Comments (1)
Hi @NOBLES5E, thanks for bringing this to our attention! You're right that the operator does allow users who can create `DopplerSecret` resources in any namespace to pull secrets from any token secret in the system. For example,

- You have `app1` and `app2` namespaces
- You install the Doppler operator, which adds the `doppler-operator-system` namespace
- You create a token k8s secret containing your service token at `doppler-operator-system/doppler-token-secret`, as we recommend in our docs
- You create a DopplerSecret at `app1/doppler-secret-1` which references `doppler-operator-system/doppler-token-secret` and managed k8s secret `app1/k8s-secret-1`, the operator syncs the data to the managed secret
- You create a DopplerSecret at `app2/doppler-secret-2` which also references `doppler-operator-system/doppler-token-secret`, and you specify managed k8s secret `app2/k8s-secret-2`, the operator syncs the data to the managed secret

As a result, `app2` was able to access `doppler-operator-system/doppler-token-secret` (and use the operator to fetch the underlying secrets) just by being able to create DopplerSecret CRDs -- even though it was created/owned by `app1`.

We initially intended that your clusters would be configured such that only privileged users can create `DopplerSecret` resources, but I certainly see how it would be concerning and unintuitive to have resource creation as the gate for access to all Doppler-based secrets in your cluster.

I think a better approach here would be to require that the token k8s secret, `DopplerSecret` resource, and managed k8s secret must all exist in the same namespace. This will silo all data to each namespace. Does this solution sound like it would meet your requirements?
from kubernetes-operator.
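The same-namespace rule proposed in the comment, written out as a validation check. This is an added example, not code from the Doppler operator; the `DopplerSecret` and `SecretRef` field names are assumptions modelled on the discussion, and the sample resources reproduce the `app1`/`app2` scenario described above.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretRef names a Kubernetes Secret. An empty Namespace means "the same
// namespace as the DopplerSecret". These field names are an assumption
// modelled on the comment, not the operator's actual CRD types.
type SecretRef struct {
	Name      string
	Namespace string
}

// DopplerSecret is a minimal stand-in for the operator's custom resource.
type DopplerSecret struct {
	Name          string
	Namespace     string
	TokenSecret   SecretRef // holds the Doppler service token
	ManagedSecret SecretRef // receives the synced secret values
}

var ErrCrossNamespace = errors.New("token secret, DopplerSecret and managed secret must share a namespace")

// ValidateNamespaceIsolation implements the fix proposed in the comment: a
// DopplerSecret may only reference a token secret and a managed secret in its
// own namespace, so a token kept in doppler-operator-system can no longer be
// borrowed by a DopplerSecret created in app2. A reconciler or admission
// webhook would run this before reading or writing either Secret.
func ValidateNamespaceIsolation(ds DopplerSecret) error {
	tokenNS, managedNS := ds.TokenSecret.Namespace, ds.ManagedSecret.Namespace
	if tokenNS == "" {
		tokenNS = ds.Namespace
	}
	if managedNS == "" {
		managedNS = ds.Namespace
	}
	if tokenNS != ds.Namespace || managedNS != ds.Namespace {
		return fmt.Errorf("%w: %s/%s references token secret in %q and managed secret in %q",
			ErrCrossNamespace, ds.Namespace, ds.Name, tokenNS, managedNS)
	}
	return nil
}

func main() {
	// The scenario from the comment: app2 reuses the operator namespace's token secret.
	ds := DopplerSecret{Name: "doppler-secret-2", Namespace: "app2",
		TokenSecret:   SecretRef{Name: "doppler-token-secret", Namespace: "doppler-operator-system"},
		ManagedSecret: SecretRef{Name: "k8s-secret-2", Namespace: "app2"}}
	fmt.Println(ValidateNamespaceIsolation(ds))
}
```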