
INST-23232 - Document ServiceAccountNodeAudienceRestriction for GKE Workload Identity#81

Open
nagarajuv-jfrog wants to merge 1 commit into main from feature/INST-23232

Conversation

@nagarajuv-jfrog


Summary

  • Updates GCP.md Option B (Workload Identity) to use <PROJECT_ID>.svc.id.goog as jfrog_oidc_audience instead of the generic artifactory string, aligning with the GKE Workload Identity pool identifier
  • Adds new Step 3B.5 documenting the ServiceAccountNodeAudienceRestriction feature gate (enabled by default in Kubernetes 1.33+), which restricts the Kubelet from requesting projected tokens for arbitrary audiences — and the ClusterRole required to authorize it
  • Fixes pre-existing inaccuracies in the Option B flow description and mermaid diagram: the K8s JWT is sent directly to Artifactory (no GCP STS exchange step), and the kubelet audience is jfrog_oidc_audience, not the hardcoded identityconfig.googleapis.com
  • Updates examples/gcp-projected-service-account-values.yaml audience and adds a comment explaining why rbac.create: true is required for K8s 1.33+
  • Corrects the helm/values.yaml RBAC comment, which incorrectly stated RBAC was only needed for AWS

Files changed

| File | Change |
| --- | --- |
| GCP.md | New Step 3B.5, corrected audience throughout, fixed mermaid diagram and all Option B flow descriptions |
| examples/gcp-projected-service-account-values.yaml | jfrog_oidc_audience: "<PROJECT_ID>.svc.id.goog", added rbac.create: true comment |
| helm/values.yaml | Fixed RBAC comment to include GCP and K8s 1.33+ context |

Test plan

  • Verify jfrog_oidc_audience: "<PROJECT_ID>.svc.id.goog" in the example values file renders correctly via helm template
  • Confirm the ClusterRole YAML in Step 3B.5 is a valid Kubernetes RBAC manifest
  • Review that the Option B mermaid diagram renders correctly in GitHub markdown preview
  • Validate against a GKE cluster running Kubernetes 1.33+ with ServiceAccountNodeAudienceRestriction enabled

Closes INST-23232
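The RBAC grant that Step 3B.5 describes, written out here as an added illustration rather than the manifest from the PR or the chart's `rbac.create` template: a ClusterRole allowing `create` on the `serviceaccounts/token` subresource, bound to the `system:nodes` group so the kubelet may request projected tokens for the Workload Identity audience. The object names are assumed.

```yaml
# Added illustration; object names are assumed, not taken from the PR or chart.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-serviceaccount-token-request   # assumed name
rules:
  # With ServiceAccountNodeAudienceRestriction on (default in 1.33+), the node
  # authorizer refuses kubelet TokenRequests for arbitrary audiences. Kubernetes
  # authorization is a union of authorizers, so this RBAC allow is what lets
  # the kubelet mint a projected token for <PROJECT_ID>.svc.id.goog.
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-serviceaccount-token-request   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-serviceaccount-token-request
subjects:
  # Every kubelet authenticates as system:node:<name> in the system:nodes group.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:nodes
```

Note that this binding lets any node mint a token for any service account and audience cluster-wide, which is broader than the node authorizer's pod-scoped check, so review it as a deliberate widening of node privilege. `kubectl auth can-i create serviceaccounts/token --as=system:node:<NODE_NAME> --as-group=system:nodes` (NODE_NAME is a placeholder) confirms the grant is in effect.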

…orkload Identity

Update GCP.md and example values to use <PROJECT_ID>.svc.id.goog as the
jfrog_oidc_audience for Option B (Workload Identity / KEP-4412). Add Step 3B.5
documenting the ServiceAccountNodeAudienceRestriction feature gate (enabled by
default in Kubernetes 1.33+) and the ClusterRole required to grant system:nodes
permission to request projected tokens for this audience. Correct the RBAC
comment in values.yaml which incorrectly stated RBAC was only needed for AWS.
@nagarajuv-jfrog nagarajuv-jfrog requested review from a team, RobinDuhan and oumkale June 3, 2026 04:40
