Is it possible to share secrets across namespaces in Kubernetes?

Is there a way to share secrets across namespaces in Kubernetes? My use case is: I have the same private registry for all my namespaces and I want to avoid creating the same secret for each. Secret API objects reside in a namespace. They can only be referenced by pods in that same namespace.

How to create secrets across namespaces in kubectl?

kubectl currently does not support creating secrets across namespaces. They are available to a single namespace. Rancher supports it creating secrets at the project level. it will replicate the secret to all namespaces in the project (present and future). also, functionality is not in the rancher cli yet.

Sharing secret across namespaces

People also ask

How do you share the secrets across namespaces in Kubernetes?

As being an API object kubernetes secrets can not be shared between the namespaces,so the other way would be to copy the Kubernetes secrets from one namespace to another namespace and we can achieve this by using the pipe “|” operator.

How do I move secrets from one namespace to another?

If you need to copy a secret from one namespace to another, you will get an error because the 'namespace' is still embedded in the yaml and cannot be overridden with the final apply. By using a sed replacement as a filter, you can do a quick transformation and get your desired result.

Is namespace a secret?

Secret API objects reside in a namespace. They can only be referenced by pods in that same namespace.

Can two pods in different namespaces communicate?

Namespaces are used to isolate resources within the control plane. For example if we were to deploy a pod in two different namespaces, an administrator running the “get pods” command may only see the pods in one of the namespaces. The pods could communicate with each other across namespaces however.

Secret API objects reside in a namespace. They can only be referenced by pods in that same namespace. Basically, you will have to create the secret for every namespace.

https://kubernetes.io/docs/concepts/configuration/secret/#details

They can only be referenced by pods in that same namespace. But you can just copy secret from one name space to other. Here is a example of copying localdockerreg secret from default namespace to dev:

kubectl get secret localdockerreg --namespace=default --export -o yaml | kubectl apply --namespace=dev -f -

###UPDATE### In Kubernetes v1.14 --export flag is deprecated. So, the following Command with -oyaml flag will work without a warning in forthcoming versions.

kubectl get secret localdockerreg --namespace=default -oyaml | kubectl apply --namespace=dev -f -

or below if source namespace is not necessarily default

kubectl get secret localdockerreg --namespace=default -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=dev -f -

The accepted answer is correct: Secrets can only be referenced by pods in that same namespace. So here is a hint if you are looking to automate the "sync" or just copy the secret between namespaces.

Automated (operator)

For automating the share or syncing secret across namespaces use ClusterSecret operator:

https://github.com/zakkg3/ClusterSecret

Using sed:

kubectl get secret <secret-name> -n <source-namespace> -o yaml \
| sed s/"namespace: <source-namespace>"/"namespace: <destination-namespace>"/\
| kubectl apply -n <destination-namespace> -f -

Use jq

If you have jq, we can use the @Evans Tucker solution

kubectl get secret cure-for-covid-19 -n china -o json \
 | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
 | kubectl apply -n rest-of-world -f -

Secrets are namespaced resources, but you can use a Kubernetes extension to replicate them. We use this to propagate credentials or certificates stored in secrets to all namespaces automatically and keep them in sync (modify the source and all copies are updated). See Kubernetes Reflector (https://github.com/EmberStack/kubernetes-reflector).

The extension allows you to automatically copy and keep in sync a secret across namespaces via annotations:

On the source secret add the annotations:

 annotations:
   reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"

This will create a copy of the secret in all namespaces. You can limit the namespaces in which a copy is created using:

reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"

The extension supports ConfigMaps and cert-manager certificates as well. Disclainer: I am the author of the Kubernetes Reflector extension.

--export is deprecated

sed is not the appropriate tool for editing YAML or JSON.

Here's an example that uses jq to delete the namespace and other metadata we don't want:

kubectl get secret cure-for-covid-19 -n china -o json \
 | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
 | kubectl apply -n rest-of-world -f -

Another option would be to use kubed, as recommended by the kind folks at Jetstack who gave us cert-manager. Here is what they link to.

Related questions
                            
                                'namespace' but is used like a 'type'
                            
                                What does "var FOO = FOO || {}" (assign a variable or an empty object to that variable) mean in Javascript?
                            
                                Why an unnamed namespace is a "superior" alternative to static? [duplicate]
                            
                                C# namespace alias - what's the point?
                            
                                Why doesn't ANSI C have namespaces?
                            
                                Define all functions in one .R file, call them from another .R file. How, if possible?
                            
                                "Could not load type [Namespace].Global" causing me grief
                            
                                Troubleshooting "The use statement with non-compound name ... has no effect"
                            
                                Is there a better way to express nested namespaces in C++ within the header
                            
                                Using std Namespace
                            
                                Correct way to define C++ namespace methods in .cpp file
                            
                                Namespace and class with the same name?
                            
                                R: use magrittr pipe operator in self written package
                            
                                This is Sparta, or is it?
                            
                                how to ignore namespaces with XPath
                            
                                Adding System.Web.Script reference in class library
                            
                                PHP namespaces and "use"
                            
                                "using namespace" in c++ headers [duplicate]
                            
                                Should the folders in a solution match the namespace?
                            
                                Superiority of unnamed namespace over static?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

Sharing secret across namespaces

Tags:

namespaces

kubernetes

People also ask

Automated (operator)

Using sed:

Use jq

Recent Activity

Donate For Us