Restricting secret mounting for pods

demarcoo · November 20, 2023, 10:02am

I want to limit the access of a pod when accessing secrets. I have created service accounts for each deployment that I have and I have limited the secrets that each deployment is able to access.

For example, access to secret ‘A’ is allowed for deployment A. However, deployment A also require access to secret ‘B’ which will be mounted as volume. While secret ‘B’ is not specified in the role that is associated with the service account, the pod can still be created (which is not expected). Any idea on how to achieve this security goal?

tl;dr

I have RBAC implemented but I guess mounting secret is not restricted by RBAC.

fox-md · November 27, 2023, 8:08pm

Hi,
I had a similar question some time ago and this is what I got Ability to create pods allows access to secrets in the same namespace · Issue #116188 · kubernetes/kubernetes · GitHub
Long story short: it seems there is no way to restrict pod to access secrets. Service account has nothing to do with it.

Topic		Replies	Views
RBAC for K8s secrets limited to certain pods in same namespace General Discussions	2	907	August 15, 2020
How to restrict access to sensitive environment variables in K8S's Pod General Discussions security	4	2789	March 7, 2022
Does restricting the access based on service account is really secured General Discussions	5	1627	November 13, 2019
Service Account Access control General Discussions	0	484	October 24, 2019
Access restriction on confidential VM General Discussions	0	272	December 20, 2022

Restricting secret mounting for pods

Related topics