thecodeteam / roadmap

The {code} Team Roadmap

[Proposal] Namespace for Secret Object for ScaleIO plugin volume #191

Closed vladimirvivien closed 6 years ago

vladimirvivien commented 6 years ago

The current configuration for the ScaleIO Kubernetes Secret object defaults to using the namespace of the PV or PodSpec where it is used. This forces the use of a secret which may not be intended for users. This proposal introduces a new Spec parameter called SecretNamespace to specify the namespace of the secret referenced in the spec. For instance, assuming your k8s cluster has a namespace called sio_namespace, the following sample config would apply.

Using a Spec

apiVersion: v1
spec:
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      volumeName: vol-0
      secretNamespace: "sio_namespace"
      secretRef:
        name: sio-secret
      fsType: xfs

Using a StorageClass

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sio-small
provisioner: kubernetes.io/scaleio
parameters:
  gateway: https://localhost:443/api
  system: scaleio
  protectionDomain: default
  secretNamespace: "sio_namespace"
  secretRef: sio-secret
  fsType: xfs

vladimirvivien commented 6 years ago

Closing this. Using RBAC is a better way to safeguard access to Kubernetes secrets based on roles.
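
The RBAC approach named in the closing comment, sketched as an added example that is not part of the original issue or the project's own configuration: a Role that allows reading only `sio-secret`, bound to a single service account. The namespace `sio-namespace` (hyphenated, because Kubernetes namespace names must be DNS labels), the service account `sio-provisioner`, and the Role and RoleBinding names are assumptions made for illustration.

```yaml
# Added example: least-privilege read access to one named secret.
# Assumed names: namespace "sio-namespace", service account "sio-provisioner".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sio-secret-reader          # hypothetical Role name
  namespace: sio-namespace         # the Role only applies inside this namespace
rules:
- apiGroups: [""]                  # core API group, where Secret objects live
  resources: ["secrets"]
  resourceNames: ["sio-secret"]    # only this secret, not every secret in the namespace
  verbs: ["get"]                   # no list/watch: listing secrets exposes their contents
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sio-secret-reader-binding  # hypothetical RoleBinding name
  namespace: sio-namespace
subjects:
- kind: ServiceAccount
  name: sio-provisioner            # hypothetical subject that needs the ScaleIO credentials
  namespace: sio-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sio-secret-reader
```

RBAC on `secrets` only covers direct API reads. A subject allowed to create pods in a namespace can still reference that namespace's secrets from a pod spec, so pod-creation rights need the same scoping.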