Introduce namespace restriction #10
This is useful to @frankscholten when implementing 1Password, although it might be a bit more dynamic #11 #12

I'd like to have a discussion about this. Simplifying the architecture of the operator would also give a simpler security model, and we could rely on RBAC to limit access. We could drop the CRD introduced by #15 and limit an operator instance to one backend and let it watch only one namespace. In this way we scope the operator per namespace by RBAC and by the Watch operation and avoid the risk of injecting, for example, a prod secret into dev. If you want an additional backend, just run another operator with a different backend type. I believe this is easier to reason about, but might be more resource intensive. Notice that only the operator with the right backend type will actually create the Secret; all the others will gracefully fail with "backend not found".

I like this approach as it would simplify things a lot.

I will try to implement this in #4.

This needs to be documented, but it is implemented in #4 as RBAC roles.
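The RBAC half of the proposal above, as an added example that is not part of this thread or the project's own manifests: a namespaced Role and RoleBinding that confine one operator instance to a single namespace, so a binding in `dev` cannot be used to read or write Secrets in `prod`. The namespace `dev`, the ServiceAccount name `secrets-operator` and the verb list are assumptions; the custom resource kind the operator watches is not shown and would need its own rule.

```yaml
# Added example (not the project's own manifest): scope a secrets operator to a
# single namespace with a namespaced Role instead of a ClusterRole.
# Names (namespace "dev", ServiceAccount "secrets-operator") are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secrets-operator
  namespace: dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secrets-operator
  namespace: dev
rules:
  # The operator may only manage Secrets inside "dev"; a Role (unlike a
  # ClusterRole) cannot grant anything in another namespace such as "prod".
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secrets-operator
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: secrets-operator
    namespace: dev
roleRef:
  kind: Role
  name: secrets-operator
  apiGroup: rbac.authorization.k8s.io
```

A quick check that the boundary holds is `kubectl auth can-i create secrets --as=system:serviceaccount:dev:secrets-operator -n prod`, which should answer `no`, while the same query with `-n dev` answers `yes`. RBAC is the enforcement layer; limiting the operator's Watch to the same namespace, as the comment proposes, is what keeps it from repeatedly hitting forbidden errors on objects it was never meant to see.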
It would be useful to restrict secrets injections to specific namespaces. Possibilities are:
1 should give more flexibility.