kubectl create secret generic mysecret --from-file=mysecret=/home/user/secret.txt
How do I limit access to this secret? I only want certain pods to have access to this secret.
Kubernetes version: 1.17.0
Installation method: brew
Host OS: Mac
You’d create a service account for use by the pod and then attach a role/clusterrole to it with a restricted set of rules like the following, and attach it to the pod with a rolebinding.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: access-secret
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: access-super-secret-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
  # To narrow "get" to the one secret created above, add:
  # resourceNames: ["mysecret"]
  # (list/watch of the whole collection are not narrowed by resourceNames)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-super-secret-rolebinding
  namespace: default   # must be the namespace of the Role it references
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-super-secret-role
subjects:
- kind: ServiceAccount
  name: access-secret
  namespace: default   # required for ServiceAccount subjects
Check out the rbac documentation for more info:
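How the API server evaluates the Role/RoleBinding above for the access-secret service account, as an added example that is not part of the original thread. The manifests are transcribed into Python dicts; ROLE_SCOPED is a constructed variant with resourceNames narrowing the rule to the single secret "mysecret", and ClusterRole references are not modelled.

```python
# Added example, not from the original thread: a minimal model of how the
# API server evaluates the Role/RoleBinding above for the access-secret
# service account. Manifests are transcribed into dicts; ROLE_SCOPED is a
# constructed variant that narrows the rule to the single secret "mysecret".

ROLE = {"metadata": {"name": "access-super-secret-role", "namespace": "default"},
        "rules": [{"apiGroups": [""], "resources": ["secrets"],
                   "verbs": ["get", "watch", "list"]}]}

ROLE_SCOPED = {"metadata": {"name": "access-super-secret-role", "namespace": "default"},
               "rules": [{"apiGroups": [""], "resources": ["secrets"],
                          "verbs": ["get", "watch", "list"],
                          "resourceNames": ["mysecret"]}]}

BINDING = {"metadata": {"name": "access-super-secret-rolebinding", "namespace": "default"},
           "roleRef": {"kind": "Role", "name": "access-super-secret-role"},
           "subjects": [{"kind": "ServiceAccount", "name": "access-secret",
                         "namespace": "default"}]}


def rule_allows(rule, verb, api_group, resource, name):
    """A rule matches when verb, apiGroup, resource and (if set) resourceNames all match."""
    if verb not in rule["verbs"] and "*" not in rule["verbs"]:
        return False
    if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
        return False
    if resource not in rule["resources"] and "*" not in rule["resources"]:
        return False
    names = rule.get("resourceNames") or []
    # A request without an object name (list/watch of the whole collection)
    # cannot satisfy a rule that is restricted by resourceNames.
    return not names or name in names


def can_i(roles, bindings, sa_ns, sa_name, verb, resource, name="", api_group="", namespace="default"):
    """True if ServiceAccount sa_ns/sa_name may do verb on resource/name in namespace."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                    and s.get("namespace") == sa_ns for s in binding["subjects"])
        if not bound:
            continue
        role = roles.get(binding["roleRef"]["name"])  # roles: name -> Role (ClusterRole refs ignored)
        if role and any(rule_allows(r, verb, api_group, resource, name) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: nothing matched
```

On a real cluster the same question is answered by `kubectl auth can-i get secrets/mysecret --as=system:serviceaccount:default:access-secret -n default`.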
Isn’t it true that also any user able to create a Pod in the default namespace will be able to mount the Secret in a container and see it?