-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove the secret from clusterrole #3668
Comments
Hey, Maybe we could add a flag like WDYT @kedacore/keda-core-contributors ? |
Support Restrict Secret Access, refer to kedacore#3668
Hey JorTurFer, Sure, pls. help to review #3677 |
Sure, I'll review during the week, I'm a bit busy atm |
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
Hey JorTurFer, I reviewed all your comments and also replied, pls. have a check on this PR again, #3677
Actually I didn't touch line 34 and line 36, only added line 54, not sure why it will be failed, would you help me to understand this golangci? or can we just ignore this error? Regarding configmap restriction, I will create a separate PR so as to be clear and fully tested before submit. |
I have reviewed the PR 😄 |
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
Support Restrict Secret Access, refer to kedacore#3668 Signed-off-by: kevin <[email protected]>
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
Posting here, cause I have been troubleshooting for while. Looking at RBACs rules and sharing secrets with the Keda Operator. I have some issues with the current implementation where I need restricted access to secrets in the ClusterRole. I want to give access to the Service account via Roles and RoleBindings in the specific namespaces. I don't want to store any secrets in the Keda Operator's namespace. Do you guys know how to do this or am I crazy for trying this? Thanks |
You aren't crazy, but I'm not sure if this can be done right now. You could try to enable via RBAC the permission on the namespaces where you want and check if KEDA fails (in case of failures, you will see errors in KEDA logs). |
So when I remove the KEDA_RESTRICT environment variable from the deployment, and trying to add a new cluster role (with only a specific secret) and binding, Keda is expecting being able to read ALL secrets, which is not what would want. Can this be a feature request, we running this on premise, and we are not using Hashicorp vaults? Other projects such as Rancher does allow this to work. I am just wondering. Thanks for you help! :) |
Yeah, sure! Could you open an issue to request it? |
Sound good, I will do it momentarily. I appreciate your help! I will also add some more details! Thanks! :) |
Proposal
Greetings,
We want to leverage KEDA for autoscaling, however KEDA will require list/watch/get all secrets across all namespaces. This will introduce security risks and could not deploy on production env.
So we want to limit the secret permission to only list/watch/get on KEDA namespace, and we will only use ClusterTriggerAuthentication. Currently we have 2 proposals:
Both will require code changes.
So we just wondering is there any better options to approach this?
Thanks,
Kevin
Use-Case
Remove the secret from clusterrole, only need to get/list/watch secret on KEDA namespace
Anything else?
No response
The text was updated successfully, but these errors were encountered: