Incomplete restrict secret permissions description

[joebowbeer]

The existing documentation for restricting secret access is misleading, as it implies that access to secrets can be (completely) restricted by enabling secret permission restrictions for keda-operator and metricServer.

In addition to improving the documentation, it would be helpful if the docs explained how to update the helm chart in order to completely restrict access.

I installed the KEDA helm chart v2.13.1 with all secret restrictions enabled

  permissions:
    operator:
      restrict:
        secret: true
    metricServer:
      restrict:
        secret: true

but keda-operator still has "get" access to all secrets by way of a different rule in the keda-operator ClusterRole:

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get

Discussion: kedacore/keda#4730

Related: kedacore/keda-docs#1307

Expected Behavior

kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
no

Actual Behavior

kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
yes

Steps to Reproduce the Problem

1. Install KEDA helm chart
2. Enable secret restrictions for keda-operator and metricServer
3. Run kubectl auth can-i get secrets

Specifications

• KEDA Version: 2.13.0

[JorTurFer]

Let's discuss the topic in the docs repo issue to not duplicate the threads: kedacore/keda-docs#1307