
deploy: 02886122ea9a595cc467ef6504cc2aaf3072fb82

paul-the-alien[bot] 5 years ago
parent
commit
802c4a6362

+ 2 - 16
api-overview/index.html

@@ -945,23 +945,9 @@ ESO.</p>
 privileges. It will create/read/update secrets in all namespaces and has access
 to secrets stored in some external API. Ensure that the credentials you provide
 give ESO the least privilege necessary.</p>
-<p>Design your <code>SecretStore</code>/<code>ClusterSecretStore</code> carefully! Use annotations on
-namespaces to restrict access of application developers to read only certain
+<p>Design your <code>SecretStore</code>/<code>ClusterSecretStore</code> carefully! Be sure to restrict
+access of application developers to read only certain
 keys in a shared environment.</p>
-<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
-<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Namespace</span>
-<span class="nt">metadata</span><span class="p">:</span>
-  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">team-a</span>
-  <span class="nt">annotations</span><span class="p">:</span>
-    <span class="c1"># annotation that defines which keys can be read</span>
-    <span class="c1"># the annotation value is a regular expression</span>
-    <span class="nt">external-secrets.io/permitted-key-name</span><span class="p">:</span> <span class="s">&quot;a/development/*&quot;</span>
-</pre></div>
-
-<div class="admonition bug">
-<p class="admonition-title">Not implemented</p>
-<p>This is currently <strong>not yet</strong> implemented. Feel free to contribute.</p>
-</div>
 <p>You should also consider using Kubernetes' admission control system (e.g.
 <a href="https://www.openpolicyagent.org/">OPA</a> or <a href="https://kyverno.io/">Kyverno</a>) for
 fine-grained access control.</p>
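Review bot: The added sentence "Be sure to restrict access of application developers to read only certain keys" tells the reader to restrict access but, with the annotation example removed, no longer says with what. The only mechanism left in this hunk is the admission-control paragraph that follows, and it is still introduced with "You should also consider", as if it supplemented something else. Suggest merging the two: say that ESO itself does not filter keys per namespace, and that the restriction has to come from the scope of the credentials given to the store or from an admission policy (OPA, Kyverno).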

+ 2 - 13
guides-multi-tenancy/index.html

@@ -763,21 +763,10 @@ to the external API. The CSS is shared by all tenants within the cluster.
 Application Developers do reference it in a <code>ExternalSecret</code> but can not create
 a ClusterSecretStores or SecretStores on their own. Now all application
 developers have access to all the secrets. You probably want to limit access to
-certain keys or prefixes that should be used. ESO provides a very simple
-mechanic to limit access to certain keys on a namespace basis by using
-annotations on the <code>Kind=Namespace</code> resource. More advanced validation should be
+certain keys or prefixes that should be used. ESO does not provide a mechanic
+to limit access to certain keys per namespace. More advanced validation should be
 done with an Admission Webhook, e.g. with <a href="https://kyverno.io/">Kyverno</a> or
 <a href="https://www.openpolicyagent.org/">Open Policy Agent</a>).</p>
-<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
-<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Namespace</span>
-<span class="nt">metadata</span><span class="p">:</span>
-  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">team-a</span>
-  <span class="nt">annotations</span><span class="p">:</span>
-    <span class="c1"># annotation that defines which keys can be read</span>
-    <span class="c1"># the annotation value is a regular expression</span>
-    <span class="nt">external-secrets.io/permitted-key-name</span><span class="p">:</span> <span class="s">&quot;a/development/*&quot;</span>
-</pre></div>
-
 <p>This setup suites well if you have one central bucket that contains all of your
 secrets and your Cluster Administrators should manage access to it. This setup
 is very simple but does not scale very well.</p>
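Review bot: In the rewritten sentence, "More advanced validation should be done with an Admission Webhook" still reads as a step up from a built-in mechanism, but the added line just before it now says ESO provides none. Drop "More advanced" so the paragraph states plainly that the admission webhook is the control this guide relies on to keep tenants of a shared ClusterSecretStore away from each other's keys. While touching the paragraph: the ")" after the Open Policy Agent link has no opening parenthesis, and "suites well" in the following context paragraph should be "suits well".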

+ 0 - 12
provider-aws-parameter-store/index.html

@@ -854,18 +854,6 @@ Please estimate your costs before using ESO. Cost depends on the RefreshInterval
 <li>Directly provide AWS credentials to the External Secrets Operator pod by using environment variables.</li>
 </ul>
 <p>Additionally, before fetching a secret from a store, ESO is able to assume role (as a proxy so to speak). It is advisable to use multiple roles in a multi-tenant environment.</p>
-<p>You can limit the range of roles which can be assumed by this particular namespace by using annotations on the namespace resource. The annotation value is evaluated as a regular expression.</p>
-<div class="admonition bug">
-<p class="admonition-title">Not implemented</p>
-<p>This is currently <strong>not</strong> implemented. Feel free to contribute.</p>
-</div>
-<div class="highlight"><pre><span></span><span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Namespace</span>
-<span class="nt">metadata</span><span class="p">:</span>
-  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">iam-example</span>
-  <span class="nt">annotations</span><span class="p">:</span>
-    <span class="c1"># annotation key is configurable</span>
-    <span class="nt">iam.amazonaws.com/permitted</span><span class="p">:</span> <span class="s">&quot;arn:aws:iam::123456789012:role/foo.*&quot;</span>
-</pre></div>
                 
                   
                 
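Review bot: Removing this paragraph together with its "Not implemented" admonition also removes the only statement on the page that ESO does not limit which roles can be assumed for a given namespace. What remains, "It is advisable to use multiple roles in a multi-tenant environment", gives no hint that this separation is not enforced per namespace. Suggest keeping one sentence to that effect rather than dropping the topic entirely.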

+ 0 - 12
provider-aws-secrets-manager/index.html

@@ -853,18 +853,6 @@ way users of the <code>SecretStore</code> can only access the secrets necessary.
 <li>Directly provide AWS credentials to the External Secrets Operator pod by using environment variables.</li>
 </ul>
 <p>Additionally, before fetching a secret from a store, ESO is able to assume role (as a proxy so to speak). It is advisable to use multiple roles in a multi-tenant environment.</p>
-<p>You can limit the range of roles which can be assumed by this particular namespace by using annotations on the namespace resource. The annotation value is evaluated as a regular expression.</p>
-<div class="admonition bug">
-<p class="admonition-title">Not implemented</p>
-<p>This is currently <strong>not</strong> implemented. Feel free to contribute.</p>
-</div>
-<div class="highlight"><pre><span></span><span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Namespace</span>
-<span class="nt">metadata</span><span class="p">:</span>
-  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">iam-example</span>
-  <span class="nt">annotations</span><span class="p">:</span>
-    <span class="c1"># annotation key is configurable</span>
-    <span class="nt">iam.amazonaws.com/permitted</span><span class="p">:</span> <span class="s">&quot;arn:aws:iam::123456789012:role/foo.*&quot;</span>
-</pre></div>
                 
                   
                 

File diff suppressed because it is too large
+ 0 - 0
search/search_index.json


+ 19 - 19
sitemap.xml

@@ -2,97 +2,97 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-21</lastmod>
+     <lastmod>2021-05-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>
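Review bot: Every <loc> in the context lines is the literal string None, so the sitemap carries no usable URL and the only thing this hunk changes is the lastmod date. The site URL looks unset in the docs build; set it, or leave sitemap.xml out of the deploy until it is, since a date-only diff on every deploy adds noise around the wording changes that actually matter in this commit.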


+ 0 - 12
snippets/provider-aws-access/index.html

@@ -682,18 +682,6 @@
 <li>Directly provide AWS credentials to the External Secrets Operator pod by using environment variables.</li>
 </ul>
 <p>Additionally, before fetching a secret from a store, ESO is able to assume role (as a proxy so to speak). It is advisable to use multiple roles in a multi-tenant environment.</p>
-<p>You can limit the range of roles which can be assumed by this particular namespace by using annotations on the namespace resource. The annotation value is evaluated as a regular expression.</p>
-<div class="admonition bug">
-<p class="admonition-title">Not implemented</p>
-<p>This is currently <strong>not</strong> implemented. Feel free to contribute.</p>
-</div>
-<div class="highlight"><pre><span></span><span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Namespace</span>
-<span class="nt">metadata</span><span class="p">:</span>
-  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">iam-example</span>
-  <span class="nt">annotations</span><span class="p">:</span>
-    <span class="c1"># annotation key is configurable</span>
-    <span class="nt">iam.amazonaws.com/permitted</span><span class="p">:</span> <span class="s">&quot;arn:aws:iam::123456789012:role/foo.*&quot;</span>
-</pre></div>
                 
                   
                 
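Review bot: This 12-line removal is identical to the ones in provider-aws-parameter-store/index.html and provider-aws-secrets-manager/index.html, and the path snippets/provider-aws-access suggests this is the shared text they are built from. Any follow-up wording on role assumption should be made once in the snippet source rather than in the three built pages, and reviewed on the source commit named in the "deploy:" message, not on this bot-generated output.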

Some files were not shown because too many files changed in this diff