
I want to access a specific secret from a POD; I don't want the POD to have access to other secrets (which are not needed).

I have created a service account with no access to secrets (not even "get").

apiVersion: v1
kind: ServiceAccount
metadata:
  name: no-access-to-secrets
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: no-access-to-secrets
rules:
# empty strings match no resource, verb or name, so this Role grants nothing
# (an explicit "no rules" Role would be written as `rules: []`)
- apiGroups: [""]
  verbs: [""]
  resources:
    - ""
  resourceNames:
    - ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: no-access-to-secrets
subjects:
- kind: ServiceAccount
  name: no-access-to-secrets
roleRef:
  kind: Role
  name: no-access-to-secrets
  apiGroup: rbac.authorization.k8s.io

Expectation: I have assigned this service account to the POD, so the POD should complain or fail to start due to lack of access to the secret.

...
template:
  metadata:
    labels:
      app: app-name
  spec:
    serviceAccountName: no-access-to-secrets
    containers:
      # container name/image omitted in the question; envFrom is a per-container field
      - envFrom:
          - secretRef:
              name: my-secret
...

But to my surprise, the pod starts and reads the secret into env vars. So confused; help me here.

I don't know where I am going wrong here.

Slok
  • Your role/rolebinding will be applicable to your application that is running inside your pod. – Kamol Hasan Nov 18 '20 at 05:45
  • You need to determine the role/rolebinding of the user/identity who created the pod. – Kamol Hasan Nov 18 '20 at 05:46
  • Thanks for the reply. Agreed that role/rolebinding helps in restricting access to k8s resources via apiserver calls. But how can I restrict access to secrets at POD creation time or in scaled-up scenarios? Anyway, I will try creating the POD with the SA. – Slok Nov 18 '20 at 06:12
  • Hi, Did creating a pod with a SA work? – Piotr Malec Nov 18 '20 at 16:12
  • Yes, I am able to create a POD with the SA account; the POD starts up and works fine, but the SA doesn't have access to the secrets used by the POD spec. – Slok Nov 23 '20 at 08:01
  • Did you find it out? Perhaps it would be good to post an answer. – Alexander Meise Jul 22 '22 at 15:16
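The comments above make the key point: RBAC only governs what the pod's ServiceAccount may ask the API server for; the Secret injected through `envFrom` is fetched by the kubelet with the node's own credentials, so the pod's Role never comes into play. What RBAC can do is limit the ServiceAccount itself to one named Secret. The following is an added example, not code from the question or its comments: a small evaluator of Kubernetes RBAC PolicyRule matching (wildcards and `resourceNames`), run over the Role from the question and over a least-privilege alternative that grants `get` on `my-secret` only. It assumes core-group, namespaced resources and ignores Role aggregation and ClusterRoles.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class PolicyRule:
    """One entry of a Role's `rules:` list (simplified model of rbac.authorization.k8s.io/v1)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


def _matches(allowed: List[str], value: str) -> bool:
    # "*" is the RBAC wildcard; otherwise the value must appear literally.
    # Note the core API group is the empty string "", so apiGroups: [""] matches it.
    return "*" in allowed or value in allowed


def rule_allows(rule: PolicyRule, group: str, resource: str, verb: str, name: str) -> bool:
    """True if this single rule permits `verb` on `group/resource` named `name`."""
    if not _matches(rule.api_groups, group):
        return False
    if not _matches(rule.resources, resource):
        return False
    if not _matches(rule.verbs, verb):
        return False
    # resourceNames, when set, restricts the rule to those named objects;
    # an empty list means "any object of this resource kind".
    return not rule.resource_names or name in rule.resource_names


def role_allows(rules: List[PolicyRule], group: str, resource: str, verb: str, name: str) -> bool:
    """A Role permits a request if any of its rules permits it (rules are purely additive)."""
    return any(rule_allows(r, group, resource, verb, name) for r in rules)


# The Role posted in the question: empty strings match no resource, verb or name.
NO_ACCESS = [PolicyRule(api_groups=[""], resources=[""], verbs=[""], resource_names=[""])]

# Least-privilege alternative (constructed here): read exactly one Secret by name.
ONE_SECRET_ONLY = [PolicyRule(api_groups=[""], resources=["secrets"], verbs=["get"],
                              resource_names=["my-secret"])]

if __name__ == "__main__":
    for label, rules in (("no-access-to-secrets", NO_ACCESS), ("one-secret-only", ONE_SECRET_ONLY)):
        for secret in ("my-secret", "other-secret"):
            print(f"{label}: get secrets/{secret} ->",
                  role_allows(rules, "", "secrets", "get", secret))
```

Against a live cluster the same question is answered by `kubectl auth can-i get secrets/my-secret --as=system:serviceaccount:<namespace>:no-access-to-secrets`; either way the result describes API-server authorization only, not what the kubelet injects into the pod.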

0 Answers