Document restrictions of strict scope
AndiDog committed Oct 16, 2019
1 parent 4315de9 commit 75695c6
Showing 2 changed files with 7 additions and 5 deletions.
10 changes: 6 additions & 4 deletions README.md
Expand Up @@ -174,11 +174,13 @@ Furthermore, namespaces are not the only level at which RBAC configurations can

That said, there are many scenarios where you might not care about this level of protection. For example, the only people who have access to your clusters are either admins or they cannot read any secret resource at all. You might have a use case for moving a sealed secret to other namespaces (e.g. you might not know the namespace name upfront), or you might not know the name of the secret (e.g. it could contain a unique suffix based on the hash of the contents etc).

You can select the "scope":
These are the possible scopes:

* strict (default)
* namespace-wide: you can freely rename the sealed secret within a given namespace
* cluster-wide: you
* `strict` (default): the secret must be sealed with exactly the same *name* and *namespace*. These attributes become *part of the encrypted data* and thus changing name and/or namespace would lead to "decryption error".
* `namespace-wide`: you can freely *rename* the sealed secret within a given namespace
* `cluster-wide`: the secret can be unsealed in *any* namespace and can be given *any* name.

In contrast to the restrictions of *name* and *namespace*, secret *data keys* (e.g. `spec.encryptedData.my-key`) can be renamed at will without losing the ability to decrypt the sealed secret.

The scope is selected with annotations in the input secret you pass to `kubeseal`:

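Review bot: the new `namespace-wide` bullet only says what becomes allowed (renaming) and not what remains enforced, so the three bullets are not parallel with the `strict` one, which spells out that name and namespace are part of the encrypted data and that changing them produces a "decryption error". Suggest stating explicitly that under `namespace-wide` the *namespace* still becomes part of the encrypted data, so moving the sealed secret to another namespace still fails to decrypt; and, since the preceding paragraphs motivate the scopes by the RBAC protection that namespaces give, the `cluster-wide` bullet should say plainly that it gives up that protection entirely (any user who can create a SealedSecret in any namespace can unseal it there). The sentence "The scope is selected with annotations in the input secret you pass to `kubeseal`:" ends the visible hunk; it would help readers if the annotation names and the corresponding `kubeseal` flag, if any, appear immediately after it rather than further down.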
2 changes: 1 addition & 1 deletion pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go
Expand Up @@ -73,7 +73,7 @@ func (s *SealingScope) Set(v string) error {
// Type implements the pflag.Value interface
func (s *SealingScope) Type() string { return "string" }

// EncryptionLabel returns the label meant to be ysed for encrypting a sealed secret according to scope.
// EncryptionLabel returns the label meant to be used for encrypting a sealed secret according to scope.
func EncryptionLabel(namespace, name string, scope SealingScope) []byte {
var l string
switch scope {
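Review bot: the typo fix ("ysed" to "used") is correct and safe, but the doc comment on `EncryptionLabel` still does not say what the label actually contains for each `SealingScope`, which is the security-relevant property the README hunk in this same commit describes (name and namespace being bound into the encrypted data). Suggest extending the comment to state, per scope, which of `namespace` and `name` are included in the returned label (and that the label is empty for the cluster-wide scope, if that is what the `switch` below produces), so that readers of the Go code and of the README get the same guarantees without having to read the `switch` body.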

0 comments on commit 75695c6