fix: Enforce namespace annotations for secrets #380

Merged
merged 5 commits into from
Dec 17, 2021


skomp (Member) commented Dec 2, 2021

Fixes #379 by enforcing an annotation on the namespace to allow reading a secret, basically not allowing default access.

@skomp skomp marked this pull request as draft December 2, 2021 11:24
skomp (Member, Author) commented Dec 2, 2021

Namespace annotations are now required, otherwise external secrets will fail like this:

{"level":50,"message_time":"2021-12-02T12:04:15.366Z","pid":18,"hostname":"external-secrets-kubernetes-external-secrets-68fb9c59f-k92k2","payload":{"err":{"type":"Error","message":"not allowed to fetch secret: default/test: Namespace annotation is required","stack":"Error: not allowed to fetch secret: default/test: Namespace annotation is required\n    at Poller._upsertKubernetesSecret (/app/lib/poller.js:162:14)\n    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n    at async Poller._poll (/app/lib/poller.js:128:7)"}},"msg":"failure while polling the secret default/test"}

@skomp skomp marked this pull request as ready for review December 2, 2021 12:06
@mergify mergify bot merged commit c5cac71 into main Dec 17, 2021
@mergify mergify bot deleted the enforce-namespace-annotations-for-secrets branch December 17, 2021 06:57
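
The deny-by-default rule discussed in this thread, as an added example that is not the project's code and not part of the PR. It assumes the namespace annotation holds a regular expression over the backend key name; the annotation key `example.invalid/permitted-key-name`, the function `isPermitted` and the `enforce` switch are hypothetical names chosen for illustration.

```javascript
// Added example: deny-by-default namespace check (not the project's code).
// ANNOTATION is a hypothetical placeholder key, not taken from the PR.
const ANNOTATION = 'example.invalid/permitted-key-name';

// Decide whether an ExternalSecret in `namespace` may read backend key `key`.
// enforce = true models the behaviour described in this PR (annotation required);
// enforce = false models the earlier default (missing annotation means allow).
function isPermitted(namespace, key, { enforce = true } = {}) {
  const annotations = (namespace.metadata && namespace.metadata.annotations) || {};
  const pattern = annotations[ANNOTATION];

  // Missing or empty annotation: this is the case the PR closes.
  if (pattern === undefined || pattern === '') {
    return enforce
      ? { allowed: false, reason: 'Namespace annotation is required' }
      : { allowed: true };
  }

  let re;
  try {
    // Anchor the pattern so "/team-a/.*" cannot match "/other/team-a/x".
    re = new RegExp(`^(?:${pattern})$`);
  } catch (err) {
    // An unparsable pattern must fail closed, not fall back to "allow".
    return { allowed: false, reason: `invalid annotation pattern: ${err.message}` };
  }

  return re.test(key)
    ? { allowed: true }
    : { allowed: false, reason: `key ${key} does not match ${pattern}` };
}

// Constructed sample namespaces (not real cluster objects).
const bare = { metadata: { name: 'default' } };
const teamA = {
  metadata: { name: 'team-a', annotations: { [ANNOTATION]: '/team-a/.*' } },
};
const broken = {
  metadata: { name: 'broken', annotations: { [ANNOTATION]: '(' } },
};
```

With `enforce` left at its default, `bare` is refused with the same reason string that appears in the log above, while `teamA` can read only keys under `/team-a/`.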

Successfully merging this pull request may close these issues.

External Secrets readable in all Namespaces