Recently, with Vault Enterprise 1.13.0 you released the awesome feature group_policy_application_mode, which allows secrets sharing across multiple independent namespaces. In the article you described the case with userpass authentication and identity/entity.
However, it’s not clear how this feature works with the Kubernetes authentication plugin.
Please find the scenario below:
In namespace /dev/gcp we set up Kubernetes authentication for a cluster that includes 3 roles for microservices.
In namespace /shared we have secrets in the path kv/data/.
We want to allow microservices to authenticate in namespace /dev/gcp and read secrets from path kv/data/ in namespace /shared.
Initially we don’t have any identity/entities connected with Kubernetes authentication, because the number of clients could vary from 1 to 100, and the k8s namespaces and service accounts could also differ.
Could you please review this case and provide an example of how we can configure cross-namespace access for Kubernetes authentication?