RBAC for K8s secrets limited to certain pods in same namespace

kubectl create secret generic mysecret --from-file=mysecret=/home/user/secret.txt

How do I limit access to this secret? I only want certain pods to have access to this secret.

Kubernetes version: 1.17.0
Installation method: brew
Host OS: Mac

You’d create a service account for use by the pod and then attach a role/clusterrole to it with a restricted set of rules like these, and attach it to the pod with a rolebinding.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: access-secret
  namespace: default
# Reference this account from the pod with spec.serviceAccountName: access-secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: access-super-secret-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  # resourceNames limits the grant to the one secret created above;
  # without it the role covers every secret in the namespace.
  # list/watch are then only authorized with a metadata.name field selector.
  resourceNames: ["mysecret"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-super-secret-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-super-secret-role
subjects:
- kind: ServiceAccount
  name: access-secret
  namespace: default   # required for ServiceAccount subjects

Check out the rbac documentation for more info:

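To see what the Role above actually grants, here is an added example (not from the original post or from Kubernetes itself) that models the RBAC rule-matching logic in Python and compares the broad Role against one narrowed with resourceNames to the `mysecret` secret; the Rule class and helper names are assumptions for this illustration.

```python
# Added example: a minimal model of how Kubernetes RBAC matches a Role's
# rules against a request. It models rule matching only and never talks
# to a cluster; the Rule class and function names are illustrative.
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty = any name


def rule_allows(rule, api_group, resource, verb, name):
    """A rule grants a request only when every field matches ("*" is a wildcard)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    if not (match(rule.api_groups, api_group) and match(rule.resources, resource)
            and match(rule.verbs, verb)):
        return False
    # resourceNames only constrains requests that carry a name; a plain list
    # or watch request has no single name and cannot satisfy such a rule.
    if rule.resource_names:
        return name is not None and name in rule.resource_names
    return True


def role_allows(rules, api_group, resource, verb, name=None):
    """RBAC is purely additive: any matching rule allows, nothing denies."""
    return any(rule_allows(r, api_group, resource, verb, name) for r in rules)


# The Role from the answer: every secret in the namespace.
BROAD_RULES = [Rule([""], ["secrets"], ["get", "watch", "list"])]
# The same Role narrowed to the one secret created in the question.
NARROW_RULES = [Rule([""], ["secrets"], ["get", "watch", "list"], ["mysecret"])]


def demo():
    """Constructed requests; 'db-password' is a made-up second secret name."""
    return {
        "broad_get_mysecret": role_allows(BROAD_RULES, "", "secrets", "get", "mysecret"),
        "broad_get_other": role_allows(BROAD_RULES, "", "secrets", "get", "db-password"),
        "narrow_get_mysecret": role_allows(NARROW_RULES, "", "secrets", "get", "mysecret"),
        "narrow_get_other": role_allows(NARROW_RULES, "", "secrets", "get", "db-password"),
        "narrow_list_all": role_allows(NARROW_RULES, "", "secrets", "list"),
        "narrow_get_configmap": role_allows(NARROW_RULES, "", "configmaps", "get", "mysecret"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

Note that this only covers API requests made with the service account's token; a secret mounted into a pod spec is read by the kubelet, so it is governed by who may create pods in the namespace, not by this Role.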

Isn’t it true that also any user able to create a Pod in the default namespace will be able to mount the Secret in a container and see it?