Accesing resources through different namespaces

General Discussions
1

If I have an app service deployed via helm in namespace dev, could this service access to a secret defined in namespace default?
Or
What is the namespace which the other resources in other namespaces can have access?

Maybe kube-public?

kube-public This namespace is created automatically and is readable by all users (including those not authenticated). This namespace is mostly reserved for cluster usage, in case that some resources should be visible and readable publicly throughout the whole cluster. The public aspect of this namespace is only a convention, not a requirement.

If I defined a secret in a kube-public namespace this should be readed by all in the cluster … But, is this the better option?

Here, talk about of Roles but I am not sure …

In where place should be my secrets in order to any environment can have access to them of a safe way?
Considering that it is my current implementation, what is the best approach?

By the way, is a good idea to have one kong-ingress by each namespace or maybe only one kong-ingress working in a cross-namespace approach? I know that this depends on the requirements, is a good idea to know that each domain has their own tls certificates.

zcrm365%20secrets-ns
zcrm365%20secrets-ns1045×717 84.1 KB

2

Secrets are restricted to namespaces, from the docs They can only be referenced by pods in that same namespace.

You may want to look into secret management tools like https://www.vaultproject.io/ or https://www.conjur.org/ .

3

HI, @macintoshprime tanks for the answer,

Does this mean that I would probably need to copy the secrets to each of the namespaces?
Do I need to replicate the docker and Postgres secrets in each environment namespace?

I am using Azure Key Vault, but that I make is create a secret with the Azure Key Vault resource values encoded and that is. And then I’ve created the secret necessarily in a specific namespace …
How this secret management tools (or Vault or conjure) can help me to read those secrets from them without keeping in mind the namespace?

4

Yes if you were just using the Kubernetes Secrets you would have to create the secrets in each namespace that needed them.

Azure KeyVault is good too, they have a nice tool that lets you mount secrets via a shared flex volume, checkout https://github.com/Azure/kubernetes-keyvault-flexvol . That way would should be able to manage the secrets there and not worry about having to create N secrets in every namespace.

1 Like