Comments (4)
+1
I've stumbled over this issue too. Using ArgoCD to deploy applications in different namespaces. It would be great if I could keep DopplerSecret
resources together with the rest of the application resources so that they would be removed when the namespace is removed.
from kubernetes-operator.
Here are the two flows that this contains. Please note that the red and green rectangles contain a SelfSubjectAccessReview request nested within the initial ValidatingWebhook callback from the API.

User does NOT have RBAC access to source/dest secrets

```mermaid
sequenceDiagram
    User ->> k8s: PUT/PATCH/POST DopplerSecret
    rect rgb(255, 0, 0)
        k8s ->> Operator: ValidatingWebhook POST: payload (contains userInfo from User)
        Operator ->> k8s: SelfSubjectAccessReview POST: with payload.userInfo impersonation
        k8s -x Operator: SelfSubjectAccessReview response: NO, either source and/or dest secrets are not manageable by User
        Operator -x k8s: ValidatingWebhook response: Resource is not valid. Deny it.
    end
    k8s -x User: DopplerSecret rejected.
```

User has RBAC access to source/dest secrets

```mermaid
sequenceDiagram
    User ->> k8s: PUT/PATCH/POST DopplerSecret
    rect rgb(0, 127, 0)
        k8s ->> Operator: ValidatingWebhook POST: payload (contains userInfo from User)
        Operator ->> k8s: SelfSubjectAccessReview POST: with payload.userInfo impersonation
        k8s ->> Operator: SelfSubjectAccessReview response: YES, source/dest secrets are manageable by User.
        Operator ->> k8s: ValidatingWebhook response: Resource is valid. Accept it.
    end
    k8s ->> User: DopplerSecret accepted
    k8s --) Operator: DopplerSecret event
    Operator ->> Doppler API: Requests config with token
    Doppler API ->> Operator: Provides config
    Operator ->> k8s: PUT/PATCH/POST config to managedSecret
```

Additional notes: a ValidatingAdmissionWebhook, using best practices, will be able to accept or reject any version of a DopplerSecret prior to it being presented as a new/updated object to the Doppler operator event listener. This effectively implements user-level authorization via k8s RBAC to the Doppler operator, as if it were a service itself with the same RBAC policies.
from kubernetes-operator.
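The webhook decision the comment above describes, written out as an added example that is not part of the original thread and not the Doppler operator's own code. It parses an admission.k8s.io/v1 AdmissionReview, builds one authorization check per Secret the operator would touch on the user's behalf, and allows the DopplerSecret only if every check passes. Two choices are mine, not the commenter's: the checks are sent as a SubjectAccessReview naming the user and groups from `request.userInfo` (functionally the same question as a SelfSubjectAccessReview under impersonation, but it only needs permission to create subjectaccessreviews rather than impersonation rights), and the DopplerSecret spec (`tokenSecret`, `managedSecret`) is a simplified hypothetical shape, not the real CRD. The API types are hand-declared mirrors with only the needed fields; a real operator would use k8s.io/api and client-go. The sample review and the grants in `FakeAuthorizer` are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-declared mirrors of admission.k8s.io/v1 and authorization.k8s.io/v1 shapes (needed fields only).
type UserInfo struct {
	Username string   `json:"username"`
	UID      string   `json:"uid,omitempty"`
	Groups   []string `json:"groups,omitempty"`
}
type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"` // CREATE, UPDATE, DELETE
	Namespace string          `json:"namespace"`
	UserInfo  UserInfo        `json:"userInfo"`
	Object    json.RawMessage `json:"object"` // null on DELETE
}
type Status struct {
	Message string `json:"message"`
	Code    int32  `json:"code"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type AdmissionReview struct {
	Request  *AdmissionRequest  `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}
type ResourceAttributes struct {
	Namespace, Verb, Group, Resource, Name string
}
type SubjectAccessReview struct {
	ResourceAttributes ResourceAttributes
	User, UID          string
	Groups             []string
}

// Hypothetical, simplified DopplerSecret spec: the Secret holding the Doppler token and
// the Secret the operator writes the rendered config into.
type SecretRef struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}
type DopplerSecret struct {
	Spec struct {
		TokenSecret   SecretRef `json:"tokenSecret"`
		ManagedSecret SecretRef `json:"managedSecret"`
	} `json:"spec"`
}

// Authorizer stands in for POSTing to /apis/authorization.k8s.io/v1/subjectaccessreviews.
type Authorizer interface {
	Allowed(sar SubjectAccessReview) (bool, error)
}

// RequiredChecks: what the requesting user must be able to do themselves before the
// operator does it for them (read the token Secret, write the managed Secret).
// An unqualified ref defaults to the DopplerSecret's own namespace.
func RequiredChecks(ds DopplerSecret, u UserInfo, defaultNS string) []SubjectAccessReview {
	var checks []SubjectAccessReview
	add := func(verb string, ref SecretRef) {
		ns := ref.Namespace
		if ns == "" {
			ns = defaultNS
		}
		checks = append(checks, SubjectAccessReview{
			ResourceAttributes: ResourceAttributes{Namespace: ns, Verb: verb, Group: "", Resource: "secrets", Name: ref.Name},
			User: u.Username, UID: u.UID, Groups: u.Groups,
		})
	}
	add("get", ds.Spec.TokenSecret)
	add("create", ds.Spec.ManagedSecret)
	add("update", ds.Spec.ManagedSecret)
	return checks
}

// Validate is the webhook decision. Any API error fails closed (deny), never open.
func Validate(ar AdmissionReview, authz Authorizer) AdmissionReview {
	req := ar.Request
	resp := &AdmissionResponse{UID: req.UID}
	deny := func(code int32, msg string) AdmissionReview {
		resp.Status = &Status{Code: code, Message: msg}
		return AdmissionReview{Response: resp}
	}
	if req.Operation == "DELETE" { // nothing is written on delete; object is null here
		resp.Allowed = true
		return AdmissionReview{Response: resp}
	}
	var ds DopplerSecret
	if err := json.Unmarshal(req.Object, &ds); err != nil {
		return deny(400, "malformed DopplerSecret: "+err.Error())
	}
	for _, sar := range RequiredChecks(ds, req.UserInfo, req.Namespace) {
		ra := sar.ResourceAttributes
		ok, err := authz.Allowed(sar)
		if err != nil {
			return deny(500, "authorization check failed: "+err.Error())
		}
		if !ok {
			return deny(403, fmt.Sprintf("user %q may not %s secret %s/%s", sar.User, ra.Verb, ra.Namespace, ra.Name))
		}
	}
	resp.Allowed = true
	return AdmissionReview{Response: resp}
}

// FakeAuthorizer is an offline stand-in for the API server: a set of "user verb ns/name" grants.
type FakeAuthorizer map[string]bool

func (f FakeAuthorizer) Allowed(sar SubjectAccessReview) (bool, error) {
	ra := sar.ResourceAttributes
	return f[fmt.Sprintf("%s %s %s/%s", sar.User, ra.Verb, ra.Namespace, ra.Name)], nil
}

// SampleReview is a constructed AdmissionReview: user alice creates a DopplerSecret in "app".
const SampleReview = `{"request":{"uid":"r1","operation":"CREATE","namespace":"app",
 "userInfo":{"username":"alice","groups":["system:authenticated"]},
 "object":{"spec":{"tokenSecret":{"name":"doppler-token","namespace":"app"},
                   "managedSecret":{"name":"app-config"}}}}}`

// Decide runs SampleReview through Validate with the given grants.
func Decide(grants map[string]bool) AdmissionReview {
	var ar AdmissionReview
	if err := json.Unmarshal([]byte(SampleReview), &ar); err != nil {
		panic(err)
	}
	return Validate(ar, FakeAuthorizer(grants))
}

func main() {
	partial := Decide(map[string]bool{"alice get app/doppler-token": true})
	fmt.Printf("allowed=%v status=%+v\n", partial.Response.Allowed, *partial.Response.Status)
	full := Decide(map[string]bool{"alice get app/doppler-token": true,
		"alice create app/app-config": true, "alice update app/app-config": true})
	fmt.Printf("allowed=%v\n", full.Response.Allowed)
}
```

The deny message names the exact verb and Secret that failed, so the user sees why Argo CD (or kubectl) got a 403 rather than an opaque "invalid resource". Note that only the request from the API server carries trustworthy `userInfo`; the webhook must authenticate the API server's client certificate or it can be fed a forged review.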
Are there any plans for a new release of the operator without the namespace restriction?
The introduced limitation makes the operator pretty much unusable for my projects, so if this is where it is heading I'll have to abandon it.
from kubernetes-operator.
Thanks for all of the feedback! We're reviewing options internally for how to meet these use cases. I'll post here with any updates.
from kubernetes-operator.