improvement: allow namespace selection in kubernetes authentication to go over label selection #182
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I will create the PR for the documentation on the main repo later this week. |
f4z3r
added a commit
to f4z3r/vault
that referenced
this pull request
Feb 23, 2023
…space selectors Relates-to: hashicorp/vault-plugin-auth-kubernetes#182
f4z3r
added a commit
to f4z3r/vault
that referenced
this pull request
Feb 23, 2023
…for namespace label selection Relates-to: hashicorp/vault-plugin-auth-kubernetes#182
|
Any updates on the implementation of this PR? |
|
@tommy-heyde-olsen I guess I am waiting for a review. The documentation PR on the main repo is done and I added a PR to support this use case in the helm chart as well. Have not goten feedback yet though. |
|
Would be great to see this get some attention and get merged. We could really use this feature. |
Implements: hashicorp#155
|
Closing in favor of #218 VAULT-6936 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Add possibility to reference the namespace from which ServiceAccounts authenticate via a label selector. This is useful in scenarios where Kubernetes namespaces are provided to teams by infrastructure teams, and standardized service accounts should be enabled to perform actions against Vault. At the moment, adding a namespace and service account within that namespace implies modifying the role on the Kubernetes authentication method. With this improvement, infrastructure teams can control what namespaces are allowed to connect to Vault via labels on the namespace itself.
Design of Change
See discussion in hashicorp/vault#16222.
Related Issues/Pull Requests
[ ] Issue #155
Contributor Checklist
[x] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
hashicorp/vault#19318
[x] Backwards compatible