I want to limit the access of a pod when accessing secrets. I have created service accounts for each deployment that I have and I have limited the secrets that each deployment is able to access.
For example, access to secret ‘A’ is allowed for deployment A. However, deployment A also require access to secret ‘B’ which will be mounted as volume. While secret ‘B’ is not specified in the role that is associated with the service account, the pod can still be created (which is not expected). Any idea on how to achieve this security goal?
I have RBAC implemented but I guess mounting secret is not restricted by RBAC.