Description:
I've come from the Emissary world, and there was an awesome `scope.singleNamespace` option which limits access to resources located only inside the controller's deployment namespace. I really want to have the same security limit for Envoy Gateway.
By default it has access to all cluster secrets via a ClusterRoleBinding. Of course, I saw the multi-tenancy tutorial, but with such a setup the controller still has access to app-namespace secrets.
We could deploy it inside a separate namespace in tenancy mode and use `HTTPRoute` with `backendRef.namespace`; however, it won't work, as a `ReferenceGrant` stored inside the application namespace is mandatory. But even if we add a `ReferenceGrant`, the controller won't be able to read it, as it doesn't have access to the application namespace.
So, basically, we can't provide access to an application service without access to the application's secrets. Of course, we could store secrets inside Vault, but that's the hard way.
Solution proposal:
Maybe we can just use some ClusterRole with access to `ReferenceGrant` from all namespaces even if we're running in single-namespace tenancy mode.
Thanks!
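One way to express the split the proposal asks for, as an added example that is not Envoy Gateway's shipped RBAC: the controller's ServiceAccount gets cluster-wide read access to `ReferenceGrant` objects only, while Secret access stays confined to its own namespace through a namespaced Role. The namespace `envoy-gateway-system`, the ServiceAccount name `envoy-gateway` and the role names are assumptions for the example.

```yaml
# Added example (not Envoy Gateway's own manifests). Assumed names:
# namespace envoy-gateway-system, ServiceAccount envoy-gateway.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-referencegrant-reader
rules:
  # ReferenceGrant is how an app namespace opts in; reading it cluster-wide is enough.
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["referencegrants"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-referencegrant-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-referencegrant-reader
subjects:
  - kind: ServiceAccount
    name: envoy-gateway
    namespace: envoy-gateway-system
---
# Secrets stay namespaced: a Role bound only inside the controller's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-secret-reader
  namespace: envoy-gateway-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gateway-secret-reader
  namespace: envoy-gateway-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gateway-secret-reader
subjects:
  - kind: ServiceAccount
    name: envoy-gateway
    namespace: envoy-gateway-system
```

After applying, `kubectl auth can-i get secrets -n <app-namespace> --as=system:serviceaccount:envoy-gateway-system:envoy-gateway` should answer `no`, while the same check for `referencegrants.gateway.networking.k8s.io` answers `yes`.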