helm-external-secrets/site/guides-multi-tenancy/index.html

<!doctype html>
<html lang="en" class="no-js">
  <head>
    
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      
      
      
      
      <link rel="icon" href="../assets/images/favicon.png">
      <meta name="generator" content="mkdocs-1.1, mkdocs-material-7.1.8">
    
    
      
        <title>Multi Tenancy - External Secrets Operator</title>
      
    
    
      <link rel="stylesheet" href="../assets/stylesheets/main.ca7ac06f.min.css">
      
        
        <link rel="stylesheet" href="../assets/stylesheets/palette.f1a3b89f.min.css">
        
      
    
    
    
      
        
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
        <style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
      
    
    
    
    
      

  


  

  


  <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){"undefined"!=typeof location$&&location$.subscribe(function(t){gtag("config","G-QP38TD8K7V",{page_path:t.pathname})})})</script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V"></script>


    
    
  </head>
  
  
    
    
    
    
    
    <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
  
    
    <script>function __prefix(e){return new URL("..",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
    
    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
    <label class="md-overlay" for="__drawer"></label>
    <div data-md-component="skip">
      
        
        <a href="#shared-clustersecretstore" class="md-skip">
          Skip to content
        </a>
      
    </div>
    <div data-md-component="announce">
      
    </div>
    
      <header class="md-header" data-md-component="header">
  <nav class="md-header__inner md-grid" aria-label="Header">
    <a href=".." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>

    </a>
    <label class="md-header__button md-icon" for="__drawer">
      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
    </label>
    <div class="md-header__title" data-md-component="header-title">
      <div class="md-header__ellipsis">
        <div class="md-header__topic">
          <span class="md-ellipsis">
            External Secrets Operator
          </span>
        </div>
        <div class="md-header__topic" data-md-component="header-topic">
          <span class="md-ellipsis">
            
              Multi Tenancy
            
          </span>
        </div>
      </div>
    </div>
    
    
    
      <label class="md-header__button md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
      </label>
      
<div class="md-search" data-md-component="search" role="dialog">
  <label class="md-search__overlay" for="__search"></label>
  <div class="md-search__inner" role="search">
    <form class="md-search__form" name="search">
      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" data-md-state="active" required>
      <label class="md-search__icon md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
      </label>
      <button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
      </button>
    </form>
    <div class="md-search__output">
      <div class="md-search__scrollwrap" data-md-scrollfix>
        <div class="md-search-result" data-md-component="search-result">
          <div class="md-search-result__meta">
            Initializing search
          </div>
          <ol class="md-search-result__list"></ol>
        </div>
      </div>
    </div>
  </div>
</div>
    
    
      <div class="md-header__source">
        
<a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
      </div>
    
  </nav>
</header>
    
    <div class="md-container" data-md-component="container">
      
      
        
      
      <main class="md-main" data-md-component="main">
        <div class="md-main__inner md-grid">
          
            
              
              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    


<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
  <label class="md-nav__title" for="__drawer">
    <a href=".." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>

    </a>
    External Secrets Operator
  </label>
  
    <div class="md-nav__source">
      
<a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
    </div>
  
  <ul class="md-nav__list" data-md-scrollfix>
    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href=".." class="md-nav__link">
        Introduction
      </a>
    </li>
  

    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href="../api-overview/" class="md-nav__link">
        Overview
      </a>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
      
      <label class="md-nav__link" for="__nav_3">
        API Types
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="API Types" data-md-level="1">
        <label class="md-nav__title" for="__nav_3">
          <span class="md-nav__icon md-icon"></span>
          API Types
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-externalsecret/" class="md-nav__link">
        ExternalSecret
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-secretstore/" class="md-nav__link">
        SecretStore
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-clustersecretstore/" class="md-nav__link">
        ClusterSecretStore
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" checked>
      
      <label class="md-nav__link" for="__nav_4">
        Guides
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Guides" data-md-level="1">
        <label class="md-nav__title" for="__nav_4">
          <span class="md-nav__icon md-icon"></span>
          Guides
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-introduction/" class="md-nav__link">
        Introduction
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-getting-started/" class="md-nav__link">
        Getting started
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-templating/" class="md-nav__link">
        Advanced Templating
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-controller-class/" class="md-nav__link">
        Controller Classes
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-all-keys-one-secret/" class="md-nav__link">
        All keys, One secret
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-common-k8s-secret-types/" class="md-nav__link">
        Common K8S Secret Types
      </a>
    </li>
  

          
            
  
  
    
  
  
    <li class="md-nav__item md-nav__item--active">
      
      <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
      
      
      
