Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to work without access to application secrets #3696

Open
matrix-root opened this issue Jun 28, 2024 · 0 comments
Open

Allow to work without access to application secrets #3696

matrix-root opened this issue Jun 28, 2024 · 0 comments
Labels
triage

Comments

@matrix-root
Copy link

Description:
I've came from Emissary world - and there was awesome scope.singleNamespace option which limits access to resources located only inside controller deployment namespace. I really want to have same security limit for Envoy Gateway

By default it have access to all cluster secrets with ClusterRoleBinding. Of course, I saw multi-tenancy tutorial - but with such setup controller still have access to app-namespace secrets

We could deploy it inside separate namespace in tenancy-mode and use HTTPRoute with backendRef.namespace - however, it won't work as ReferenceGrant stored inside application namespace is mandatory. But even if we add ReferenceGrant, controller won't be able to read it as it doesn't have access to application namespace

So, basically we can't provide access to application service without access to application secrets. Of course, we could store secrets inside Vault - but it's hard way

Solution proposal:
Maybe we can just use some ClusterRole with access to ReferenceGrant from all namespaces even if we're running via single-namespace tenancy mode

Thanks!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@matrix-root