This repository has been archived by the owner on Jul 26, 2022. It is now read-only.
I have multiple deployments of kubernetes-external-secrets in different namespaces on the same cluster.
My expectation is they would be totally isolated, but I noticed a deployment in one namespace was accessing a different namespace.
For example, I saw this in the deployment in namespace-X:
spinning up poller {"id":"mysecret_1234","namespace":"namespace-Z","secretDescriptors":[{"backendType":"secretsManager","data":[{"key":"mykey","name":"mykey"}],"name":"mysecret"}],"ownerReference":{"apiVersion":"kubernetes-client.io/v1","controller":true,"kind":"ExternalSecret","name":"mykey","uid":"......"}}
How is this happening?
I guess I'm unsure of two things: how does it have access to other namespaces, and how is it finding secrets in other namespaces?
I'm using the helm chart to deploy and it looks like it uses a ClusterRole. Is fixing this as easy as changing that to just a Role? Or maybe there is a config option to only look for secrets in the namespace where it was deployed?
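To measure how far the behaviour reported above extends, the following added example (not part of the original issue and not the project's code) scans controller log text for `spinning up poller` lines and lists every poller whose `namespace` differs from the namespace the controller runs in. The function names and the sample log are constructed for illustration, and the handling of a JSON-wrapped `msg` field is an assumption about the log format.

```python
import json

MARKER = "spinning up poller"
_decoder = json.JSONDecoder()


def poller_descriptors(log_text):
    """Yield the JSON descriptor from every 'spinning up poller' log line."""
    for line in log_text.splitlines():
        # Assumption: a structured logger may wrap the message in a JSON
        # record with a "msg" field; unwrap it if so.
        try:
            record = json.loads(line)
            if isinstance(record, dict) and isinstance(record.get("msg"), str):
                line = record["msg"]
        except ValueError:
            pass
        pos = line.find(MARKER)
        if pos == -1:
            continue
        start = line.find("{", pos)
        if start == -1:
            continue
        try:
            obj, _ = _decoder.raw_decode(line, start)
        except ValueError:
            continue  # truncated or malformed descriptor
        if isinstance(obj, dict):
            yield obj


def cross_namespace_pollers(log_text, own_namespace):
    """Return sorted (namespace, id) pairs polled outside own_namespace."""
    found = set()
    for d in poller_descriptors(log_text):
        ns = d.get("namespace")
        if ns and ns != own_namespace:
            found.add((ns, d.get("id", "?")))
    return sorted(found)


# Constructed sample: logs collected from the deployment in namespace-X.
SAMPLE_LOG = """\
spinning up poller {"id":"mysecret_1234","namespace":"namespace-Z","secretDescriptors":[{"backendType":"secretsManager","data":[{"key":"mykey","name":"mykey"}],"name":"mysecret"}]}
spinning up poller {"id":"local_5678","namespace":"namespace-X","secretDescriptors":[]}
{"level":30,"msg":"spinning up poller {\\"id\\":\\"other_9\\",\\"namespace\\":\\"namespace-Y\\"}"}
spinning up poller {"id":"broken
"""
```

Calling `cross_namespace_pollers(SAMPLE_LOG, "namespace-X")` on the constructed sample reports the pollers for namespace-Y and namespace-Z and skips the truncated line.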