Hello guys,
Recently, with Vault Enterprise 1.13.0 you released an awesome feature, group_policy_application_mode, that allows secrets sharing across multiple independent namespaces. In the article you described the case with userpass authentication and identity/entity.
However, it's not clear how this feature works with the kubernetes authentication plugin.
Please find scenario below:
In namespace /dev/gcp we set up kubernetes authentication for a cluster that includes 3 roles for microservices.
In namespace /shared we have secrets in the path kv/data/.
We want to allow microservices to authenticate in namespace /dev/gcp and read secrets from path kv/data/ in namespace /shared.
Initially we don't have any identity/entities connected with kubernetes authentication, because the number of clients could vary from 1 to 100, and the k8s namespaces and service accounts could also be different.
Could you please review this case and provide an example of how we can configure cross-namespace access for kubernetes authentication?
Thank you.