Add "tenant-scoped" mode to External Secrets Operator

[asmaoune]

Is your feature request related to a problem? Please describe.
In a multi-tenant environment using External Secrets Operator (ESO), we face a limitation with the current deployment modes. ESO currently supports two modes:

Cluster-wide: which manages all namespaces in the cluster
Namespace-scoped: limited to a single specific namespace

This creates a challenge in multi-tenant environments where a tenant owns multiple namespaces. We are forced to either deploy one ESO per namespace (creating operational overhead) or use cluster-wide mode (which create security and isolation issues between tenants).

Describe the solution you'd like
I propose adding a third deployment mode: tenant-scoped mode that would allow:

1. Deploying a single ESO instance in a dedicated namespace for each tenant
2. Configuring this ESO to manage all namespaces belonging to that tenant, identified via specific labels
3. Maintaining isolation between tenants while simplifying management

Specifically, this would involve:

• Adding a tenant-scoped configuration option in the Helm chart and deployment options
• Implementing namespace filtering logic based on labels to identify those belonging to the tenant
• Setting up appropriate RBAC permissions to allow the ESO instance to operate only on the tenant's namespaces

Describe alternatives you've considered
Deploying one ESO per namespace: a functional solution but generates significant resource consumption and operational complexity (many instances to maintain).

Additional context
Concrete usage example:

• Tenant namespace: app-tenant-a (with label: tenant=a)
• Tenant's ESO namespace: eso-tenant-a
• ESO deployed in eso-tenant-a automatically manages all namespaces with the label tenant=a

This feature aligns with the trend of multi-tenant architectures on Kubernetes and would significantly improve the operational experience for teams managing such environments.

[gusfcarvalho]

@asmaoune, hi. There is a reason why we cannot achieve this - CRDs would be shared.

You'll never really have multi-namespace, multi-tenancy isolation without extra tools like vcluster (to which, you can use ESO in cluster mode just fine). You way to go here is indeed using namespaced scoped and bear with the overhead it causes.

significant resource consumption

plus if you're worried with <100mCPU <120MiB per namespace, you have bigger fish to fry 😄

[gusfcarvalho]

Plus - this is easier said than done 😄

Adding a tenant-scoped configuration option in the Helm chart and deployment options
Implementing namespace filtering logic based on labels to identify those belonging to the tenant
Setting up appropriate RBAC permissions to allow the ESO instance to operate only on the tenant's namespaces

What happens when a new namespace is created? we are not provisioning RBAC at all with the operator - it has no powers (and should not have powers) to mess with RBAC. Do you intend to change installation configuration deterministically? If so, this problem is better solved on that layer as opposed to this layer.

From my Experience: You'll need to create a custom external-secrets-operator operator to really make this work 😄. See the thread I'll put below.

[gusfcarvalho]

This is very similar to #4704 😄 I think we should move this discussion over there and close this issue as a duplicate. LMK your thoughts.

[asmaoune]

Installing one ESO per tenant doesn't affect the shared nature of CRDs across the cluster. However, the intent of this solution isn't to isolate CRDs between tenants, but to ensure secret segregation and operational independence for each tenant.

when a namespace is created, we can implement a solution to provision the necessary RBAC to ensure the ESO instance has the correct permissions to manage it.

[gusfcarvalho]

when a namespace is created, we can implement a solution to provision the necessary RBAC to ensure the ESO instance has the correct permissions to manage it.

So there’s nothing to do here 🙂if your concerns are not with isolation, you can just use controller classes. this is now a duplicate of #4626 . As this is the only missing bit (starting informers with custom predicates) (and still probably optional for your use case)

Though I need to say your installation will not be supported if you ever need help 😄

Also just to be clear 👆🏽I mean that because this operator will not ever have RBAC powers over itself. That’s security flaw. This is something custom you’d need to build and maintain it yourself (hopefully, with care)

[asmaoune]

We want isolation between tenants, and alse we aim to implement this solution because we cannot deploy a single ESO to manage all namespaces due to RBAC restrictions in the cluster.

[gusfcarvalho]

We want isolation between tenants, and alse we aim to implement this solution because we cannot deploy a single ESO to manage all namespaces due to RBAC restrictions in the cluster.

Yes, I understand that. However, it’s not like you don’t have a better option which is already provided within the open source package (namespaced install).

I am not a fan of creating another installation method which is implicitly shared (instead of the explicit cluster install) or naturally less secur (instead of namespaced install). The only benefits of this is saving a couple of mCPU, because even custom resources wouldn’t be able to be shared across namespaces anyways (I.e. use a SecretStore in ns-a to create secret in ns-b).
This above also means there is no difference for tenant operations at all!

IMO I simply don’t see benefit to the OSS project at all. It just makes everything more messy.

You’d need to share a lot more about your use case other than “it will spend more resources” for me to understand the real reasoning here 😂

[asmaoune]

@gusfcarvalho There is no ClusterRole involved in our setup.
The ESO service account has zero RBAC permissions by default; all access decisions (get, list, watch, create, update, …) are made by our OPA authorization webhook. OPA grants or denies each request on a per-namespace basis, so ESO can act only inside the namespaces that belong to its tenant.

[gusfcarvalho]

The ESO service account has zero RBAC permissions by default; all access decisions (get, list, watch, create, update, …) are made by our OPA authorization webhook. OPA grants or denies each request on a per-namespace basis, so ESO can act only inside the namespaces that belong to its tenant.

good for you 😄 ! We unfortunately cannot add these flags based on the premises that users using it will have some custom setup for their Auth. And once we add it, we need to support for every single user (including the ones which will not do it).

As I said in the other issue - the supported upstream way for your case is to install ESO instances per namespace (not per tenant) on your cluster.

I believe you will be best served by forking this project and adding your own changes to it.

[asmaoune]

@gusfcarvalho I want to inform you that we have forked the project and added our own changes to it.

[gusfcarvalho]

Awesome! 😃. Is the fork publicly available, by any chance? 🙂