superluminar-io / super-eks

super-eks is a CDK construct that provides a preconfigured EKS installation with batteries included.
Apache License 2.0

fix: Enforce namespace annotations for secrets #380

Closed skomp closed 2 years ago

skomp commented 2 years ago

Fixes #379 by enforcing an annotation on the namespace to allow reading a secret, basically not allowing default access.

skomp commented 2 years ago

Namespace annotations are now required; otherwise external secrets will fail like this:

{"level":50,"message_time":"2021-12-02T12:04:15.366Z","pid":18,"hostname":"external-secrets-kubernetes-external-secrets-68fb9c59f-k92k2","payload":{"err":{"type":"Error","message":"not allowed to fetch secret: default/test: Namespace annotation is required","stack":"Error: not allowed to fetch secret: default/test: Namespace annotation is required\n    at Poller._upsertKubernetesSecret (/app/lib/poller.js:162:14)\n    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n    at async Poller._poll (/app/lib/poller.js:128:7)"}},"msg":"failure while polling the secret default/test"}