Hi 👋 is there a recommended approach to securing project/user-specific secrets? As I understand Flyte does not come with RBAC. We have set up authentication with an IdP, and Secrets are logically separated through namespaces, but what is stopping a user from running a workflow in a different project and extracting all secrets?

I’m also interested in this answer, mostly in the context or running a multi-tenant architecture.

Pasting some context I found for reference, it seems this has been a need for many years already • https://github.com/flyteorg/flyte/issues/555#issuecomment-874085422 • https://discuss.flyte.org/t/15995921/unr3c6y4t-and-unw4vp36v-i-have-a-question-about-the-okta-set • Oldest issue I could find on this by @steep-jackal-21573 I think currently there is no way to secure secrets on Flyte on a more fine-grained level than at cluster level, but maybe we can share some ideas?

Then how does multi-tenancy work? I docs speak to it as a first-class feature.

Internally we have an authentication/authorization gateway sitting in front of flyteadmin, handling this type of things. The gateway connects to flyteadmin using a static key, so any other direct connect to flyteadmin will no pass flyteadmin auth. Just food for thought.