vmware-tanzu / secrets-manager

VMware Secrets Manager is a lightweight secrets manager to protect your sensitive data. It’s perfect for edge deployments where energy and footprint requirements are strict—See more: https://vsecm.com/
BSD 2-Clause "Simplified" License

Secrets shall have an optional policy #394

Open v0lkan opened 8 months ago

v0lkan commented 8 months ago

When creating a secret, the operator can enforce a policy.

The policy can be global, per workload, or per secret (based on workload/secret-name unique key)

The policy shall be externally created, and if there is a policy, creating secrets against that policy shall be denied.

The operator can delete the policy, of course, but their deletion (and policy creation) actions shall be logged for audit purposes.
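The policy model sketched in this issue, as an added illustration that is not VSecM code or code from the issue author: a small Go policy store with the three scopes (global, per workload, per workload/secret-name key), deny-on-match for secret creation, and an append-only audit trail for policy creation and deletion. The type and function names, the operator identity on each audit entry, and the precedence rule (when several policies match, the most specific one is reported as the reason for denial) are assumptions not stated in the issue.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Scope of a policy, ordered from least to most specific.
// The ordering is an assumption; the issue lists the scopes but sets no precedence.
type Scope int

const (
	ScopeGlobal   Scope = iota // applies to every workload and secret
	ScopeWorkload              // applies to every secret of one workload
	ScopeSecret                // applies to one workload/secret-name key
)

// Policy denies secret creation for whatever it matches.
type Policy struct {
	Name     string
	Scope    Scope
	Workload string // used by ScopeWorkload and ScopeSecret
	Secret   string // used by ScopeSecret only
}

// AuditEntry records one operator action on the policy set.
type AuditEntry struct {
	When     time.Time
	Operator string
	Action   string // "create" or "delete"
	Policy   string
}

// PolicyStore keeps policies by name plus an append-only audit trail.
type PolicyStore struct {
	policies map[string]Policy
	audit    []AuditEntry
	now      func() time.Time
}

func NewPolicyStore() *PolicyStore {
	return &PolicyStore{policies: map[string]Policy{}, now: time.Now}
}

// Create registers a policy and logs who created it.
func (s *PolicyStore) Create(operator string, p Policy) error {
	if _, exists := s.policies[p.Name]; exists {
		return fmt.Errorf("policy %q already exists", p.Name)
	}
	s.policies[p.Name] = p
	s.audit = append(s.audit, AuditEntry{s.now(), operator, "create", p.Name})
	return nil
}

// Delete removes a policy and logs who deleted it.
func (s *PolicyStore) Delete(operator, name string) error {
	if _, exists := s.policies[name]; !exists {
		return fmt.Errorf("policy %q not found", name)
	}
	delete(s.policies, name)
	s.audit = append(s.audit, AuditEntry{s.now(), operator, "delete", name})
	return nil
}

// matches reports whether p covers the given workload/secret-name key.
func (p Policy) matches(workload, secret string) bool {
	switch p.Scope {
	case ScopeGlobal:
		return true
	case ScopeWorkload:
		return p.Workload == workload
	case ScopeSecret:
		return p.Workload == workload && p.Secret == secret
	}
	return false
}

// Allow decides whether a secret may be created. Any matching policy denies;
// the name returned is the most specific denying policy (name order breaks ties).
func (s *PolicyStore) Allow(workload, secret string) (bool, string) {
	var denying []Policy
	for _, p := range s.policies {
		if p.matches(workload, secret) {
			denying = append(denying, p)
		}
	}
	if len(denying) == 0 {
		return true, ""
	}
	sort.Slice(denying, func(i, j int) bool {
		if denying[i].Scope != denying[j].Scope {
			return denying[i].Scope > denying[j].Scope
		}
		return denying[i].Name < denying[j].Name
	})
	return false, denying[0].Name
}

// Audit returns a copy of the audit trail in the order actions happened.
func (s *PolicyStore) Audit() []AuditEntry {
	out := make([]AuditEntry, len(s.audit))
	copy(out, s.audit)
	return out
}

func main() {
	// Constructed demo: operator "alice" locks one workload/secret key, then lifts it.
	s := NewPolicyStore()
	_ = s.Create("alice", Policy{Name: "no-billing-db", Scope: ScopeSecret, Workload: "billing", Secret: "db-password"})
	for _, k := range [][2]string{{"billing", "db-password"}, {"billing", "api-key"}} {
		ok, by := s.Allow(k[0], k[1])
		fmt.Printf("create %s/%s: allowed=%v denied-by=%q\n", k[0], k[1], ok, by)
	}
	_ = s.Delete("alice", "no-billing-db")
	for _, e := range s.Audit() {
		fmt.Printf("audit: %s %s policy=%s\n", e.Operator, e.Action, e.Policy)
	}
}
```

Deny-on-match is the whole semantics here, exactly as the issue describes it; there is no allow-list, so an empty store permits every creation and a single global policy blocks all of it. Whatever enforces this in practice would also need to protect the audit trail itself from the operator who can delete policies.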

v0lkan commented 7 months ago

Not sure this falls within the domain of VSecM.

This is more of the ballpark domain of tools like OPA.

v0lkan commented 7 months ago

Maybe we can create a demo that uses OPA to achieve this functionality. But that also might mean Sentinel shall know how to query OPA.