
Security question - bind vaultRole to k8s namespace #202

Open
Anna-Katona opened this issue Jul 31, 2023 · 1 comment

Comments

@Anna-Katona

Hey!

I've started to use vault-secrets-operator and I have a question related to its security.
For example I have some secrets related to apps and infra kept in Vault and there are different policies to access them.
Using vault-secrets-operator (even if I specify 'vaultRole: my-custom-vault-role') I can access any secret in Vault, the only thing I need is to have RBAC rights to create VaultSecrets resource and know the name of vaultRole (I can see the values from someone else's code).
Did I understand it properly?

If so, it would be great to have an opportunity to use labels (or something like that) to control which namespaces can use different roles, so my dev teams can create VaultSecrets with specific values of a vaultRole (and those values that are not allowed will be blocked by vault-secrets-operator itself).

Thanks.

@ricoberger
Owner

Hi @Anna-Katona,

> For example I have some secrets related to apps and infra kept in Vault and there are different policies to access them.
> Using vault-secrets-operator (even if I specify 'vaultRole: my-custom-vault-role') I can access any secret in Vault, the only thing I need is to have RBAC rights to create VaultSecrets resource and know the name of vaultRole (I can see the values from someone else's code).
> Did I understand it properly?

Yes, this is correct: if the provided Vault role has access to all secrets and is known to everyone, it can be used by everyone.

> If so, it would be great to have an opportunity to use labels (or smth like that) to control which namespaces can use different roles, so my dev teams can create VaultSecrets with specific values of a vaultRole (and those values that are not allowed will be blocked by vault-secrets-operator itself).

If I understand you correctly, you mean to have a list similar to the following one:

- vaultrole1: ["namespace1", "namespace2"]
- vaultrole2: ["namespace2", "namespace3"]

If the vaultrole1 is now used in a VaultSecret within namespace3 the operator would not create the secret.

Have I understood that correctly?
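As an added illustration (not code from vault-secrets-operator or either participant), the following Go sketch shows what the proposed role-to-namespace allow-list would look like as an enforcement check, using the exact mapping from the comment above. The `RoleNamespacePolicy` and `VaultSecretRef` types are hypothetical, and roles that are not in the list at all are denied by default so that a role name copied from another team's manifest is unusable unless an admin has mapped it to the caller's namespace.

```go
package main

import "fmt"

// RoleNamespacePolicy maps a Vault role to the namespaces allowed to reference
// it in a VaultSecret (hypothetical sketch of the allow-list proposed in the issue).
type RoleNamespacePolicy map[string][]string

// VaultSecretRef is the subset of a VaultSecret the check needs (not the CRD type).
type VaultSecretRef struct {
	Namespace, Name, VaultRole string
}

// Allowed reports whether vaultRole may be used from namespace. Unlisted roles
// are denied (default deny): a nil slice for an unknown role simply never matches.
func (p RoleNamespacePolicy) Allowed(vaultRole, namespace string) bool {
	for _, ns := range p[vaultRole] {
		if ns == namespace {
			return true
		}
	}
	return false
}

// Validate returns nil when the VaultSecret may be reconciled, or an error the
// operator could write to the resource status instead of creating the secret.
func (p RoleNamespacePolicy) Validate(vs VaultSecretRef) error {
	if p.Allowed(vs.VaultRole, vs.Namespace) {
		return nil
	}
	return fmt.Errorf("VaultSecret %s/%s: vaultRole %q is not permitted in namespace %q (allowed: %v)",
		vs.Namespace, vs.Name, vs.VaultRole, vs.Namespace, p[vs.VaultRole])
}

func main() {
	policy := RoleNamespacePolicy{
		"vaultrole1": {"namespace1", "namespace2"},
		"vaultrole2": {"namespace2", "namespace3"},
	}
	// Constructed sample resources; the last one is the vaultrole1-in-namespace3 case
	// from the issue. A nil result means the operator may create the secret.
	for _, vs := range []VaultSecretRef{
		{"namespace1", "app-db", "vaultrole1"},
		{"namespace3", "infra-tls", "vaultrole2"},
		{"namespace3", "borrowed-role", "vaultrole1"},
	} {
		fmt.Printf("%s/%s (%s): %v\n", vs.Namespace, vs.Name, vs.VaultRole, policy.Validate(vs))
	}
}
```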
