Skip to content

ClusterSecretStore RBAC model for multi-tenant shards #117

Description

@patrick-hermann-sva

Parent: #111

ClusterSecretStore is cluster-scoped → anything in the control plane can pull from it unless RBAC restricts ExternalSecret creation.

Design

  • Per-shard ClusterSecretStore naming convention
  • RBAC restricting ExternalSecret creation to platform-team namespaces
  • Vault policies scoped per shard (vSphere creds only readable by vm-control-plane, etc.)
  • PushSecret target paths in Vault KV v2 isolated per shard

Deliverable

RBAC manifests + Vault policy templates in this repo.

Metadata

Metadata

Assignees

No one assigned

    Labels

    esoExternal Secrets OperatorsecuritySecurity / RBACvaultHashiCorp Vault

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions