Allow resources to reference a VenafiConnection in another namespace (Preview)

By default, a VenafiConnection resource can only be used by resources that are in the same namespace as that VenafiConnection resource. Alternatively, the `allowReferencesFrom` field in the VenafiConnection definition allows resources from other namespaces to use the VenafiConnection.



Allow a specific namespace to use the VenafiConnection

The following example shows a label selector that allows resources in the application-team-1 namespace to use the VenafiConnection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: jetstack-secure
spec:
  allowReferencesFrom:
    matchLabels:
      "kubernetes.io/metadata.name": application-team-1
...

Allow a VenafiConnection to be used from multiple namespaces

The following example shows a label selector that allows all resources in a specified list of namespaces [application-team-1, application-team-2, application-team-3] to use the VenafiConnection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: jetstack-secure
spec:
  allowReferencesFrom:
    matchExpressions:
      - { key: "kubernetes.io/metadata.name", operator: In, values: [application-team-1, application-team-2, application-team-3] }
...

Allow all namespaces with a label to use the VenafiConnection

The following example shows a label selector that allows all resources in all namespaces with a specified label value to use the VenafiConnection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: jetstack-secure
spec:
  allowReferencesFrom:
    matchLabels:
      namespace-owner: application-team-1
...
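
The following added example (not part of the Venafi documentation or product code) evaluates the three `allowReferencesFrom` selectors shown on this page with standard Kubernetes label-selector semantics against a constructed set of namespaces, so you can see which namespaces each selector admits. The `team-1-staging` and `sandbox` namespaces and all function names are assumptions made for illustration.

```python
# Added example (not Venafi code): Kubernetes label-selector matching,
# applied to constructed namespace labels.
NAME_LABEL = "kubernetes.io/metadata.name"  # set by the API server to the namespace name

def matches(selector, labels):
    """True if labels satisfy a LabelSelector; all requirements are ANDed."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In":
            ok = key in labels and labels[key] in values
        elif op == "NotIn":
            ok = key not in labels or labels[key] not in values
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unknown operator {op!r}")
        if not ok:
            return False
    return True

def ns_labels(name, owner=None):
    """Constructed sample labels for a namespace (owner label is optional)."""
    labels = {NAME_LABEL: name}
    if owner:
        labels["namespace-owner"] = owner
    return labels

# Constructed sample cluster; "team-1-staging" and "sandbox" are hypothetical.
TEAMS = ["application-team-1", "application-team-2", "application-team-3"]
NAMESPACES = {t: ns_labels(t, t) for t in TEAMS}
NAMESPACES["team-1-staging"] = ns_labels("team-1-staging", "application-team-1")
NAMESPACES["sandbox"] = ns_labels("sandbox")

# The three allowReferencesFrom selectors from this page.
SELECTORS = {
    "single": {"matchLabels": {NAME_LABEL: "application-team-1"}},
    "list": {"matchExpressions": [{"key": NAME_LABEL, "operator": "In", "values": TEAMS}]},
    "owner-label": {"matchLabels": {"namespace-owner": "application-team-1"}},
}

def allowed(selector, namespaces):
    """Sorted names of namespaces whose labels match the selector."""
    return sorted(n for n, labels in namespaces.items() if matches(selector, labels))

if __name__ == "__main__":
    for name, sel in SELECTORS.items():
        print(name, allowed(sel, NAMESPACES))
```

The `kubernetes.io/metadata.name` label is set by the Kubernetes API server to the namespace's name and cannot be changed, whereas a custom label such as `namespace-owner` can be set by anyone permitted to update Namespace objects, so the third selector admits every namespace that carries that label.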
