RFE: Restrict watching to a single namespace. #106
Comments
Or maybe from an array of namespaces |
I was just suggesting it might be useful to be able to restrict to watching more than one namespace |
Agreed
|
Hi @derrickburns - thinking some more about this, and I don't quite understand the proposal. The daemon currently only watches secrets that are explicitly added to kubernetes. Can you help me understand which scenarios this would enable? |
Sure.
Today I have secrets stored in various namespaces. Apps running in one namespace have no access to secrets stored in another.
Similarly, I use kiam to ensure that apps only have access to the AWS resources that they need.
With the current design, I must provide the external secret service with an IAM role that allows access to all AWS secrets.
If I run multiple copies, each with a narrow IAM role, each reports error messages about the external secrets that it cannot access.
|
Sorry, I should have asked that first. That sounds really useful. |
One straw person proposal would be to add an env variable to configure this. @silasbw, @satish-ravi, thoughts? |
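As an added example, not code from the kubernetes-external-secrets project or from anyone in this thread, here is one shape the env-variable proposal could take in the controller's own language, JavaScript. It also covers the array-of-namespaces variant raised earlier in the thread. The variable name WATCH_NAMESPACES and the CRD group, version and plural are placeholders chosen for this example, not the project's real values.

```javascript
// Added example, not kubernetes-external-secrets code. It sketches the
// env-variable proposal from this thread: read a list of namespaces from the
// environment and scope the controller's watches to them.
// Assumptions: WATCH_NAMESPACES as the variable name, and the CRD coordinates
// below, are placeholders chosen for this example.
const CRD_GROUP = 'example.io'
const CRD_VERSION = 'v1'
const CRD_PLURAL = 'externalsecrets'

// RFC 1123 DNS label, which is what Kubernetes requires of namespace names.
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/

// Parse "team-a,team-b" into a Set. Unset or empty means "watch every
// namespace", i.e. today's behaviour. Bad names fail fast at startup rather
// than surfacing later as 403/404 responses from the API server.
function parseWatchNamespaces (value) {
  const names = (value || '').split(',').map(s => s.trim()).filter(Boolean)
  for (const ns of names) {
    if (!DNS_LABEL.test(ns)) {
      throw new Error(`invalid namespace name: ${JSON.stringify(ns)}`)
    }
  }
  return new Set(names)
}

// The Kubernetes API has no "watch these N namespaces" endpoint: it is either
// one cluster-wide watch or one namespaced watch per namespace. A namespaced
// Role (instead of a ClusterRole) only authorises the latter, so the scoping
// must happen in the request path, not only by filtering events afterwards.
function watchPaths (namespaces) {
  const base = `/apis/${CRD_GROUP}/${CRD_VERSION}`
  if (namespaces.size === 0) return [`${base}/${CRD_PLURAL}?watch=true`]
  return [...namespaces].map(ns => `${base}/namespaces/${ns}/${CRD_PLURAL}?watch=true`)
}

// Defence in depth: ignore any object outside the configured scope even if it
// shows up on a watch (for example a misconfigured cluster-wide watch).
function inScope (namespaces, object) {
  if (namespaces.size === 0) return true
  const ns = object && object.metadata && object.metadata.namespace
  return typeof ns === 'string' && namespaces.has(ns)
}

// Constructed sample: the controller scoped to Team A's namespace sees an
// ExternalSecret from Team B's namespace on the same event stream and must
// not act on it.
function demo (value = process.env.WATCH_NAMESPACES || 'team-a') {
  const scope = parseWatchNamespaces(value)
  const events = [
    { metadata: { namespace: 'team-a', name: 'db-creds' } },
    { metadata: { namespace: 'team-b', name: 'db-creds' } }
  ]
  return {
    paths: watchPaths(scope),
    handled: events
      .filter(e => inScope(scope, e))
      .map(e => `${e.metadata.namespace}/${e.metadata.name}`)
  }
}

console.log(JSON.stringify(demo(), null, 2))
```

Once the watch is namespaced like this, the chart's RBAC can drop from a ClusterRole to a Role plus RoleBinding in the watched namespace; with a comma-separated list you need one such pair per namespace (or a ClusterRole bound only through per-namespace RoleBindings). Run with `WATCH_NAMESPACES=team-a node scope.js` to see that only `team-a/db-creds` is handled.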
We'd want to adjust the RBAC settings too, so we'd need to adjust helm template files too. |
ping |
I like this idea! This could solve that use case:
Given: Two teams A & B working in dedicated namespaces with access to their own sets of AWS secrets.
When: Team A creates an external secret in its namespace referring to AWS secrets of Team B.
Then: Kubernetes secret must not be created. kubernetes-external-secrets must raise an error.
A solution idea would be
|
Is this going to be implemented? It would be so amazing. This is what I'm doing now:
This is almost seamless, but external secrets manager deployments have access to each other's secrets. Also, I have to prefix all my secrets with the name of the app to give them a unique name, otherwise the multiple external secrets manager deployments try to update each other's secrets! If you're deploying your apps with helm, being able to reference this as just another helm dependency is a really elegant way to give your apps/deployments granular access to external secrets |
When restriction of scope to a single namespace is implemented, would it make sense to conditionally use Roles instead of ClusterRoles, if |
Could someone with write access review/merge Flydiverny's PR, to close this issue? #193 |
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days. |
This issue was closed because it has been stalled for 30 days with no activity. |