Closed Q-Nimbus closed 4 years ago
Hi Scott,
I had the same question a few weeks ago. The answer is in this section of the Kubernetes docs: https://kubernetes.io/docs/concepts/configuration/secret/#restrictions
Secrets can only be referenced by Pods in that same namespace.
However, this is a great feature idea, and so that I don't forget, this is how I would change the tool:
If you'd like to take on this feature let me know and I'll wait for a pull request. Otherwise, I should be able to find time to implement it in the next couple of weeks.
In the meantime, here's some useful information if you need to get yourself unblocked quicker:
1) You can use a ClusterRole instead of a regular Role when setting up a service account. This will give the pod/cronjob access to all namespaces instead of just one.
And you would need to do one of these two:
2.a) You can deploy k8s-ecr-login-renew cron jobs in each namespace that needs the docker secret.
2.b) Use kubectl to copy one secret to all the other namespaces. You can even create a cron job so that it runs automatically in your cluster.
Personally, I think 2.b is the more "elegant" solution, though it would require a bit more work. "2.a" should be fine if you only have a few namespaces.
Either way, hopefully you won't need either of the above in a couple of weeks.
Cheers.
Note to self: namespaces can only contain lowercase alphanumerics and dashes. This means we can:
* character to represent wildcard matching
TARGET_NAMESPACE env var while maintaining backwards compatibility
refs:
Hi, thank you for the quick response. Unfortunately I am quite new to k8s and not sure I could help with the changes; however, thank you for the above suggestions. I will look forward to the enhancement.
Scott
@Q-Nimbus No worries, I just didn't want to duplicate the effort.
Making the suggestion for this feature is still a contribution in my book. Do you have any objections to being listed as such?
No problem, many thanks for your help.
From: Nabeel Sulieman notifications@github.com
Sent: Friday, June 5, 2020 8:44:46 PM
To: nabsul/k8s-ecr-login-renew k8s-ecr-login-renew@noreply.github.com
Cc: Scott Bentley scott@free-flying.com; Mention mention@noreply.github.com
Subject: Re: [nabsul/k8s-ecr-login-renew] Use the service account in multiple namespaces? (#5)
@Q-Nimbus: I've released v1.2 on docker hub. You should now be able to use comma-separated namespace names in the TARGET_NAMESPACE environment variable, as well as the ?/* wildcards to match single or multiple characters respectively.
The latest label in docker hub still points to 1.1. I'd like to give 1.2 some time to bake before moving it.
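Added example, not part of the thread and not the project's own code: one way to expand a TARGET_NAMESPACE value of the kind described above (comma-separated names with ?/* wildcards) into the concrete namespaces that would receive the docker secret. The function name `ResolveNamespaces`, the use of Go's `path.Match` as the wildcard matcher, and the sample namespace list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Namespace names are lowercase alphanumerics and dashes, so ',', '?' and '*'
// can never appear in a real name and are safe to use as pattern syntax.
var validPattern = regexp.MustCompile(`^[a-z0-9?*-]+$`)

// ResolveNamespaces (hypothetical helper) expands a comma-separated pattern
// list against the namespaces that exist. It also returns every pattern that
// matched nothing, so a typo does not fail silently.
func ResolveNamespaces(spec string, existing []string) (matched, unmatched []string, err error) {
	hit := map[string]bool{}
	var patterns []string
	for _, p := range strings.Split(spec, ",") {
		p = strings.TrimSpace(p)
		if !validPattern.MatchString(p) { // also rejects empty entries
			return nil, nil, fmt.Errorf("invalid namespace pattern %q", p)
		}
		patterns = append(patterns, p)
	}
	for _, ns := range existing {
		found := false
		for _, p := range patterns {
			// Validation above rules out '[' and '\', so Match cannot error.
			if ok, _ := path.Match(p, ns); ok {
				hit[p], found = true, true
			}
		}
		if found {
			matched = append(matched, ns)
		}
	}
	for _, p := range patterns {
		if !hit[p] {
			unmatched = append(unmatched, p)
		}
	}
	return matched, unmatched, nil
}

func main() {
	// Constructed sample namespace list.
	existing := []string{"default", "kube-system", "team-a", "team-b", "team-batch"}
	fmt.Println(ResolveNamespaces("default, team-?, staging", existing))
}
```

A lone `*` matches every namespace, `kube-system` included, so printing the expansion before rollout shows exactly where the registry credential will be written.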
Hi, thank you for the great work on this.
I have a query, not a bug: I have found that I can only deploy images from the docker registry to the namespace where I deployed the ecr-login-renew.
Is it possible to allow this to access multiple namespaces? If so, how? Apologies for what is possibly just me not understanding how the permissions work.
Kind Regards,
Scott