OpenShift Request For Enhancement / RFE-6523

Restrict Secret Access in Custom Auto Scaler


    • Feature Request
    • Resolution: Unresolved
    • Normal
    • openshift-4.15, openshift-4.16, openshift-4.17
    • API

      1. Proposed title of this feature request:
      Restrict Secret Access

      2. What is the nature and description of the request?
      By default, Custom Metrics Autoscaler requires adding secrets to the cluster role as follows:

      - apiGroups:
        - ""
        resources:
        - external
        - pods
        - secrets
        - services
        verbs:
        - get
        - list
        - watch

      However, this might lead to a security risk (especially in production environments), since it grants permission to read secrets from all namespaces.

      Custom Metrics Autoscaler should have a mechanism to restrict secret access, limiting it to the Custom Metrics Autoscaler namespace.

      More information about this is available in upstream KEDA:
      https://keda.sh/docs/2.15/operate/cluster/#restrict-secret-access

      3. Why does the customer need this? (List the business requirements here)

      To have better security, granting as few privileges as possible.

      4. List any affected packages or components.

      Custom Metrics Autoscaler
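
An audit check for the rule quoted in the request, as an added example (not code from this ticket, from KEDA or from Custom Metrics Autoscaler): it flags every RBAC rule that grants read access to core Secrets and reports whether the grant is cluster-scoped or confined to one namespace. The object names and the namespace are constructed; the input is assumed to have the shape of the `items` list from `oc get clusterroles,roles -A -o json`, and a ClusterRole is assumed to be bound with a ClusterRoleBinding.

```python
READ_VERBS = {"get", "list", "watch"}

def _covers(values, wanted):
    """True if an RBAC rule field includes `wanted`, honouring the '*' wildcard."""
    return "*" in values or wanted in values

def secret_read_findings(rbac_objects):
    """Return one finding per rule that lets its subject read core-group Secrets."""
    findings = []
    for obj in rbac_objects:
        kind = obj.get("kind")
        if kind not in ("ClusterRole", "Role"):
            continue
        meta = obj.get("metadata", {})
        # Assumption: a ClusterRole is bound cluster-wide (ClusterRoleBinding).
        scope = "cluster" if kind == "ClusterRole" else meta.get("namespace", "")
        for rule in obj.get("rules") or []:
            verbs = set(rule.get("verbs", []))
            granted = READ_VERBS if "*" in verbs else verbs & READ_VERBS
            if (granted and _covers(rule.get("apiGroups", []), "")
                    and _covers(rule.get("resources", []), "secrets")):
                findings.append({
                    "kind": kind,
                    "name": meta.get("name"),
                    "scope": scope,
                    "verbs": sorted(granted),
                    # A non-empty list narrows the grant to the named Secrets.
                    "resourceNames": rule.get("resourceNames", []),
                })
    return findings

def _rule(resources):
    """Build a constructed read-only rule on the core API group."""
    return {"apiGroups": [""], "resources": resources, "verbs": ["get", "list", "watch"]}

# Constructed sample objects; names and namespace are placeholders.
DEFAULT_RBAC = [{"kind": "ClusterRole", "metadata": {"name": "example-operator"},
                 "rules": [_rule(["external", "pods", "secrets", "services"])]}]
RESTRICTED_RBAC = [
    {"kind": "ClusterRole", "metadata": {"name": "example-operator"},
     "rules": [_rule(["external", "pods", "services"])]},
    {"kind": "Role", "metadata": {"name": "example-operator-secrets",
                                  "namespace": "example-autoscaler-ns"},
     "rules": [_rule(["secrets"])]},
]

if __name__ == "__main__":
    for label, objs in (("default", DEFAULT_RBAC), ("restricted", RESTRICTED_RBAC)):
        for finding in secret_read_findings(objs):
            print(label, finding)
```

A finding with scope `cluster` is the condition this request asks to eliminate; after restriction the only finding should be a Role scoped to the autoscaler's own namespace.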

              openshift-jira-automation-bot OpenShift Jira Automation Bot
              rhn-support-akanekar Ankita Kanekar