        <label class="md-nav__link md-nav__link--active" for="__toc">
          Multi Tenancy
          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <a href="./" class="md-nav__link md-nav__link--active">
        Multi Tenancy
      </a>
      
        
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#shared-clustersecretstore" class="md-nav__link">
    Shared ClusterSecretStore
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#managed-secretstore-per-namespace" class="md-nav__link">
    Managed SecretStore per Namespace
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#eso-as-a-service" class="md-nav__link">
    ESO as a Service
  </a>
  
</li>
      
    </ul>
  
</nav>
      
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-metrics/" class="md-nav__link">
        Metrics
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-using-latest-image/" class="md-nav__link">
        Using Latest Image
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-gitops-using-fluxcd/" class="md-nav__link">
        GitOps using FluxCD
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
      
      <label class="md-nav__link" for="__nav_5">
        Provider
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Provider" data-md-level="1">
        <label class="md-nav__title" for="__nav_5">
          <span class="md-nav__icon md-icon"></span>
          Provider
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_1" type="checkbox" id="__nav_5_1" >
      
      <label class="md-nav__link" for="__nav_5_1">
        AWS
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="AWS" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_1">
          <span class="md-nav__icon md-icon"></span>
          AWS
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-aws-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-aws-parameter-store/" class="md-nav__link">
        Parameter Store
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_2" type="checkbox" id="__nav_5_2" >
      
      <label class="md-nav__link" for="__nav_5_2">
        Azure
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Azure" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_2">
          <span class="md-nav__icon md-icon"></span>
          Azure
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-azure-key-vault/" class="md-nav__link">
        Key Vault
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_3" type="checkbox" id="__nav_5_3" >
      
      <label class="md-nav__link" for="__nav_5_3">
        Google
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Google" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_3">
          <span class="md-nav__icon md-icon"></span>
          Google
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-google-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_4" type="checkbox" id="__nav_5_4" >
      
      <label class="md-nav__link" for="__nav_5_4">
        IBM
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="IBM" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_4">
          <span class="md-nav__icon md-icon"></span>
          IBM
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-ibm-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-akeyless/" class="md-nav__link">
        Akeyless
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-hashicorp-vault/" class="md-nav__link">
        HashiCorp Vault
      </a>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_7" type="checkbox" id="__nav_5_7" >
      
      <label class="md-nav__link" for="__nav_5_7">
        Yandex
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Yandex" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_7">
          <span class="md-nav__icon md-icon"></span>
          Yandex
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-yandex-lockbox/" class="md-nav__link">
        Lockbox
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_8" type="checkbox" id="__nav_5_8" >
      
      <label class="md-nav__link" for="__nav_5_8">
        Gitlab
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Gitlab" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_8">
          <span class="md-nav__icon md-icon"></span>
          Gitlab
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-gitlab-project-variables/" class="md-nav__link">
        Gitlab Project Variables
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_9" type="checkbox" id="__nav_5_9" >
      
      <label class="md-nav__link" for="__nav_5_9">
        Oracle
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Oracle" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_9">
          <span class="md-nav__icon md-icon"></span>
          Oracle
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-oracle-vault/" class="md-nav__link">
        Oracle Vault
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-webhook/" class="md-nav__link">
        Webhook
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
      
      <label class="md-nav__link" for="__nav_6">
        References
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="References" data-md-level="1">
        <label class="md-nav__title" for="__nav_6">
          <span class="md-nav__icon md-icon"></span>
          References
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../spec/" class="md-nav__link">
        API specification
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
      
      <label class="md-nav__link" for="__nav_7">
        Contributing
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Contributing" data-md-level="1">
        <label class="md-nav__title" for="__nav_7">
          <span class="md-nav__icon md-icon"></span>
          Contributing
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-devguide/" class="md-nav__link">
        Developer guide
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-process/" class="md-nav__link">
        Contributing Process
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-coc/" class="md-nav__link">
        Code of Conduct
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href="../deprecation-policy/" class="md-nav__link">
        Deprecation Policy
      </a>
    </li>
  

    
  </ul>
</nav>
                  </div>
                </div>
              </div>
            
            
              
              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#shared-clustersecretstore" class="md-nav__link">
    Shared ClusterSecretStore
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#managed-secretstore-per-namespace" class="md-nav__link">
    Managed SecretStore per Namespace
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#eso-as-a-service" class="md-nav__link">
    ESO as a Service
  </a>
  
</li>
      
    </ul>
  
</nav>
                  </div>
                </div>
              </div>
            
          
          <div class="md-content" data-md-component="content">
            <article class="md-content__inner md-typeset">
              
