How-To: Scope components to one or more applications

Limit component access to particular Dapr instances

Dapr components are namespaced (separate from the Kubernetes namespace concept), meaning a Dapr runtime instance can only access components that have been deployed to the same namespace.

When Dapr runs, it matches it’s own configured namespace with the namespace of the components that it loads and initializes only the ones matching its namespaces. All other components in a different namespace are not loaded.

Namespaces

Namespaces can be used to limit component access to particular Dapr instances.

In self hosted mode, a developer can specify the namespace to a Dapr instance by setting the NAMESPACE environment variable. If the NAMESPACE environment variable is set, Dapr does not load any component that does not specify the same namespace in its metadata.

For example given this component in the production namespace

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: statestore
  5. namespace: production
  6. spec:
  7. type: state.redis
  8. version: v1
  9. metadata:
  10. - name: redisHost
  11. value: redis-master:6379

To tell Dapr which namespace it is deployed to, set the environment variable:

MacOS/Linux:

  1. export NAMESPACE=production
  2. # run Dapr as usual

Windows:

  1. setx NAMESPACE "production"
  2. # run Dapr as usual

Let’s consider the following component in Kubernetes:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: statestore
  5. namespace: production
  6. spec:
  7. type: state.redis
  8. version: v1
  9. metadata:
  10. - name: redisHost
  11. value: redis-master:6379

In this example, the Redis component is only accessible to Dapr instances running inside the production namespace.

Using namespaces with service invocation

When using service invocation an application in a namespace you have to qualify it with the namespace. For example calling the ping method on myapp which is scoped to the production namespace would be like this.

  1. https://localhost:3500/v1.0/invoke/myapp.production/method/ping

Or using a curl command from an external DNS address, in this case api.demo.dapr.team would be like this.

MacOS/Linux:

  1. curl -i -d '{ "message": "hello" }' \
  2. -H "Content-type: application/json" \
  3. -H "dapr-api-token: ${API_TOKEN}" \
  4. https://api.demo.dapr.team/v1.0/invoke/myapp.production/method/ping

Using namespaces with pub/sub

Read Pub/Sub and namespaces for more information on scoping components.

Application access to components with scopes

Developers and operators might want to limit access for one database to a certain application, or a specific set of applications. To achieve this, Dapr allows you to specify scopes on the component YAML. Application scopes added to a component limit only the applications with specific IDs to be able to use the component.

The following example shows how to give access to two Dapr enabled apps, with the app IDs of app1 and app2 to the Redis component named statestore which itself is in the production namespace

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: statestore
  5. namespace: production
  6. spec:
  7. type: state.redis
  8. version: v1
  9. metadata:
  10. - name: redisHost
  11. value: redis-master:6379
  12. scopes:
  13. - app1
  14. - app2

Example

Last modified September 17, 2021 : Merge pull request #1757 from georgestevens99/1440SecretKeyRefExplanation (620a5f8)