We have a process which creates some artifacts in a specific namespace in k8s; one of the artifacts is a secret which is created in this namespace (e.g. ns1). The problem is that this secret also needs to be used from a different namespace (apps in ns1 and ns2 need to use it). Which options do I have in this case? Should I copy the secret to ns2 (not sure if this is the right option from a security perspective)? Is there a good pattern/direction/tool which can help in such a case?
2
- AFAIK, you cannot directly reference a secret from another namespace; copying it is the only option. I wrote a sample K8S controller demonstrating how this can be automated. It might be helpful. https://github.com/ashutoshgngwr/config-reflector – ashu Dec 27 '21 at 07:20
- You can with the right RBAC, although you should not. See this example: https://stackoverflow.com/a/73419051/6309601 – P.... Aug 22 '22 at 13:34
1 Answer
2
I would suggest checking out: https://github.com/zakkg3/ClusterSecret
ClusterSecret automates the process of cloning secrets across namespaces.
When you need a secret in more than one namespace, you have to:
1. Get the secret from the origin namespace.
2. Edit the secret with the new namespace.
3. Re-create the new secret in the new namespace.
This can be done with one command:
kubectl get secret <secret-name> -n <source-namespace> -o yaml \
| sed s/"namespace: <source-namespace>"/"namespace: <destination-namespace>"/\
| kubectl apply -n <destination-namespace> -f -
ClusterSecret automates this. It keeps track of any modification to your secret and it will also react to new namespaces.

Harsh Manvar
- Thanks, +1. Do you know if this is a secure solution, as k8s looks for a ns scope? – PJEM Dec 27 '21 at 07:35
- Yes, that's the only option to go with as of now, but if you are more worried you can update the RBAC and service account accordingly and give specific NS-scoped access to the K8s operator. People also suggest not to use Secrets in the first place, as they are just encoded, not encrypted. – Harsh Manvar Dec 27 '21 at 07:39
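As an added illustration of the three copy steps from the answer and of the RBAC point raised in the comments (this is example code written here, not part of the answer, ClusterSecret, or config-reflector): the sed one-liner rewrites only the namespace line, so the copy still carries server-owned metadata from ns1. A resourceVersion makes the create fail, and ownerReferences point at a UID that does not exist in the destination namespace, which the garbage collector would act on. The function below strips those fields from the JSON that `kubectl get secret ... -o json` returns and sets the new namespace; a second function emits a Role and RoleBinding that limit a copier service account to `get` on that one secret in the source namespace. The secret name `db-creds`, the service account `secret-copier`, and all field values are constructed for the example.

```python
import copy
import json

# Constructed sample, not taken from the question: the shape of what
# `kubectl get secret db-creds -n ns1 -o json` returns for a secret that some
# in-cluster process created (owner reference and server-set metadata included).
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": "db-creds",
        "namespace": "ns1",
        "uid": "00000000-0000-0000-0000-000000000001",  # constructed
        "resourceVersion": "12345",
        "creationTimestamp": "2021-12-27T07:00:00Z",
        "managedFields": [{"manager": "some-controller", "operation": "Update"}],
        "ownerReferences": [{"apiVersion": "batch/v1", "kind": "Job", "name": "bootstrap",
                             "uid": "00000000-0000-0000-0000-000000000002"}],
        "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"},
        "labels": {"app": "db"},
    },
    "data": {"password": "cGFzc3dvcmQ="},  # base64 of "password"; constructed
})

# Metadata the API server owns. Re-applying it in another namespace either fails
# (resourceVersion on create) or is wrong (ownerReferences name a UID in ns1, so
# the copy in ns2 would be garbage-collected as an orphan).
SERVER_OWNED_METADATA = (
    "uid", "resourceVersion", "creationTimestamp", "generation",
    "selfLink", "managedFields", "ownerReferences",
)


def prepare_secret_for_namespace(secret_json: str, destination_namespace: str) -> dict:
    """Return a manifest carrying the same data, ready to apply in another namespace."""
    secret = json.loads(secret_json)
    if secret.get("kind") != "Secret":
        raise ValueError("expected a v1 Secret, got %r" % secret.get("kind"))
    out = copy.deepcopy(secret)  # leave the caller's parsed input untouched
    meta = out["metadata"]
    for field in SERVER_OWNED_METADATA:
        meta.pop(field, None)
    # kubectl's last-applied annotation still names the old namespace; drop it too.
    annotations = dict(meta.get("annotations") or {})
    annotations.pop("kubectl.kubernetes.io/last-applied-configuration", None)
    if annotations:
        meta["annotations"] = annotations
    else:
        meta.pop("annotations", None)
    meta["namespace"] = destination_namespace
    return out


def read_only_role_for_secret(namespace: str, secret_name: str,
                              subject_name: str, subject_namespace: str):
    """Role + RoleBinding granting one service account `get` on exactly one secret."""
    role_name = f"read-{secret_name}"
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": [{
            "apiGroups": [""],
            "resources": ["secrets"],
            "resourceNames": [secret_name],
            # `get` is all a copier needs; `list`/`watch` only honour resourceNames
            # together with a metadata.name field selector, so they are left out.
            "verbs": ["get"],
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": role_name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": subject_name,
                      "namespace": subject_namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
    }
    return role, binding


if __name__ == "__main__":
    manifest = prepare_secret_for_namespace(SAMPLE_SECRET_JSON, "ns2")
    print(json.dumps(manifest, indent=2))  # pipe into: kubectl apply -n ns2 -f -
    role, binding = read_only_role_for_secret("ns1", "db-creds", "secret-copier", "kube-system")
    print(json.dumps([role, binding], indent=2))
```

Run it as a filter in place of the sed step: `kubectl get secret db-creds -n ns1 -o json | python3 copy_secret.py | kubectl apply -n ns2 -f -` (with the script reading stdin instead of the constructed sample). The Role is namespaced to ns1 and bound to a single service account, which is the "specific NS-scoped access" from the comment: the copier can read that one secret and nothing else in the namespace, and that binding is the record an auditor can check.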