                
                  <a href="https://github.com/external-secrets/external-secrets/edit/master/docs/guides-multi-tenancy.md" title="Edit this page" class="md-content__button md-icon">
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
                  </a>
                
                
                  <h1>Multi Tenancy</h1>
                
                <p>External Secrets Operator provides different modes of operation to fulfill
ogranizational needs. This guide outlines the flexibility of ESO and should give
you a first impression of how you can employ this operator in your organization.</p>
<p>For a multi-tenant deployment you should first examine your organizational
structure:</p>
<ol>
<li>what roles (i.e. <em>Application Developers</em>, <em>Cluster Admins</em>, ...) do you have
   in your organization,</li>
<li>what responsibilities do they have and</li>
<li>how does that map to Kubernetes RBAC roles.</li>
</ol>
<p>Further, you should examine how your external API provider manages access
control for your secrets. Can you limit access by secret names (e.g.
<code>db/dev/*</code>)? Or only on a bucket level? Please keep in mind that not all
external APIs provide fine-grained access management for secrets.</p>
<p><strong>Note:</strong> The following examples should <strong>not</strong> be considered as best practice
but rather as a example to show how to combine different mechanics and
techniques for tenant isolation.</p>
<h3 id="shared-clustersecretstore">Shared ClusterSecretStore</h3>
<p><img alt="Shared CSS" src="../pictures/diagrams-multi-tenancy-shared.png" /></p>
<p>A Cluster Administrator deploys a <code>ClusterSecretStore</code> (CSS) and manages access
to the external API. The CSS is shared by all tenants within the cluster.
Application Developers do reference it in a <code>ExternalSecret</code> but can not create
a ClusterSecretStores or SecretStores on their own. Now all application
developers have access to all the secrets. You probably want to limit access to
certain keys or prefixes that should be used. ESO does not provide a mechanic
to limit access to certain keys per namespace. More advanced validation should be
done with an Admission Webhook, e.g. with <a href="https://kyverno.io/">Kyverno</a> or
<a href="https://www.openpolicyagent.org/">Open Policy Agent</a>).</p>
<p>This setup suites well if you have one central bucket that contains all of your
secrets and your Cluster Administrators should manage access to it. This setup
is very simple but does not scale very well.</p>
<h3 id="managed-secretstore-per-namespace">Managed SecretStore per Namespace</h3>
<p><img alt="Shared CSS" src="../pictures/diagrams-multi-tenancy-managed-store.png" /></p>
<p>Cluster Administrators manage one or multipe <code>SecretStores</code> per Namespace. Each
SecretStore uses it's own <em>role</em> that limits access to a small set of keys. The
peculiarity of this is approach is, that <strong>access is actually managed by the
external API</strong> which provides the roles. The Cluster Administrator does just the
wiring. This approach may be desirable if you have an external entity - let's
call it <strong>Secret Administrator</strong> - that manages access and lifecycle of the
secrets.</p>
<h3 id="eso-as-a-service">ESO as a Service</h3>
<p><img alt="Shared CSS" src="../pictures/diagrams-multi-tenancy-self-service.png" /></p>
<p>Every namespace is self-contained. Application developers manage <code>SecretStore</code>,
<code>ExternalSecret</code> and secret infrastructure on their own. Cluster Administrators
<em>just</em> provide the External Secrets Operator as a service.</p>
<p>This makes sense if application developers should be completely autonomous while
a central team provides common services.</p>
                
              
              
                


              
            </article>
          </div>
        </div>
        
      </main>
      
        
<footer class="md-footer">
  
    <nav class="md-footer__inner md-grid" aria-label="Footer">
      
        
        <a href="../guides-common-k8s-secret-types/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Common K8S Secret Types" rel="prev">
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
          </div>
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Previous
              </span>
              Common K8S Secret Types
            </div>
          </div>
        </a>
      
      
        
        <a href="../guides-metrics/" class="md-footer__link md-footer__link--next" aria-label="Next: Metrics" rel="next">
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Next
              </span>
              Metrics
            </div>
          </div>
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
          </div>
        </a>
      
    </nav>
  
  <div class="md-footer-meta md-typeset">
    <div class="md-footer-meta__inner md-grid">
      <div class="md-footer-copyright">
        
        Made with
        <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
          Material for MkDocs
        </a>
        
      </div>
      
    </div>
  </div>
</footer>
      
    </div>
    <div class="md-dialog" data-md-component="dialog">
      <div class="md-dialog__inner md-typeset"></div>
    </div>
    <script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.b0710199.min.js", "version": {"provider": "mike"}}</script>
    
    
      <script src="../assets/javascripts/bundle.76f349be.min.js"></script>
      
    
  </body>
</html>