Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sharing secret across namespaces

Tags:

namespaces

kubernetes

People also ask

How do you share the secrets across namespaces in Kubernetes?

As being an API object kubernetes secrets can not be shared between the namespaces,so the other way would be to copy the Kubernetes secrets from one namespace to another namespace and we can achieve this by using the pipe “|” operator.

How do I move secrets from one namespace to another?

If you need to copy a secret from one namespace to another, you will get an error because the 'namespace' is still embedded in the yaml and cannot be overridden with the final apply. By using a sed replacement as a filter, you can do a quick transformation and get your desired result.

Is namespace a secret?

Secret API objects reside in a namespace. They can only be referenced by pods in that same namespace.

Can two pods in different namespaces communicate?

Namespaces are used to isolate resources within the control plane. For example if we were to deploy a pod in two different namespaces, an administrator running the “get pods” command may only see the pods in one of the namespaces. The pods could communicate with each other across namespaces however.

Secret API objects reside in a namespace. They can only be referenced by pods in that same namespace. Basically, you will have to create the secret for every namespace.

https://kubernetes.io/docs/concepts/configuration/secret/#details


They can only be referenced by pods in that same namespace. But you can just copy secret from one name space to other. Here is a example of copying localdockerreg secret from default namespace to dev:

kubectl get secret localdockerreg --namespace=default --export -o yaml | kubectl apply --namespace=dev -f -

###UPDATE### In Kubernetes v1.14 --export flag is deprecated. So, the following Command with -oyaml flag will work without a warning in forthcoming versions.

kubectl get secret localdockerreg --namespace=default -oyaml | kubectl apply --namespace=dev -f -

or below if source namespace is not necessarily default

kubectl get secret localdockerreg --namespace=default -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=dev -f -

The accepted answer is correct: Secrets can only be referenced by pods in that same namespace. So here is a hint if you are looking to automate the "sync" or just copy the secret between namespaces.

Automated (operator)

For automating the share or syncing secret across namespaces use ClusterSecret operator:

https://github.com/zakkg3/ClusterSecret

Using sed:

kubectl get secret <secret-name> -n <source-namespace> -o yaml \
| sed s/"namespace: <source-namespace>"/"namespace: <destination-namespace>"/\
| kubectl apply -n <destination-namespace> -f -

Use jq

If you have jq, we can use the @Evans Tucker solution

kubectl get secret cure-for-covid-19 -n china -o json \
 | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
 | kubectl apply -n rest-of-world -f -

Secrets are namespaced resources, but you can use a Kubernetes extension to replicate them. We use this to propagate credentials or certificates stored in secrets to all namespaces automatically and keep them in sync (modify the source and all copies are updated). See Kubernetes Reflector (https://github.com/EmberStack/kubernetes-reflector).

The extension allows you to automatically copy and keep in sync a secret across namespaces via annotations:

On the source secret add the annotations:

 annotations:
   reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"

This will create a copy of the secret in all namespaces. You can limit the namespaces in which a copy is created using:

reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"

The extension supports ConfigMaps and cert-manager certificates as well. Disclainer: I am the author of the Kubernetes Reflector extension.


--export is deprecated

sed is not the appropriate tool for editing YAML or JSON.

Here's an example that uses jq to delete the namespace and other metadata we don't want:

kubectl get secret cure-for-covid-19 -n china -o json \
 | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
 | kubectl apply -n rest-of-world -f -

Another option would be to use kubed, as recommended by the kind folks at Jetstack who gave us cert-manager. Here is what they link to.

Related questions

'namespace' but is used like a 'type'
What does "var FOO = FOO || {}" (assign a variable or an empty object to that variable) mean in Javascript?
Why an unnamed namespace is a "superior" alternative to static? [duplicate]
C# namespace alias - what's the point?
Why doesn't ANSI C have namespaces?
Define all functions in one .R file, call them from another .R file. How, if possible?
"Could not load type [Namespace].Global" causing me grief
Troubleshooting "The use statement with non-compound name ... has no effect"
Is there a better way to express nested namespaces in C++ within the header
Using std Namespace
Correct way to define C++ namespace methods in .cpp file
Namespace and class with the same name?
R: use magrittr pipe operator in self written package
This is Sparta, or is it?
how to ignore namespaces with XPath
Adding System.Web.Script reference in class library
PHP namespaces and "use"
"using namespace" in c++ headers [duplicate]
Should the folders in a solution match the namespace?
Superiority of unnamed namespace over static?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!