Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow KEDA to access secrets to other Namespace #4857

Closed
sdiamond2 opened this issue Aug 3, 2023 · 11 comments
Closed

Allow KEDA to access secrets to other Namespace #4857

sdiamond2 opened this issue Aug 3, 2023 · 11 comments
Labels
feature-request All issues for new features that have not been committed to needs-discussion stale All issues that are marked as stale due to inactivity

Comments

@sdiamond2
Copy link

Proposal

Hi Keda developers!!! :)

I would like to make a request to allow KEDA access secret to other namespaces.

Context:

This is in relation to the change that happened with this issue: #3668

Since the default for KEDA is to have access to all secrets, there was a request for restricting access to all secrets and use permissions.operator.restrict.secret = true (in the Helm Chart). I appreciate that this remove the secret access in the Cluster Role, but it also adds the environment variable: KEDA_RESTRICT_SECRET_ACCESS which then prevent KEDA to access secrets in other namespaces.

The idea here that I am requesting is that I would like to be able to create my own namespaced role that would give access to the secret with a namespaced role binding to the keda-operator.

For example, I have the following:

keda-operator running under its own namespace (keda)

I have namespace test-application where I have a deployment that I want to autoscale using KEDA.

I would like to do this when I enable permissions.operator.restrict.secret = true:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-application
  name: test-application-secret-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get","list","watch"]

---

apiVersion: rbac.authorization.k8.io/v1
kind: RoleBinding
metadata:
  namespace: test-application
  name: test-application-secret-rb
subjects:
- kind: ServiceAccount
  name: keda-operator
  apiGroup: rbac.authorization.k8s.io

Currently if I attempt this with having permissions.operator.restrict.secret = true, I get the following error when debug is enabled:

scale_handler Secret Access is restricted to be in Cluster Object Namespace, please use ClusterTriggerAuthentication instead of TriggerAuthentication.

I am running a multi tenant Kubernetes on premise cluster. I am not interested in putting secrets in the Keda-operator's namespace.

If I manually remove the environment variable KEDA_RESTRICT_SECRET_ACCESS and try again. I keep getting this error

Failed to watch/list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" at the cluster scope

The only this error goes away is if I allow access to ALL secrets. Even if I try to point to a specific secret in the ClusterRole definition, this error persists.

I hope this gives enough information for you guys! Thank you for you help!

Use-Case

This would help me tremendously, since I appreciate this project and like what it does. Sadly, I can't seem to be able to share secrets between the keda-operator and application namespaces.

Is this a feature you are interested in implementing yourself?

No

Anything else?

If you need any testing, I would be more than happy to get it tested for you!

Thank you so much!

@stale
Copy link

stale bot commented Oct 2, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Oct 2, 2023
@sdiamond2
Copy link
Author

Any status on this? :)

@stale stale bot removed the stale All issues that are marked as stale due to inactivity label Oct 3, 2023
@sdiamond2
Copy link
Author

Status on this please?

@tomkerkhove
Copy link
Member

@JorTurFer Don't we already support this?

@JorTurFer
Copy link
Member

This would help me tremendously, since I appreciate this project and like what it does. Sadly, I can't seem to be able to share secrets between the keda-operator and application namespaces.

Actually you can, currently you can't limit the supported namespaces and it's or KEDA namespace or all namespaces, but this can be a good improvement. Are you willing to contribute with the feature?

@zroubalik
Copy link
Member

Agree, let's have this configurable.

@sdiamond2
Copy link
Author

I wish I could, but I am not sure where to start. I thought it was a simple change. If this is not going to be implemented anytime soon, I may have to look into it or look for another alternative.

Copy link

stale bot commented Feb 6, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Feb 6, 2024
@joebowbeer
Copy link
Contributor

joebowbeer commented Feb 6, 2024

To be clear, KEDA 2.13.0/2.13.1 still has "get" access to all secrets by way of this permissive rule in the keda-operator ClusterRole:

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
yes

See: kedacore/keda-docs#1307

@stale stale bot removed the stale All issues that are marked as stale due to inactivity label Feb 6, 2024
Copy link

stale bot commented Apr 9, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Apr 9, 2024
Copy link

stale bot commented Apr 17, 2024

This issue has been automatically closed due to inactivity.

@stale stale bot closed this as completed Apr 17, 2024
@github-project-automation github-project-automation bot moved this from Proposed to Ready To Ship in Roadmap - KEDA Core Apr 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request All issues for new features that have not been committed to needs-discussion stale All issues that are marked as stale due to inactivity
Projects
Archived in project
Development

No branches or pull requests

5 participants