thecodeteam / roadmap

The {code} Team Roadmap

[Proposal] Namespace for Secret Object for ScaleIO plugin volume

vladimirvivien opened this issue

The current configuration for the ScaleIO Kubernetes Secret object defaults to using the namespace of the PV or PodSpec where it is used. This forces the use of a secret which may not be intended for users. This proposal introduces a new Spec parameter called SecretNamespace to specify the namespace of the secret referenced in the spec. For instance, assuming your k8s cluster has a namespace called sio_namespace, the following sample config would apply.

Using a Spec

apiVersion: v1
spec:
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      volumeName: vol-0
      secretNamespace: "sio_namespace"
      secretRef:
        name: sio-secret
      fsType: xfs

Using a StorageClass

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sio-small
provisioner: kubernetes.io/scaleio
parameters:
  gateway: https://localhost:443/api
  system: scaleio
  protectionDomain: default
  secretNamespace: "sio_namespace"
  secretRef: sio-secret
  fsType: xfs

• If secretNamespace is not provided, the PV's namespace is assumed.

Closing this. Using RBAC is a better way to safeguard access to Kubernetes secrets based on roles.
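
An added example, not part of the original issue or the project's own configuration: the RBAC approach named in the closing comment, expressed as a Role that allows reading only `sio-secret` and a RoleBinding that grants it to a single identity. The namespace `sio-namespace` (Kubernetes namespace names are DNS labels, so a hyphen is used here), the Role and RoleBinding names, and the `sio-provisioner` service account are all assumptions made for illustration.

```yaml
# Added example; every name except "sio-secret" is an assumption.
apiVersion: v1
kind: Namespace
metadata:
  name: sio-namespace            # constructed namespace holding the secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sio-secret-reader        # hypothetical Role name
  namespace: sio-namespace       # a Role is scoped to this namespace only
rules:
- apiGroups: [""]                # "" is the core API group, where Secrets live
  resources: ["secrets"]
  resourceNames: ["sio-secret"]  # access is limited to this one Secret
  verbs: ["get"]                 # read only: no list, watch, create, update or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sio-secret-reader-binding  # hypothetical RoleBinding name
  namespace: sio-namespace
subjects:
- kind: ServiceAccount
  name: sio-provisioner          # hypothetical identity allowed to read the secret
  namespace: sio-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sio-secret-reader
```

The result can be checked with `kubectl auth can-i get secret/sio-secret -n sio-namespace --as=system:serviceaccount:sio-namespace:sio-provisioner`, and the same query for any other identity should answer `no` unless another binding grants it.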