Credential Scope
When more than one credential could apply to a resource, the operator uses the most specific one: resource scope takes precedence over namespace scope, which takes precedence over global scope.
Global scope
Warning
Be careful when using the global scope credential. Any user who can create ASO resources in any namespace of your cluster can do everything that the global credential can do, in whichever subscription it is authorized for. As a security best practice we recommend using namespace scoped or resource scoped credentials. See security best practices for more details.

The global credential resides in the aso-controller-settings secret, which is deployed as part of the operator deployment in the operator's namespace.
This is the scope that is configured when credentials are supplied through the Helm chart installation.
When updating the aso-controller-settings secret, you must restart the operator pod for the updated secret to take effect.
Note: The aso-controller-settings secret must exist, but the global credential portion of the secret is optional. If you do not wish to use a global credential, you must still provide the secret with empty values for the AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, and AZURE_TENANT_ID keys.
Namespace scope
A secret named aso-credential in a Kubernetes namespace configures the credential for all resources in that namespace, overriding the global credential. This credential can be in a different tenant or subscription than the global credential.
Resource scope
A secret with any name can be referenced by the serviceoperator.azure.com/credential-from annotation. Set this annotation on each resource to configure the credential used for that resource. The secret containing the credential must be in the same Kubernetes namespace as the resource, but may be in a different tenant or subscription than both the global credential and the per-namespace credential. Multiple resources may refer to the same secret.
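The manifest below is an added example, not from the ASO project's own docs, showing all three scopes described above (global, namespace and resource) side by side so the precedence is visible on concrete objects. The operator namespace and deployment name, the team namespace, the AZURE_CLIENT_SECRET key, the ResourceGroup kind and its API version, and every ID value are assumptions or placeholders chosen for illustration; substitute your own.

```yaml
# Added example (not ASO project code). Placeholders and assumed names are
# marked inline. Apply with: kubectl apply -f credential-scopes.yaml

# 1. Global scope: the aso-controller-settings secret in the operator's namespace.
#    After changing it, restart the operator pod so it is re-read, e.g.
#    kubectl rollout restart deployment/azureserviceoperator-controller-manager \
#      -n azureserviceoperator-system        # assumed deployment/namespace names
apiVersion: v1
kind: Secret
metadata:
  name: aso-controller-settings
  namespace: azureserviceoperator-system     # assumed operator namespace
stringData:
  # These three keys must exist; leave the values empty ("") to disable the
  # global credential entirely.
  AZURE_SUBSCRIPTION_ID: "00000000-0000-0000-0000-000000000000"   # placeholder
  AZURE_TENANT_ID: "00000000-0000-0000-0000-000000000000"         # placeholder
  AZURE_CLIENT_ID: "00000000-0000-0000-0000-000000000000"         # placeholder
  AZURE_CLIENT_SECRET: "replace-me"   # assumed key name for service-principal auth
---
# 2. Namespace scope: a secret named exactly aso-credential in the workload
#    namespace. Every ASO resource in team-a without a resource-scoped
#    annotation uses this identity, overriding the global one. It may point at a
#    different tenant/subscription than the global credential.
apiVersion: v1
kind: Secret
metadata:
  name: aso-credential
  namespace: team-a                           # assumed workload namespace
stringData:
  AZURE_SUBSCRIPTION_ID: "11111111-1111-1111-1111-111111111111"   # placeholder
  AZURE_TENANT_ID: "22222222-2222-2222-2222-222222222222"         # placeholder
  AZURE_CLIENT_ID: "33333333-3333-3333-3333-333333333333"         # placeholder
  AZURE_CLIENT_SECRET: "replace-me"   # assumed key name
---
# 3. Resource scope: any secret name, but it MUST live in the same namespace as
#    the resource that references it.
apiVersion: v1
kind: Secret
metadata:
  name: finance-subscription-credential       # arbitrary name, assumed here
  namespace: team-a
stringData:
  AZURE_SUBSCRIPTION_ID: "44444444-4444-4444-4444-444444444444"   # placeholder
  AZURE_TENANT_ID: "55555555-5555-5555-5555-555555555555"         # placeholder
  AZURE_CLIENT_ID: "66666666-6666-6666-6666-666666666666"         # placeholder
  AZURE_CLIENT_SECRET: "replace-me"   # assumed key name
---
# No annotation: resolved with the namespace credential (aso-credential in team-a).
apiVersion: resources.azure.com/v1api20200601   # assumed ASO kind/version
kind: ResourceGroup
metadata:
  name: rg-team-a
  namespace: team-a
spec:
  location: westeurope
---
# With the annotation: resolved with finance-subscription-credential, which
# takes precedence over both the namespace and the global credential.
apiVersion: resources.azure.com/v1api20200601   # assumed ASO kind/version
kind: ResourceGroup
metadata:
  name: rg-finance
  namespace: team-a
  annotations:
    serviceoperator.azure.com/credential-from: finance-subscription-credential
spec:
  location: westeurope
```

Because the resource-scoped secret and the resource must share a namespace, anyone with permission to create Secrets and ASO resources in team-a can pick which of the namespace's credentials each resource uses; RBAC on Secrets in that namespace is therefore part of the credential boundary.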