Why do we recommend one SPN per service account only?
The problem with multi-SPN accounts and keytabs is that, whenever you need to update an SPN, there's a high risk of breaking existing keytab files used by the other applications.
For example, imagine Confluence, Bitbucket, Jira, and Bamboo all using CNAMEs, with SPNs that are all registered to svc-atlassian@EXAMPLE.LOCAL:
Then a year down the line, the application server for Confluence dies and is restored on a new application server. The CNAME is moved accordingly to point to the new server: appsrv.prd777.b.example.com. For Kerberos to work, you will now need to remove the old SPN for Confluence and instead add:
.... One tiny mistake when running ktpass, and the keytabs for Jira, Bamboo, and Bitbucket are now invalid, and Kerberos no longer works in any of the Atlassian applications.
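The following Python model is an added example, not code from the original page or from Atlassian. It shows why the shared account is fragile: Kerberos keys and the key version number (kvno) belong to the account rather than to an individual SPN, so a keytab export that resets the password of svc-atlassian changes the key behind every SPN registered to it. The SPN names, the per-application account names (svc-confluence and so on) and the passwords are constructed placeholders, and the key derivation is only the PBKDF2 step of the AES string-to-key function, used as a stand-in.

```python
import hashlib

REALM = "EXAMPLE.LOCAL"
APPS = ["confluence", "bitbucket", "jira", "bamboo"]

def derive_key(password, account):
    # Stand-in for Kerberos string-to-key (PBKDF2 step only, salt = realm + account).
    salt = (REALM + account).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

class Directory:
    """Toy model of the KDC database: password and kvno are stored per account."""
    def __init__(self):
        self.accounts = {}   # account name -> [password, kvno]
        self.spn_owner = {}  # SPN -> account name

    def add_account(self, account, password, spns):
        self.accounts[account] = [password, 1]
        for spn in spns:
            self.spn_owner[spn] = account

    def export_keytab(self, spn, new_password=None):
        """Model of a keytab export; new_password models the password reset."""
        account = self.spn_owner[spn]
        if new_password is not None:
            self.accounts[account] = [new_password, self.accounts[account][1] + 1]
        password, kvno = self.accounts[account]
        return {"spn": spn, "kvno": kvno, "key": derive_key(password, account)}

    def keytab_valid(self, keytab):
        account = self.spn_owner[keytab["spn"]]
        password, kvno = self.accounts[account]
        return keytab["kvno"] == kvno and keytab["key"] == derive_key(password, account)

def broken_after_reexport(layout, changed_app):
    """layout maps app -> account; returns the apps whose keytab stops working."""
    d = Directory()
    for account in sorted(set(layout.values())):
        spns = [f"HTTP/{a}.placeholder" for a in layout if layout[a] == account]
        d.add_account(account, "old-" + account, spns)  # constructed passwords
    keytabs = {a: d.export_keytab(f"HTTP/{a}.placeholder") for a in layout}
    keytabs[changed_app] = d.export_keytab(f"HTTP/{changed_app}.placeholder", "new-secret")
    return sorted(a for a, kt in keytabs.items() if not d.keytab_valid(kt))

SHARED = {a: "svc-atlassian" for a in APPS}   # one account, four SPNs
DEDICATED = {a: "svc-" + a for a in APPS}     # hypothetical one account per SPN

if __name__ == "__main__":
    print("shared account, broken keytabs:", broken_after_reexport(SHARED, "confluence"))
    print("dedicated accounts, broken keytabs:", broken_after_reexport(DEDICATED, "confluence"))
```

With the shared account, re-exporting the Confluence keytab leaves the Bamboo, Bitbucket and Jira keytabs holding a stale key and kvno; with one account per SPN, no other keytab is affected.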