app in its own namespace with a service account available in any namespace

12/16/2020

I have a very specific scenario I'm trying to solve for:

  • Using Kubernetes (single cluster)
  • Installing Vault on that cluster
  • Sending GitLab containers to the same cluster.

I need to install Vault in such a way that:

  1. Vault lives in its own namespace (easy/solved)
  2. Vault's service account (vault-auth) is available to all other namespaces (unsolved)

GitLab's default behavior is to put all apps/services into their own namespaces with the Project ID, e.g. repo_name+project_id. It's predictable, but the two options are:

  1. When the app is in its own namespace it cannot access the Vault service account in the 'vault' Namespace. It requires you to create a vault service account in each application namespace; hot garbage, or...
  2. Put ALL apps + Vault in the default namespace and applications can easily find the 'vault-auth' service account. Messy but totally works.

Using GitLab in the way it is intended (and I don't disagree) means leaving each app in its own namespace. The question then becomes:

How would one create the Kubernetes Service Account for Vault (vault-auth) so that Vault the application is in its own namespace but the service account itself is available to ALL namespaces?

Then, no matter the namespace that GitLab creates, the containers have equal access to the 'vault-auth' service account.

-- todd_dsm
gitlab
hashicorp-vault
kubernetes
namespaces
service-accounts
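As an added illustration (not part of the original post, and not an answer posted on the site), the Vault Kubernetes auth setup this question is circling: the vault-auth service account needs only a cluster-wide TokenReview binding, while app pods in GitLab's per-project namespaces authenticate with their own namespace's service account and a Vault role decides which namespaces are accepted. The role name gitlab-apps, the policy gitlab-app-policy and the namespaces repo-a-101/repo-b-102 are assumptions.

```shell
# Added example, not from the original post. Assumptions: Vault runs in the
# "vault" namespace under service account "vault-auth", GitLab deploys each
# app into its own namespace using that namespace's "default" service account,
# the Vault Kubernetes auth method is mounted at auth/kubernetes, and
# VAULT_ADDR/VAULT_TOKEN are exported for the vault CLI.
set -eu

VAULT_NS="vault"
VAULT_SA="vault-auth"

# 1. The only cluster-wide permission Vault's own service account needs is
#    TokenReview, so it can validate tokens presented by pods in any namespace.
#    Binding it to the built-in system:auth-delegator ClusterRole grants exactly that.
bind_token_reviewer() {
  kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-auth-tokenreview
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: ${VAULT_SA}
  namespace: ${VAULT_NS}
EOF
}

# Join namespace names into the comma-separated list the Vault role expects.
join_namespaces() { local IFS=","; echo "$*"; }

# 2. App pods never borrow vault-auth; each logs in with its own namespace's
#    service-account token. The Vault role decides which (name, namespace)
#    pairs are accepted. "*" for namespaces would match every namespace GitLab
#    creates but is the permissive setting; listing them is least privilege.
configure_vault_role() {
  local role="$1" policy="$2" namespaces="$3"
  vault write "auth/kubernetes/role/${role}" \
    bound_service_account_names="default" \
    bound_service_account_namespaces="${namespaces}" \
    token_policies="${policy}" \
    token_ttl="1h"
}

# Apply only when explicitly requested, so the file can be sourced safely.
if [ "${APPLY:-0}" = "1" ]; then
  bind_token_reviewer
  configure_vault_role gitlab-apps gitlab-app-policy "$(join_namespaces repo-a-101 repo-b-102)"
fi
```

Run with `APPLY=1` against a cluster where kubectl and vault are configured; sourcing the file without it only defines the functions.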

0 Answers