Security question - bind vaultRole to k8s namespace #202
Comments
Hi @Anna-Katona,
Yes, this is correct: if the provided Vault role has access to all secrets and is known to everyone, it can be used by everyone.
If I understand you correctly, you mean to have a list similar to the following one:
If the Have I understood that correctly?
Hey!
I've started to use vault-secrets-operator and I have a question related to its security.
For example, I have some secrets related to apps and infra kept in Vault, and there are different policies to access them.
Using vault-secrets-operator (even if I specify 'vaultRole: my-custom-vault-role') I can access any secret in Vault; the only thing I need is to have RBAC rights to create a VaultSecrets resource and to know the name of the vaultRole (I can see the values from someone else's code).
Did I understand it properly?
If so, it would be great to have an opportunity to use labels (or something like that) to control which namespaces can use different roles, so my dev teams can create VaultSecrets with specific values of a vaultRole (and those values that are not allowed will be blocked by vault-secrets-operator itself).
Thanks.
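The namespace-to-role restriction requested in this issue, sketched as an added example (not code from vault-secrets-operator or from either participant): a default-deny check that an admission step or the operator itself could run before using a role. The allow-list format, the role and namespace names, and the fallback role used when `spec.vaultRole` is omitted are all assumptions.

```python
from fnmatch import fnmatchcase

# Constructed policy: namespace glob -> Vault roles that namespace may reference.
ROLE_ALLOWLIST = {
    "team-a-*": {"team-a-apps"},
    "infra": {"infra-read", "team-a-apps"},
}
# Assumption: the role the operator falls back to when spec.vaultRole is omitted.
DEFAULT_ROLE = "operator-default"


def allowed_roles(namespace, allowlist=ROLE_ALLOWLIST):
    """Union of roles granted by every glob that matches the namespace."""
    roles = set()
    for pattern, granted in allowlist.items():
        if fnmatchcase(namespace, pattern):
            roles |= granted
    return roles


def review(vault_secret, allowlist=ROLE_ALLOWLIST, default_role=DEFAULT_ROLE):
    """Return (allowed, reason) for one VaultSecret manifest given as a dict.

    The namespace is taken from metadata.namespace, which the API server sets,
    not from labels on the object, which its author controls.
    """
    namespace = vault_secret.get("metadata", {}).get("namespace")
    if not namespace:
        return False, "missing metadata.namespace"
    # An omitted role is not a bypass: it resolves to the fallback role,
    # which must itself be granted to the namespace.
    role = vault_secret.get("spec", {}).get("vaultRole") or default_role
    if role in allowed_roles(namespace, allowlist):
        return True, f"role {role!r} permitted in namespace {namespace!r}"
    return False, f"role {role!r} not permitted in namespace {namespace!r}"


# Constructed manifests, reduced to the fields the check reads.
SAMPLES = [
    {"metadata": {"namespace": "team-a-web"}, "spec": {"vaultRole": "team-a-apps"}},
    {"metadata": {"namespace": "team-a-web"}, "spec": {"vaultRole": "infra-read"}},
    {"metadata": {"namespace": "team-a-web"}, "spec": {}},
    {"metadata": {"namespace": "team-b"}, "spec": {"vaultRole": "team-a-apps"}},
]

if __name__ == "__main__":
    for manifest in SAMPLES:
        print(review(manifest))
```

A namespace that matches no pattern gets an empty role set, so knowing another team's role name is not enough to use it.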