Oops, this was a result of some mistaken template-rendering logic on my part; in the section where I was intending to grant authn-k8s authentication privileges for the webservice to the K8s apps that needed them, I had copied the line that assigned privileges for the ‘apps’ layer as a starting point and forgot to circle back around and actually template it out. So that layer was being assigned ‘authenticate’ privileges multiple times.
I’m actually quite glad that Conjur isn’t silent about this. Thanks @AndrewCopeland for taking a look at that.