#ask-the-community

Geert

02/06/2024, 6:37 PM
Hi 👋 is there a recommended approach to securing project/user-specific secrets? As I understand Flyte does not come with RBAC. We have set up authentication with an IdP, and Secrets are logically separated through namespaces, but what is stopping a user from running a workflow in a different project and extracting all secrets?

Andy Czerwonka

02/06/2024, 6:49 PM
I’m also interested in this answer, mostly in the context of running a multi-tenant architecture.

Geert

02/06/2024, 7:21 PM
Pasting some context I found for reference, it seems this has been a need for many years already:
• https://github.com/flyteorg/flyte/issues/555#issuecomment-874085422
• https://discuss.flyte.org/t/15995921/unr3c6y4t-and-unw4vp36v-i-have-a-question-about-the-okta-set
• Oldest issue I could find on this by @honnix

I think currently there is no way to secure secrets on Flyte on a more fine-grained level than at cluster level, but maybe we can share some ideas?
We would just need something simple and lightweight in our org, I'm thinking of trialing a gRPC interceptor

Andy Czerwonka

02/06/2024, 7:50 PM
Then how does multi-tenancy work? The docs speak to it as a first-class feature.

honnix

02/06/2024, 8:07 PM
Internally we have an authentication/authorization gateway sitting in front of flyteadmin, handling this type of thing. The gateway connects to flyteadmin using a static key, so any other direct connection to flyteadmin will not pass flyteadmin auth. Just food for thought.