[Proposal] Namespace for Secret Object for ScaleIO plugin volume
vladimirvivien opened this issue · comments
Vladimir Vivien commented
Current configuration for the ScaleIO Kubernetes Secret object defaults to using the namespace of the PV or PodSpec where it is used. This forces the use of a secret which may not be intended for users. This proposal introduces a new Spec parameter called `SecretNamespace` to specify the namespace of the secret referenced in the spec. For instance, assuming your k8s cluster has a namespace called `sio_namespace`, the following sample config would apply.
Using a Spec
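```yaml
# Spec fragment: only the volume definition is shown.
apiVersion: v1
spec:
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      volumeName: vol-0
      # Proposed parameter: namespace of the secret named in secretRef.
      secretNamespace: "sio_namespace"
      secretRef:
        name: sio-secret
      fsType: xfs
```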
Using a StorageClass
```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sio-small
provisioner: kubernetes.io/scaleio
parameters:
  gateway: https://localhost:443/api
  system: scaleio
  protectionDomain: default
  secretNamespace: "sio_namespace"
  secretRef: sio-secret
  fsType: xfs
```
- If `secretNamespace` is not provided, the PV's namespace is assumed.
Vladimir Vivien commented
Closing this. Using RBAC is a better way to safeguard access to Kubernetes secrets based on roles.
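The namespace defaulting rule from the proposal above, as an added Go example that is not part of the issue or of the ScaleIO plugin's code. The `ScaleIOVolume` type and both function names are hypothetical; the second function lists the volumes whose secret would be read from a namespace other than that of the PV or PodSpec using it, which are the references a reviewer would want to see before allowing such a parameter.

```go
package main

import "fmt"

// ScaleIOVolume is a hypothetical, trimmed-down stand-in for the volume
// fields shown in the proposal; it is not the Kubernetes API type.
type ScaleIOVolume struct {
	Name            string
	SecretName      string
	SecretNamespace string // proposed field; empty means "not provided"
}

// EffectiveSecretNamespace applies the proposal's defaulting rule: use
// SecretNamespace when set, otherwise the namespace of the owning PV/PodSpec.
func EffectiveSecretNamespace(v ScaleIOVolume, ownerNamespace string) string {
	if v.SecretNamespace != "" {
		return v.SecretNamespace
	}
	return ownerNamespace
}

// CrossNamespaceRefs returns one "volume: namespace/secret" entry for every
// volume whose secret resolves outside the owner's namespace.
func CrossNamespaceRefs(vols []ScaleIOVolume, ownerNamespace string) []string {
	var refs []string
	for _, v := range vols {
		ns := EffectiveSecretNamespace(v, ownerNamespace)
		if ns != ownerNamespace {
			refs = append(refs, fmt.Sprintf("%s: %s/%s", v.Name, ns, v.SecretName))
		}
	}
	return refs
}

func main() {
	// Constructed sample input reusing the names from the issue's example.
	vols := []ScaleIOVolume{
		{Name: "vol-0", SecretName: "sio-secret", SecretNamespace: "sio_namespace"},
		{Name: "vol-1", SecretName: "sio-secret"}, // falls back to owner namespace
	}
	for _, v := range vols {
		fmt.Printf("%s -> %s/%s\n", v.Name, EffectiveSecretNamespace(v, "default"), v.SecretName)
	}
	fmt.Println("cross-namespace:", CrossNamespaceRefs(vols, "default"))
}
```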