How-To: Limit the secrets that can be read from secret stores
In addition to scoping which applications can access a given component, for example a secret store component (see Scoping components), a named secret store component itself can be scoped to one or more secrets for an application. By defining allowedSecrets and/or deniedSecrets lists, applications can be restricted to access only specific secrets.
Follow these instructions to define a configuration CRD.
The secrets section under the Configuration spec contains the following properties:
The following table lists the properties for secret scopes:
The allowedSecrets and deniedSecrets list values take priority over the defaultAccess setting.
Scenario | defaultAccess | allowedSecrets | deniedSecrets | Permissions
---|---|---|---|---
1 - Only default access | deny/allow | empty | empty | deny/allow
2 - Default deny with allowed list | deny | ["s1"] | empty | only "s1" can be accessed
3 - Default allow with denied list | allow | empty | ["s1"] | only "s1" cannot be accessed
4 - Default allow with allowed list | allow | ["s1"] | empty | only "s1" can be accessed
5 - Default deny with denied list | deny | empty | ["s1"] | deny
6 - Default deny/allow with both lists | deny/allow | ["s1"] | ["s2"] | only "s1" can be accessed
In a Kubernetes cluster, the native Kubernetes secret store is added to every Dapr application by default. In some scenarios it may be necessary to deny an application access to Dapr secrets. To add this configuration, follow the steps below:
Define the following appconfig.yaml and apply it to the Kubernetes cluster using the command kubectl apply -f appconfig.yaml.
For applications that need to be denied access to the Kubernetes secret store, follow these instructions and add the following annotation to the application pod.
To allow a Dapr application to have access to only certain secrets, define the following configuration:
This example defines configuration for a secret store named vault. The default access to the secret store is deny, while some secrets are accessible by the application based on the allowedSecrets list. Follow these instructions to apply the configuration to the sidecar.
Define the following config.yaml:
The configuration above explicitly denies access to secret1 and from the secret store named vault, but allows access to all other secrets. Follow these instructions to apply the configuration to the sidecar.
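As an added example (not a YAML file from the original page or the Dapr project), the following single Configuration CRD combines the cases discussed above: the built-in Kubernetes store is denied outright, the vault store uses default deny with an allow list, and a third store uses default allow with a deny list. The Configuration name appconfig, the store name localsecrets and all secret names are assumed for illustration.

```yaml
# Constructed example. Apply with: kubectl apply -f appconfig.yaml
# Reference it from the application pod with the annotation
#   dapr.io/config: "appconfig"
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: appconfig
  namespace: default
spec:
  secrets:
    scopes:
      # Scenario 1 from the table: defaultAccess only, no lists.
      # The native Kubernetes store ("kubernetes") is blocked entirely
      # for this application, so it cannot read arbitrary cluster secrets.
      - storeName: kubernetes
        defaultAccess: deny

      # Scenario 2: default deny with an allow list. Only the two named
      # secrets (assumed names) can be read from the store named vault;
      # every other key in vault is rejected by the sidecar.
      - storeName: vault
        defaultAccess: deny
        allowedSecrets: ["db-password", "api-signing-key"]

      # Scenario 3: default allow with a deny list. Everything in the
      # (assumed) localsecrets store is readable except the listed keys.
      # Because the lists take priority over defaultAccess, listing a key
      # here denies it even though the store defaults to allow.
      - storeName: localsecrets
        defaultAccess: allow
        deniedSecrets: ["root-token", "legacy-admin-password"]
```

Prefer the default-deny form (scenario 2) for stores holding high-value credentials: a new secret added to the store later is not exposed until it is explicitly added to allowedSecrets, whereas with default allow it is readable until someone remembers to deny it.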