Restricting secret mounting for pods

I want to limit the access of a pod when accessing secrets. I have created service accounts for each deployment that I have and I have limited the secrets that each deployment is able to access.

For example, access to secret ‘A’ is allowed for deployment A. However, deployment A also requires access to secret ‘B’, which will be mounted as a volume. While secret ‘B’ is not specified in the role that is associated with the service account, the pod can still be created (which is not expected). Any idea on how to achieve this security goal?


I have RBAC implemented but I guess mounting a secret is not restricted by RBAC.

I had a similar question some time ago and this is what I got: Ability to create pods allows access to secrets in the same namespace · Issue #116188 · kubernetes/kubernetes · GitHub
Long story short: it seems there is no way to restrict a pod from accessing secrets. The service account has nothing to do with it.
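An added example (not from either poster) of the check that RBAC does not perform for mounted secrets: given the Role bound to a pod's service account and the pod spec, enumerate every secret the pod pulls in and flag those the Role does not grant. This is the logic an admission webhook or a pre-deploy audit would need to implement; the Role and pod below are constructed sample input, and the secret names "A", "B", "C" and "registry" are assumed.

```python
# Constructed Role: the service account of deployment A may only read secret "A".
ROLE_A = {"rules": [{"apiGroups": [""], "resources": ["secrets"],
                     "verbs": ["get"], "resourceNames": ["A"]}]}

# Constructed pod for deployment A: it mounts secret "B" and reads "C" from env, which the
# Role does not grant. The API server admits it anyway: the kubelet fetches mounted secrets.
POD_A = {"spec": {
    "serviceAccountName": "deploy-a",
    "volumes": [{"name": "b", "secret": {"secretName": "B"}},
                {"name": "p", "projected": {"sources": [{"secret": {"name": "A"}}]}}],
    "containers": [{"name": "app", "image": "example/app",
                    "env": [{"name": "TOK", "valueFrom": {"secretKeyRef": {"name": "C", "key": "t"}}}],
                    "envFrom": [{"secretRef": {"name": "A"}}]}],
    "imagePullSecrets": [{"name": "registry"}]}}

def referenced_secrets(pod: dict) -> set:
    """Every secret a pod spec pulls in: volumes, projected sources, env, envFrom, imagePullSecrets."""
    spec, names = pod["spec"], set()
    for v in spec.get("volumes", []):
        if "secret" in v:
            names.add(v["secret"]["secretName"])
        for src in v.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            if "secretKeyRef" in e.get("valueFrom", {}):
                names.add(e["valueFrom"]["secretKeyRef"]["name"])
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
    for ips in spec.get("imagePullSecrets", []):
        names.add(ips["name"])
    return names

def granted_secrets(role: dict) -> "set | None":
    """Secret names the Role lets its subject read; None means every secret in the namespace."""
    granted = set()
    for rule in (r for r in role["rules"] if {"secrets", "*"} & set(r["resources"])):
        if not rule.get("resourceNames"):
            return None  # a rule without resourceNames covers all secrets
        granted.update(rule["resourceNames"])
    return granted

def undeclared_secrets(pod: dict, role: dict) -> set:
    """Secrets the pod references beyond what the Role grants; a webhook would reject when non-empty."""
    granted = granted_secrets(role)
    return set() if granted is None else referenced_secrets(pod) - granted
```

For the sample input, undeclared_secrets(POD_A, ROLE_A) returns {"B", "C", "registry"}, exactly the references that the RBAC role was expected to block but does not.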