Sync Secrets
Secrets like registry credentials often need to exist in multiple Namespaces so Pods there have access. Manually duplicating those Secrets is time-consuming and error-prone. This policy copies a Secret called `regcred`, which exists in the `default` Namespace, to new Namespaces when they are created. It also pushes updates to the copied Secrets if the source Secret changes.
Policy Definition
/other/sync-secrets/sync-secrets.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secrets
  annotations:
    policies.kyverno.io/title: Sync Secrets
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Secret
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Secrets like registry credentials often need to exist in multiple
      Namespaces so Pods there have access. Manually duplicating those Secrets
      is time consuming and error prone. This policy will copy a
      Secret called `regcred` which exists in the `default` Namespace to
      new Namespaces when they are created. It will also push updates to
      the copied Secrets should the source Secret be changed.
spec:
  rules:
  - name: sync-image-pull-secret
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: v1
      kind: Secret
      name: regcred
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        namespace: default
        name: regcred
```
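To check the two behaviours the policy describes (a `regcred` copy in each Namespace, kept identical to the source in `default`), here is an added audit example; it is not part of the Kyverno policy library. It assumes the input is the parsed JSON of `kubectl get secrets -A -o json`; the function name `audit_sync` and the sample data are constructed for illustration.

```python
import json

SOURCE_NS, SECRET_NAME = "default", "regcred"  # values from the policy's clone block

def audit_sync(namespaces, secret_list):
    """Classify each Namespace as 'synced', 'missing' or 'drifted' against the source Secret.

    namespaces:  iterable of Namespace names to check
    secret_list: parsed List object in the shape of `kubectl get secrets -A -o json`
    """
    copies = {
        item["metadata"]["namespace"]: item
        for item in secret_list.get("items", [])
        if item["metadata"]["name"] == SECRET_NAME
    }
    source = copies.get(SOURCE_NS)
    if source is None:
        raise LookupError(f"source Secret {SOURCE_NS}/{SECRET_NAME} not found")
    report = {}
    for ns in namespaces:
        if ns == SOURCE_NS:
            continue  # the source itself is not a copy
        copy = copies.get(ns)
        if copy is None:
            report[ns] = "missing"
        elif (copy.get("type"), copy.get("data")) != (source.get("type"), source.get("data")):
            report[ns] = "drifted"  # copy exists but no longer matches the source
        else:
            report[ns] = "synced"
    return report

# Constructed sample input; the base64 values are placeholders, not real credentials.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "regcred", "namespace": "default"},
  "type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": "djI="}},
 {"metadata": {"name": "regcred", "namespace": "team-a"},
  "type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": "djI="}},
 {"metadata": {"name": "regcred", "namespace": "team-b"},
  "type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": "djE="}},
 {"metadata": {"name": "other", "namespace": "legacy"},
  "type": "Opaque", "data": {}}
]}
""")

if __name__ == "__main__":
    result = audit_sync(["default", "team-a", "team-b", "legacy"], SAMPLE)
    for ns, state in sorted(result.items()):
        print(f"{ns}: {state}")
```

A `missing` result can also appear for Namespaces created before the policy was installed, since the page describes the copy as happening when new Namespaces are created.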