SharedSecret allows a Secret to be shared across namespaces. Pods can mount the shared Secret by adding a CSI volume to the pod specification using the "csi.sharedresource.openshift.io" CSI driver and a reference to the SharedSecret in the volume attributes:
spec: volumes: - name: shared-secret csi: driver: csi.sharedresource.openshift.io volumeAttributes: sharedSecret: my-share
For the mount to be successful, the pod’s service account must be granted permission to 'use' the named SharedSecret object within its namespace with an appropriate Role and RoleBinding. For compactness, here are example oc
invocations for creating such Role and RoleBinding objects.
oc create role shared-resource-my-share --verb=use --resource=sharedsecrets.sharedresource.openshift.io --resource-name=my-share
oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:default
Shared resource objects, in this case Secrets, have default permissions of list, get, and watch for system authenticated users.
Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. These capabilities should not be used by applications needing long term support.