RFE: Restrict watching to a single namespace.

[derrickburns]

No description provided.

[jeffpearce]

Or maybe from an array of namespaces

[jeffpearce]

http://yaml4r.sourceforge.net/doc/page/collections_in_yaml.htm

[jeffpearce]

I was just suggesting it might be useful to be able to restrict to watching more than one namespace

[derrickburns]

Agreed

[jeffpearce]

Hi @derrickburns - thinking some more about this, and I don't quite understand the proposal. The daemon currently only watches secrets that are explicitly added to kubernetes. Can you help me understand which scenarios this would enable?

[derrickburns]

Sure. Today I have secrets stored in various namespaces. Apps running in one namespace have no access to secrets stored in another. Similarly, I use kiam to ensure that apps only have access to the aws resources that they need. With the current design, I must provide the external secret service with an Iam role that allows access to all aws secrets. If I run multiple copies, each with a narrow iam role, each reports error messages about the external secrets that it cannot access.

[jeffpearce]

Sorry, I should have asked that first. That sounds really useful.

[jeffpearce]

One straw person proposal would be to add an env variable to configure this. @silasbw, @satish-ravi, thoughts?

[silasbw]

We'd want to adjust the RBAC settings too, so we'd need to adjust helm template files too.

[derrickburns]

ping

[muenchhausen]

I like this idea! This could solve that usecase:

Given: Two teams A & B working in dedicated namespaces with access to own sets of AWS secrets.

When: Team A creates an external secret in his namespace referring to AWS secrets of Team B.

Then: Kubernetes secret must not be created. kubernetes-external-secrets must raise an error.

A solution idea would be

• run multiple kubernetes-external-secrets instances in all team namespaces
• let kubernetes-external-secrets instances listen on own namespace only
• assign kubernetes-external-secrets dedicated AWS credentials allowing to acceess just own AWS credentials
• the necessary RBAC rights for kubernetes-external-secrets could be reduced

[red8888]

Is this going to be implemented? It would be so amazing

This is what Im doing now:

• My application's charts have the external secrets chart added as a requirement
• The applications are deployed to their own namespaces
• They use envVarsFromSecret to set a different set of AWS creds which has only the access the app nees
• When deployed with helm a separate external secrets deployment runs alongside each app creating secrets for it with only the access the application needs

This is almost seamless but external secrets manager deployments have access to each others secrets. Also, I have to prefix all my secrets with the name of the app to give them a unique name otherwise the multiple external secrets manager deployments try to update each others secrets!

If your deploying your apps with helm being able to reference this as just another helm dependency is a really elegant way to give your apps/deployments granular access to external secrets

[JeroenRijks]

When restriction of scope to a single namespace is implemented, would it make sense to conditionally use Roles instead of ClusterRoles, if SCOPE_NAMESPACE is set?

[JeroenRijks]

Could someone with write access review/merge Flydiverny's PR, to close this issue? #193

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.