The ClusterRole that the operator service account is associated with grants full access to cluster secrets. Unless I am misinterpreting something, this feels like a security concern. What does Tyk Operator do with secrets in the cluster?
Replies: 1 comment
Hi @illinar Thanks. We need these secrets so that we can perform TLS termination at the Gateway (ingress). Soon, we will also introduce automatic mTLS in the Operator too.

We are watching secrets of `kubernetes.io/tls` type and loading them into Tyk's certificate storage if they are referenced by a Tyk custom resource (`ApiDefinition`). We attach a finalizer to them so that if / when the Secret is deleted, we can remove that cert from Tyk's certificate store when the certificate is deleted.

I need to investigate properly, but maybe we only need `list`, `watch`, `get`, `update`. We could possibly remove `create`, `patch`, `delete` permissions. #276
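As an added illustration of the narrowing proposed in the reply above (this is not the Tyk Operator's own manifest; the role name `tyk-operator-secrets` and the namespace are assumptions), here is the broad Secret rule beside the reduced one. The reduced rule keeps `update` because removing a finalizer is a write to the Secret's metadata, while `create` and `delete` are not needed to watch and load certificates.

```yaml
# Added example, not taken from the Tyk Operator repository.
# Before: full access to Secrets cluster-wide (the concern raised in the question).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tyk-operator-secrets   # assumed name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "patch", "delete", "list", "watch", "get", "update"]
---
# After: only what the watch + finalizer workflow described above needs.
#   list/watch  - the informer cache for kubernetes.io/tls Secrets
#   get         - resolve a Secret referenced by an ApiDefinition
#   update      - add/remove the finalizer on the Secret's metadata
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tyk-operator-secrets   # assumed name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "watch", "get", "update"]
---
# Binding the reduced role to the operator's service account
# (service account name and namespace are assumptions).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tyk-operator-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tyk-operator-secrets
subjects:
  - kind: ServiceAccount
    name: tyk-operator-controller-manager   # assumed name
    namespace: tyk-operator-system          # assumed namespace
```

A quick way to confirm the effect after applying the reduced role is `kubectl auth can-i delete secrets --as=system:serviceaccount:tyk-operator-system:tyk-operator-controller-manager`, which should now answer `no` while `get`, `list`, `watch` and `update` still answer `yes`. Note that RBAC cannot filter a `list`/`watch` by Secret type, so the operator will still be able to read non-TLS Secrets in the cache; the verb reduction limits what it can change, not what it can observe.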