Allow namespace-use-role access to secrets

[spiffxp]

Putting this up to ask the question: why are cluster admins the only
people allowed to create secrets? I personally would rather delegate
control of a namespace's resource, including its secrets, to the rbac
group.

Bumped into this while helping @ameukam setup triage-party here: https://github.com/kubernetes/k8s.io/pull/967/files#r445789688

/cc @cblecker @thockin @dims

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[spiffxp]

/hold
for comment from requested reviewers

[thockin]

We left Secret out because we thought a) the vast vast majority of use-cases was for TLS certs, which cert-manager handles and b) it was risky for people to exfiltrate TLS certs for something.k8s.io. Maybe that's overly-paranoid? It was a case of "we can add it if we need it. I don't object to adding it back in, but it is unfortunate that we can't easily get finer-grained than that.

…

On Mon, Jun 29, 2020 at 3:33 PM Aaron Crickenberger < ***@***.***> wrote: /hold for comment from requested reviewers — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#988 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVEUM6BOQOOUMETF6G3RZEJFBANCNFSM4OLUYBLQ> .

[cblecker]

If we already provide list, folks can already exfiltrate secrets. If we want to allow management, but not the ability to view, we could allow create/patch/delete.

[dims]

@spiffxp do we still need this?

[spiffxp]

/close
I'll close this for now. If I have time I'll play around with my alternate account to confirm @cblecker's suggestion. I get the exfiltration of certs concern. Still seems like the status quo leaves us awfully bottlenecked on a few cluster admins.

[k8s-ci-robot]

@spiffxp: Closed this PR.

In response to this:

/close
I'll close this for now. If I have time I'll play around with my alternate account to confirm @cblecker's suggestion. I get the exfiltration of certs concern. Still seems like the status quo leaves us awfully bottlenecked on a few cluster admins.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.