Reference single imagePullSecrets secret from multiple namespaces

Cluster information:

Kubernetes version: 1.18
Cloud being used: AWS

I’ve created a secret for dockerhub authentication, and I’m referencing it in a pod imagePullSecrets entry to authenticate to dockerhub.

I understand the recommended way to allow workloads in different namespaces to authenticate would be to create the secret in each namespace, and reference that secret in the pod's imagePullSecrets.

But I would like to only create the secret in one namespace, then reference that secret in the imagePullSecrets in other namespaces.

I realise secrets are namespace scoped, but I am attempting to make the secret available through RBAC (ClusterRole and ClusterRoleBinding allowing the pod's service account to read the secret in the other namespace).

In the pod spec, I am attempting to reference the secret like this:

imagePullSecrets:
  - name: kube-system.dockerhub-credentials

where the namespace the secret is stored in is kube-system.

So far I have not had any success with this. I am wondering if this is simply not possible, or if my rbac rules are incorrect. Has anyone else tried this/had any success?

It’s not possible. You have to create the registry secret in every namespace.

Before I continue, I’m going to warn you, if you’re hosting multiple tenants, just cloning secrets all willy-nilly is a terrible idea. We hate repetitive work, but we hate bad tenants doing bad things with our secrets more.

Anyways… This guy made a CustomResource and operator to maintain ClusterSecrets, that get synced across the cluster. If I had to pick a tool to do this, I would use this tool because it’s generalized.

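The answer above comes down to creating the registry secret in every namespace that pulls from Docker Hub. As an added example (not code from the thread or from any project it mentions), the following Python script builds the kubernetes.io/dockerconfigjson Secret once and emits one copy per target namespace, stripping the per-object metadata (uid, resourceVersion, and so on) that a `kubectl get secret -o json` dump carries and that would break or pollute a copy in another namespace. The namespace names, secret name and credentials are made-up sample values, and the explicit allowlist is an assumed control added to reflect the multi-tenant warning in the answer.

```python
"""Generate per-namespace copies of a Docker Hub imagePullSecret.

Added example, not from the original thread. Secrets are namespace-scoped,
so a pod in namespace "team-a" can only reference an imagePullSecret that
exists in "team-a"; this script builds one Secret manifest per target
namespace from a single set of credentials. The namespace names, secret
name and credentials below are constructed sample values.
"""
from __future__ import annotations

import base64
import json

# Constructed sample input for the example (hypothetical values).
REGISTRY = "https://index.docker.io/v1/"
SECRET_NAME = "dockerhub-credentials"
TARGET_NAMESPACES = ["team-a", "team-b", "team-c"]

# Metadata fields bound to one object in one namespace. Copying them from a
# `kubectl get secret -o json` dump into another namespace either fails
# (uid/resourceVersion belong to the source object) or carries stale data.
INSTANCE_METADATA = {
    "namespace", "uid", "resourceVersion", "creationTimestamp",
    "managedFields", "selfLink", "ownerReferences", "generation",
}


def docker_config_json(registry: str, username: str, password: str) -> bytes:
    """Build the .dockerconfigjson payload used by Secrets of type
    kubernetes.io/dockerconfigjson (the same shape that
    `kubectl create secret docker-registry` produces)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username,
                                   "password": password,
                                   "auth": auth}}}
    return json.dumps(config).encode()


def registry_secret(name: str, namespace: str, dockerconfig: bytes) -> dict:
    """One Secret manifest, scoped to `namespace`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(dockerconfig).decode()},
    }


def strip_instance_metadata(secret: dict) -> dict:
    """Drop fields tied to the source object so a secret fetched from the
    cluster can be re-created in a different namespace."""
    copy = json.loads(json.dumps(secret))  # cheap deep copy of plain JSON data
    copy["metadata"] = {k: v for k, v in copy.get("metadata", {}).items()
                        if k not in INSTANCE_METADATA}
    return copy


def replicate(secret: dict, namespaces: list[str], allowed: set[str]) -> dict:
    """Return a v1 List with one copy of `secret` per namespace.

    Refuses any namespace outside the explicit allowlist, so the registry
    token never lands in a tenant namespace by accident (the answer's
    warning about cloning secrets indiscriminately)."""
    rejected = [ns for ns in namespaces if ns not in allowed]
    if rejected:
        raise ValueError(f"refusing to copy secret into {rejected}")
    template = strip_instance_metadata(secret)
    items = []
    for ns in namespaces:
        item = json.loads(json.dumps(template))
        item["metadata"]["namespace"] = ns
        items.append(item)
    return {"apiVersion": "v1", "kind": "List", "items": items}


if __name__ == "__main__":
    source = registry_secret(
        SECRET_NAME, "kube-system",
        docker_config_json(REGISTRY, "example-user", "example-token"))
    # Pipe the output to `kubectl apply -f -` to create the secret in every
    # target namespace.
    print(json.dumps(replicate(source, TARGET_NAMESPACES,
                               set(TARGET_NAMESPACES)), indent=2))
```

Once the copies exist, each pod references the secret by its bare name (`imagePullSecrets: - name: dockerhub-credentials`), since the reference is resolved in the pod's own namespace; a `namespace.name` prefix like the one in the question is just an unknown secret name. Keep in mind that anyone who can read Secrets in a target namespace can read the registry token, which is the reason the answer tells you to be deliberate about where it is cloned.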