
Allow resources to reference a Connection for CyberArk Certificate Manager in another namespace

By default, a Connection resource can only be used by resources that are in the same namespace as that Connection resource.

To let resources in other namespaces use a Connection resource, set the allowReferencesFrom field in the Connection resource definition. The allowReferencesFrom field is a namespace selector that specifies which namespaces this Connection resource can be used from.

  • If not set or set to null, the Connection resource can only be used within its namespace.
  • An empty selector {} matches all namespaces.
  • If set to a non-empty selector, the Connection resource can only be used from namespaces that match the selector. This can exclude the namespace the Connection resource itself is in, if that namespace does not match the selector.

Allow a specific namespace to use the Connection resource

The following example shows a label selector that allows resources in the application-team-1 namespace to use the VenafiConnection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchLabels:
      "kubernetes.io/metadata.name": application-team-1

  ...

Allow a Connection resource to be used from multiple namespaces

The following example shows a label selector that allows all resources in a specified list of namespaces [application-team-1, application-team-2, application-team-3] to use the Connection resource:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchExpressions:
      - { key: "kubernetes.io/metadata.name", operator: In, values: [application-team-1, application-team-2, application-team-3] }

  ...

Note

See the Kubernetes documentation for more information about matchExpressions.

Allow all namespaces with a label to use the Connection resource

The following example shows a label selector that allows all resources in all namespaces with a specified label value to use the Connection resource:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchLabels:
      namespace-owner: application-team-1

  ...
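
The following added example (not code from the product or its documentation) models the three allowReferencesFrom rules above and evaluates the page's selectors against a small set of namespaces, so you can check which namespaces a selector admits before applying it. The function names and the namespace labels are constructed for illustration; note that a selector on a custom label such as namespace-owner admits every namespace carrying that label, whereas kubernetes.io/metadata.name is set by the API server to the namespace's own name.

```python
# Added example: a model of the allowReferencesFrom rules described on this page.
# Function and variable names are hypothetical, not the operator's own code.

def _expr_matches(expr, labels):
    """Evaluate one matchExpressions requirement against a namespace's labels."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")


def may_reference(selector, connection_ns, referrer_ns, referrer_labels):
    """Return True if a resource in referrer_ns may use the Connection."""
    if selector is None:                      # unset or null: same namespace only
        return referrer_ns == connection_ns
    match_labels = selector.get("matchLabels") or {}
    match_exprs = selector.get("matchExpressions") or []
    # An empty selector {} has no requirements, so every namespace matches.
    # Otherwise all requirements are ANDed; the Connection's own namespace
    # gets no special treatment and is excluded unless its labels match.
    return (all(referrer_labels.get(k) == v for k, v in match_labels.items())
            and all(_expr_matches(e, referrer_labels) for e in match_exprs))


# Constructed namespace labels for the demo (not taken from a real cluster).
NAMESPACES = {
    "venafi": {"kubernetes.io/metadata.name": "venafi"},
    "application-team-1": {"kubernetes.io/metadata.name": "application-team-1",
                           "namespace-owner": "application-team-1"},
    "application-team-4": {"kubernetes.io/metadata.name": "application-team-4",
                           "namespace-owner": "application-team-1"},
}

def allowed_namespaces(selector, connection_ns="venafi"):
    """List the constructed namespaces that the selector admits."""
    return sorted(ns for ns, labels in NAMESPACES.items()
                  if may_reference(selector, connection_ns, ns, labels))

BY_NAME = {"matchLabels": {"kubernetes.io/metadata.name": "application-team-1"}}
BY_OWNER = {"matchLabels": {"namespace-owner": "application-team-1"}}

if __name__ == "__main__":
    for name, sel in [("unset", None), ("empty {}", {}),
                      ("by name", BY_NAME), ("by owner label", BY_OWNER)]:
        print(f"{name:15} -> {allowed_namespaces(sel)}")
```

In the constructed data, application-team-4 carries the same namespace-owner label as application-team-1, so the label-based selector admits both while the name-based selector admits only one.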