Mounting ConfigMaps and Secrets Across Namespaces

In some scenarios (for example, sidecar injection), ConfigMaps or secrets in other namespaces may need to be mounted to service pods. With the CCE Cloud Bursting Engine for CCI add-on, you only need to specify the namespaces and ConfigMap or secret names to mount ConfigMaps or secrets in other namespaces to volumes. This simplifies configurations and avoids repeated maintenance of cross-namespace resources.

Constraints

If this function is enabled, ConfigMaps and secrets in other namespaces can be mounted to pods. This breaks the Kubernetes namespace isolation. You must assess the security risks before enabling this function.
You are advised to enable this function only when the forcible scheduling policy is used. If a pod is scheduled to a CCE node, this function cannot be implemented, which may cause pod startup failures.
The add-on version must be v1.5.65 or later. If the add-on version is earlier than v1.5.65, you need to upgrade the add-on.

Procedure

Log in to the CCE console.
Click the name of the target CCE cluster to go to the cluster Overview page.
In the navigation pane, choose Add-ons.
Select the CCE Cloud Bursting Engine for CCI add-on and click Edit.
In the upper left corner, click Edit YAML.
Set enableCrossNamespaceMounting to true and click Submit.

Configure Volume and set the name fields of the referenced resources in the namespace/name format to reference ConfigMaps or secrets in other namespaces.

The following is an example:

volumes:
  - name: volume1
    configMap:
      name: monitoring/prometheus-config
  - name: volume2
    secret:
      secretName: monitoring/prometheus-secret
  - name: volume3
    projected:
      sources:
      - configMap:
          name: monitoring/prometheus-config
      - secret:
          name: monitoring/prometheus-secret

Parent Topic: Storage

Previous topic: Storage

Next topic: Logging