SecretClass access control

We should have a way to control who's allowed to mount which SecretClass.

It's not really practical to control based on the deploying user, because the idea of a "source user" in the first place is about as clear as mud in K8s (the end user creating the StatefulSet? The controller creating the Pod from that? The controller creating the PersistentVolumeClaim from that? The controller creating the PersistentVolume from *that*?).

The best we could do would probably be to allowlist individual target Namespaces.

This is theoretically already possible via a K8s [admission hook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#admission-control-extension-points) like [OPA](https://www.openpolicyagent.org/docs/kubernetes); we should either implement something native or document how to accomplish it using one of those.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

SecretClass access control #613

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

SecretClass access control #613

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions