
I am using the Kubernetes CSI Secrets Store driver to connect my AKS cluster to my Key Vault. When mounting the class inside my pods, the volume contains all the secrets specified in the class YAML. These secrets are then handed to different apps, yet I do not want every app to always mount all secrets referenced in the class, but rather to select distinct secrets at the volume level.

Is there a way to prevent that like with regular secrets?

Pod excerpt:

        # container volumeMounts entry
        - name: secrets-provider-volume
          mountPath: /etc/.secrets
          readOnly: true
...
      # pod volumes entry: the mount only references the class by name
      - name: secrets-provider-volume
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: secretcls

I am looking for something similar to this: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#project-secret-keys-to-specific-file-paths

Bennimi
  • Have you tried restricting what the SP you used to connect the CSI driver to Key Vault is allowed to read? Otherwise I'd think the normal RBAC might be able to handle it - just as it would a normal secret. – fredrik Aug 07 '23 at 17:56
  • yea, but I still have a bunch of applications and rather than using multiple classes I just want to use one and differentiate on deployment/pod level (ps: updated my question) – Bennimi Aug 07 '23 at 18:42
