Only list akvs objects with object selector #178

Merged
merged 1 commit into from
May 31, 2021

laozc (Contributor) commented May 31, 2021

This allows akvs objects with different labels to be handled by controllers with different authorization policies.

@laozc laozc requested review from 181192 and torresdal as code owners May 31, 2021 07:35
181192 (Collaborator) commented May 31, 2021

Hi @laozc, could you please provide an example of usage on how this feature could be used?

laozc (Contributor, Author) commented May 31, 2021

Sure.
Suppose we have two key vaults managed by two separate teams.
They may be configured with different access policies for clear security boundaries.
Secrets/certificates in these key vaults may be read/accessed by applications within the same namespace.

It's possible to install multiple controllers in a cluster after support for listening within one namespace is added.
In this case, there can be two Akvs controllers provisioned for reading and syncing from the two separate key vaults.
Those two instances may be configured with different identities so they will only read/access one specific key vault.
As a result, the reconciliation needs to be able to distinguish those resources and access the key vault with the correct identity.
Labels can be used to control this.
We may label the object with
scope: teamA
and
scope: teamB
which may ask a specific controller to only listen on changes made to key vaults managed by a specific team.
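
The label scoping described in the comment above, as an added example that is not part of the pull request or the project's code: it models which controller would reconcile each akvs object, so that objects matched by no controller or by more than one identity stand out. The controller names, object names and the equality-only selector handling are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// matches evaluates an equality-only selector such as "scope=teamA". An empty selector
// matches every object; a malformed term matches nothing, so a typo cannot widen scope.
func matches(selector string, labels map[string]string) bool {
	if strings.TrimSpace(selector) == "" {
		return true
	}
	for _, term := range strings.Split(selector, ",") {
		kv := strings.SplitN(strings.TrimSpace(term), "=", 2)
		if got, ok := labels[kv[0]]; len(kv) != 2 || !ok || got != kv[1] {
			return false
		}
	}
	return true
}

// Owners maps each object name to the sorted list of controllers that would reconcile it.
func Owners(controllers map[string]string, objs map[string]map[string]string) map[string][]string {
	out := map[string][]string{}
	for name, labels := range objs {
		out[name] = []string{}
		for ctrl, sel := range controllers {
			if matches(sel, labels) {
				out[name] = append(out[name], ctrl)
			}
		}
		sort.Strings(out[name])
	}
	return out
}

// sample is constructed data (object name -> labels), not taken from the pull request.
var sample = map[string]map[string]string{
	"db-password":   {"scope": "teamA"},
	"tls-cert":      {"scope": "teamB"},
	"legacy-secret": {}, // unlabelled: no scoped controller will pick it up
}

func main() {
	scoped := map[string]string{"controller-a": "scope=teamA", "controller-b": "scope=teamB"}
	fmt.Println(Owners(scoped, sample))
}
```

An object with exactly one owner is read with one identity only; an empty owner list means the object is never synced, and two or more owners means more than one identity reconciles the same object.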

181192 (Collaborator) commented May 31, 2021

Aha I see, thanks for the explanation! 🙂

@181192 181192 merged commit 1959b80 into SparebankenVest:master May 31, 2021
181192 (Collaborator) commented May 31, 2021

Released controller 1.3.0-beta.3 for testing
