Add Admission Controller to enforce Namespace Annotations for External Secrets

[skomp]

We don't currently set any namespace annotations for external secrets but should provide a sensible default.

Use Case

When adding a namespace, we should automatically add a namespace annotation for external secrets with a proper scope to a path in the AWS Secrets Manager.

Proposed Solution

Implement an admission controller that whenever a namespace is created, attaches an annotation for external secrets and also checks that no more external secrets annotations are added. For instance, when creating namespace a, an external secrets annotation to give access to secrets with the prefix /k8s/a/.* as well as an annotation allowing for global secrets, e.g., /k8s/global/.*.

Other

This might serve as an inspiration: https://aws.amazon.com/blogs/containers/building-serverless-admission-webhooks-for-kubernetes-with-aws-sam/

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[github-actions]

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon.

[github-actions]

Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen.