Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: manual rolebindings for global namespaces #2934

Merged
merged 6 commits into from
Dec 12, 2024
Merged

docs: manual rolebindings for global namespaces #2934

Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
eeca47f
docs: manual rolebindings for global namespaces
fykaa Nov 15, 2024
105977b
address reviews by @krancour
fykaa Nov 15, 2024
1d0df32
update warning and ns-name for rb
fykaa Nov 15, 2024
e2a377e
nit
fykaa Nov 15, 2024
f100b88
divide section into notes, info and warnings
fykaa Nov 20, 2024
1048484
nit: role -> clusterrole
fykaa Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 36 additions & 7 deletions docs/docs/30-how-to-guides/20-managing-credentials.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ sidebar_label: Managing credentials

# Managing Credentials

To manage the progression of freight from stage to stage, Kargo will often
To manage the progression of Freight from Stage to Stage, Kargo will often
require read/write permissions on private GitOps repositories and read-only
permissions on private container image and/or Helm chart repositories.

Expand Down Expand Up @@ -106,6 +106,41 @@ Refer to
[the advanced section of the installation guide](./10-installing-kargo.md#advanced-installation)
for more details.

While doing this you must ensure that the Kargo controller has the appropriate
permissions to read `Secret` resources in these namespaces. This is necessary because,
as of Kargo v1.0.0, the controller does not have cluster-wide access to `Secret`s. Permissions
are granted dynamically on a per-Project basis as `Projects` are created.
krancour marked this conversation as resolved.
Show resolved Hide resolved

You can do so by creating your own `RoleBinding`s to permit the Kargo
controller(s) to read Secret(s) from each of those namespaces:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kargo-controller-read-secrets
namespace: kargo-global-creds
subjects:
- kind: ServiceAccount
name: kargo-controller
namespace: kargo
roleRef:
kind: Role
name: kargo-controller-read-secrets
apiGroup: rbac.authorization.k8s.io
```

:::warning
Setting `controller.serviceAccount.clusterWideSecretReadingEnabled` setting to
`true` during Kargo installation will grant Kargo controllers cluster-wide read
permission on `Secret` resources.

__This is highly discouraged, especially in sharded environments where this
permission would have the undesirable effect of granting remote Kargo
controllers read permissions on all `Secret`s throughout the Kargo control
plane's cluster -- including `Secret`s having nothing to do with Kargo.__
:::

fykaa marked this conversation as resolved.
Show resolved Hide resolved
:::note
Any matching credentials (exact match _or_ pattern match) found in a project's
own `Namespace` take precedence over those found in any global credentials
Expand All @@ -125,12 +160,6 @@ searched in lexical order by name. Only after no exact match _and_ no pattern
match is found in one global credentials `Namespace` does Kargo search the next.
:::

:::caution
It is important to understand the security implications of this feature. Any
credentials stored in a global credentials `Namespace` will be available to
_all_ Kargo projects.
:::

## Managing Credentials with the CLI

The Kargo CLI can be used to manage credentials in a project's `Namespace.`
Expand Down