Allow resources to reference a Venafi Connection in another namespace¶
By default, a Venafi Connection resource can only be used by resources that are in the same namespace as that Venafi Connection resource
Alternatively, the allowReferencesFrom
field in the Venafi Connection definition allows resources from other namespaces to use the Venafi
Allow a specific namespace to use the Venafi Connection¶
The following example shows a label selector that allows resources in the application-team-1
namespace to use the VenafiConnection
:
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
name: application-team-1-connection
namespace: venafi
spec:
allowReferencesFrom:
matchLabels:
"kubernetes.io/metadata.name": application-team-1
...
Allow a Venafi Connection to be used from multiple namespaces¶
The following example shows a label selector that allows all resources in a specified list of namespaces [application-team-1
, application-team-2
, application-team-3
] to use the Venafi Connection:
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
name: application-team-1-connection
namespace: venafi
spec:
allowReferencesFrom:
matchExpressions:
- { key: "kubernetes.io/metadata.name", operator: In, values: [application-team-1, application-team-2, application-team-3] }
...
Note
See the Kubernetes documentation for more information about matchExpressions
.
Allow all namespaces with a label to use the Venafi Connection¶
The following example shows a label selector that allows all resources in all namespaces with a specified label value to use the Venafi Connection:
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
name: application-team-1-connection
namespace: venafi
spec:
allowReferencesFrom:
matchLabels:
namespace-owner: application-team-1
...