3

I have a secret which contains very sensitive information. I want to make sure that this secret can only be accessed by a certain service account and nobody else.

Using RBAC, I can tell which user can access which resources. But is there some way where I can tell that this secret can only be accessed by this user?

codego123

2 Answers

2
  • As far as I know, there is no straightforward way to get that info (it might require writing a script that iterates through rolebindings & clusterrolebindings).

  • Recently found a plugin called kubectl who-can on kubectl-who-can that fetches those kinds of details with one command.

confused genius
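A sketch of the kind of script the answer above describes, as an added example that is not code from the answer or from kubectl-who-can. It walks RoleBindings and ClusterRoleBindings and reports every subject whose bound rules allow a verb on one named secret; all role, binding and subject names are constructed sample data, and only RBAC is evaluated.

```python
# Constructed sample objects, reduced from the shape `kubectl get ... -o json` returns.
ROLES = {  # keyed by (kind, namespace, name); namespace is None for ClusterRoles
    ("Role", "prod", "db-secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["db-password"], "verbs": ["get"]}],
    ("ClusterRole", None, "secret-admin"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}],
    ("ClusterRole", None, "pod-viewer"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "prod",
     "roleRef": {"kind": "Role", "name": "db-secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "prod", "name": "payments"}]},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"},
     "subjects": [{"kind": "Group", "name": "ops-admins"}]},
    {"kind": "RoleBinding", "namespace": "dev",
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "namespace": "prod",
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

def rule_allows(rule, verb, secret):
    """True if one RBAC rule permits `verb` on the core-group secret `secret`."""
    def has(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    names = rule.get("resourceNames", [])  # an empty list means every name
    return (has("apiGroups", "") and has("resources", "secrets")
            and has("verbs", verb) and (not names or secret in names))

def who_can(verb, namespace, secret, roles=ROLES, bindings=BINDINGS):
    """Subjects granted `verb` on `secret` in `namespace`, as (kind, ns, name)."""
    allowed = set()
    for b in bindings:
        # A RoleBinding grants only inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding grants everywhere.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        role_ns = b["namespace"] if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        if any(rule_allows(r, verb, secret) for r in rules):
            for s in b.get("subjects", []):
                allowed.add((s["kind"], s.get("namespace"), s["name"]))
    return sorted(allowed, key=str)
```

With the sample data, `who_can("get", "prod", "db-password")` returns the `payments` service account and also the `ops-admins` group, which is the kind of unintended second grant such an audit is meant to surface.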
0

It is possible to get it done with a validating webhook, where the API request fields are parsed and checked for matching users. OPA can be used to do some heavy lifting.

Chetan