
One kubeseal instance to manage secrets in a subset of namespaces

Open rayanebel opened this issue 6 years ago • 3 comments

Hello,

I'm looking for a solution like kubeseal to encrypt/decrypt our Kubernetes secrets on the fly, to allow us to put all of them into a git repository (helm chart).

So I followed the recent improvements made to the tool, like the ability to deploy kubeseal into a single namespace and to configure it not to watch secrets in all namespaces (flag: --all-namespaces=false).

Now my question is:

We are sharing a Kubernetes cluster (we are restricted to the namespaces that we own, with no admin access on the cluster) and we have applications in different namespaces. Can we have a kubeseal instance deployed in a dedicated namespace and tell it to manage encryption/decryption of secrets located in different namespaces (not all namespaces, but a list of allowed namespaces), or do I need to deploy a kubeseal controller in each namespace and switch between all of them when I want to encrypt a secret (because I think the same encryption key pair is not used)?

Thank you for your reply

rayanebel avatar Dec 13 '19 15:12 rayanebel

We'd have to add support for this "namespace whitelist". It shouldn't be hard. Contributions welcome!

mkmik avatar Dec 16 '19 11:12 mkmik

@mkmik Hello, thanks for your reply. I have never developed a Kubernetes operator, but after some research, if I am not mistaken, one of the components of a Kubernetes operator is informers, and an informer takes an object of kind ListWatcher, and this object is able by default to watch a single namespace, or all namespaces when you give it an empty argument. So I think there is no built-in feature in the Kubernetes API to do this. I only found that prometheus-operator has implemented its own ListWatcher object:

https://github.com/coreos/prometheus-operator/blob/b69e4b73fecbdf24be888605d91d9d19ec23d095/pkg/listwatch/listwatch.go#L111

Maybe it's a little bit more complicated to implement this feature in kubeseal?

Or maybe we should just start multiple controllers in different goroutines?

rayanebel avatar Dec 18 '19 08:12 rayanebel
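The approach sketched in the comment above (one namespaced watch per allowed namespace, merged in goroutines) as an added Go example; it is not code from sealed-secrets or prometheus-operator. client-go is replaced by constructed stand-ins (Event, NamespaceWatcher, FakeWatcher) so it runs offline, and the cluster contents and the allowlist team-a/team-b are constructed sample data.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

type Event struct{ Namespace, Name string } // constructed stand-in for a client-go watch.Event
// NamespaceWatcher stands in for one namespaced ListWatch: one namespace's events, closed when done.
type NamespaceWatcher func(ctx context.Context, ns string) <-chan Event
// MultiNamespaceWatch starts one namespaced watch per allowed namespace and fans them into a
// single channel: one controller loop, namespaced list/watch RBAC only, no cluster-wide role.
func MultiNamespaceWatch(ctx context.Context, allowed []string, watch NamespaceWatcher) <-chan Event {
	out := make(chan Event)
	var wg sync.WaitGroup
	for _, ns := range allowed {
		wg.Add(1)
		go func(ns string) {
			defer wg.Done()
			for ev := range watch(ctx, ns) {
				select {
				case out <- ev:
				case <-ctx.Done(): // controller shutting down: stop forwarding
					return
				}
			}
		}(ns)
	}
	go func() { wg.Wait(); close(out) }() // close once every namespaced watch has ended
	return out
}
// FakeWatcher is a constructed API server: a fixed namespace -> secret names map,
// served one namespace at a time exactly like a real namespaced watch.
func FakeWatcher(secrets map[string][]string) NamespaceWatcher {
	return func(ctx context.Context, ns string) <-chan Event {
		ch := make(chan Event, len(secrets[ns]))
		for _, name := range secrets[ns] {
			ch <- Event{ns, name}
		}
		close(ch)
		return ch
	}
}
func main() {
	cluster := map[string][]string{"team-a": {"db-creds"}, "team-b": {"api-key", "tls"}, "kube-system": {"root-ca"}}
	for ev := range MultiNamespaceWatch(context.Background(), []string{"team-a", "team-b"}, FakeWatcher(cluster)) {
		fmt.Println(ev.Namespace, ev.Name) // kube-system never appears: it was never watched
	}
}
```

Because a watch is only opened for namespaces on the allowlist, the controller's ServiceAccount needs a Role/RoleBinding in each of those namespaces and nothing cluster-wide.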

I was searching all issues and release notes.... is there still a plan to implement this feature? Or perhaps... is it available at the moment and I have overlooked it?

It would be great to have a single controller for a specific team that is working in different namespaces.

disposab1e avatar Mar 30 '21 06:03 disposab1e