Allow resources to reference a Connection for CyberArk Certificate Manager in another namespace¶
By default, a Connection resource can only be used by resources that are in the same namespace as that Connection resource.
Alternatively, the allowReferencesFrom
field in the Connection resource definition allows resources from other namespaces to use the Connection resource. The allowReferencesFrom
field is a namespace selector that specifies what namespaces this Connection resource is allowed to be used from.
- If not set or set to
null
, the Connection resource can only be used within its namespace. - An empty selector
{}
matches all namespaces. - If set to a non-empty selector, the Connection resource can only be used from namespaces that match the selector. This possibly excludes the namespace the Connection resource is in.
Allow a specific namespace to use the Connection resource¶
The following example shows a label selector that allows resources in the application-team-1
namespace to use the VenafiConnection
:
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
name: application-team-1-connection
namespace: venafi
spec:
allowReferencesFrom:
matchLabels:
"kubernetes.io/metadata.name": application-team-1
...
Allow a Connection resource to be used from multiple namespaces¶
The following example shows a label selector that allows all resources in a specified list of namespaces [application-team-1
, application-team-2
, application-team-3
] to use the Connection resource:
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
name: application-team-1-connection
namespace: venafi
spec:
allowReferencesFrom:
matchExpressions:
- { key: "kubernetes.io/metadata.name", operator: In, values: [application-team-1, application-team-2, application-team-3] }
...
Note
See the Kubernetes documentation for more information about matchExpressions
.
Allow all namespaces with a label to use the Connection resource¶
The following example shows a label selector that allows all resources in all namespaces with a specified label value to use the Connection resource:
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
name: application-team-1-connection
namespace: venafi
spec:
allowReferencesFrom:
matchLabels:
namespace-owner: application-team-1
...