Secrets management across namespaces without hierarchical relationship for kubernetes auth

Hello guys,

Recently, with Vault Enterprise 1.13.0, you released the awesome feature group_policy_application_mode, which allows secrets sharing across multiple independent namespaces. In the article you described the case with userpass authentication and identity/entity.

However, it's not clear how this feature works with the kubernetes authentication plugin.
Please find the scenario below:
In namespace /dev/gcp we set up kubernetes authentication for a cluster that includes 3 roles for microservices.
In namespace /shared we have secrets in the path kv/data/.
We want to allow microservices to authenticate in namespace /dev/gcp and read secrets from path kv/data/ in namespace /shared.
Initially we don't have any identity/entities connected with kubernetes authentication, because the number of clients could vary from 1 to 100, and k8s namespaces and service accounts could also be different.

Could you please review this case and provide an example of how we can configure cross-namespace access for kubernetes authentication?

Thank you.

I'd like to start by saying I no longer work for a company with a Vault Enterprise license, so all I know is what's in the public documentation… but from that documentation, it looks pretty clear (at least with extensive prior experience with namespaces and the Vault identity system) that for this feature to be used, you would have to pre-create Vault identities for each Kubernetes service account, using custom automation of your own design.
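The pre-created identities the answer refers to, as an added example (not code from this thread or from HashiCorp): a dry-run-by-default script that creates a kubernetes auth role and a matching entity plus alias in dev/gcp for each service account, then a group in shared that applies a kv/data read policy to those entities. It assumes Vault Enterprise 1.13+, that both namespaces and the kubernetes mount already exist, jq and a root-namespace token, placeholder names (svc-a, app, shared-kv-read, gcp-dev-microservices), and that the group-policy-application setting is written from the root namespace (also an assumption).

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-create one Vault entity per Kubernetes
# service account in dev/gcp and let a group in the sibling namespace shared grant
# those entities read access to kv/data/*. Assumes Vault Enterprise >= 1.13, both
# namespaces and the kubernetes auth mount exist, VAULT_ADDR/VAULT_TOKEN (root) are
# set, jq is installed; names like svc-a/app/shared-kv-read are placeholders.
set -eu; DRY_RUN="${DRY_RUN:-1}"   # 1 (default) only prints vault commands; 0 runs them
AUTH_NS=dev/gcp; SECRET_NS=shared; K8S_MOUNT=kubernetes
POLICY=shared-kv-read; GROUP=gcp-dev-microservices
run() { if [ "$DRY_RUN" = 1 ]; then printf 'vault %s\n' "$*"; else vault "$@"; fi; }
# Run a subcommand with -format=json and extract one jq field; in dry-run the
# command is printed and "<filter>" is returned as a stand-in for the real value.
vault_field() {            # $1 = jq filter, $2 = vault subcommand, rest = its args
  filter=$1; cmd=$2; shift 2
  if [ "$DRY_RUN" = 1 ]; then run "$cmd" -format=json "$@" >&2; printf '<%s>\n' "$filter"
  else vault "$cmd" -format=json "$@" | jq -r "$filter"; fi
}
# 1. Auth role in dev/gcp. alias_name_source=serviceaccount_name names the alias
#    "<k8s namespace>/<service account>", which survives SA recreation (the SA UID,
#    the default alias source, would change and orphan the pre-created entity).
create_role() {            # $1 = k8s namespace, $2 = service account
  run write -namespace="$AUTH_NS" "auth/$K8S_MOUNT/role/$2" \
    bound_service_account_names="$2" bound_service_account_namespaces="$1" \
    alias_name_source=serviceaccount_name token_policies=default token_ttl=1h
}
# 2. Entity plus an alias on the kubernetes mount whose name matches what the role
#    produces at login, so logins attach to this entity. Prints the entity id.
create_entity() {          # $1 = k8s namespace, $2 = service account
  accessor=$(vault_field ".\"$K8S_MOUNT/\".accessor" auth list -namespace="$AUTH_NS")
  id=$(vault_field .data.id write -namespace="$AUTH_NS" identity/entity name="$1-$2")
  run write -namespace="$AUTH_NS" identity/entity-alias name="$1/$2" \
    canonical_id="$id" mount_accessor="$accessor" >&2
  echo "$id"
}
# 3. In shared: read policy and a group holding the dev/gcp entities. Mode "any" is
#    what lets a group's policies reach entities outside its own namespace subtree
#    (assumed here to be configured from the root namespace).
grant_shared_access() {    # $1 = comma-separated entity ids
  run policy write -namespace="$SECRET_NS" "$POLICY" - <<'EOF'
path "kv/data/*" { capabilities = ["read"] }
EOF
  run write sys/config/group-policy-application group_policy_application_mode=any
  run write -namespace="$SECRET_NS" identity/group name="$GROUP" policies="$POLICY" \
    member_entity_ids="$1"
}
main() { ids=""            # constructed sample: three microservices in k8s namespace "app"
  for sa in svc-a svc-b svc-c; do
    create_role app "$sa"; ids="${ids:+$ids,}$(create_entity app "$sa")"
  done
  grant_shared_access "$ids"   # pods then log in at dev/gcp and read from shared
}
main
```

Run with DRY_RUN=0 only after reviewing the printed command list; the entity write is not idempotent, so re-runs against an existing entity name should be reconciled by looking the entity up first.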

Thank you for the reply.