I have some containers that will be running users' code in them. In order to strengthen security, I want to prevent them from having access to the Kubernetes API via the service account mechanism, but don't want to turn it off globally. The documentation says you can switch the service account name but only to another valid name. Are there alternatives that I missed? Can you restrict the account to have 0 permissions? Can you overmount the volume with a different one that's empty? Any other ideas?
The easiest hack is to mount an emptyDir over the location that the serviceAccount secret would have been mounted. Something like:

    containers:
    - name: running-user-code
      image: something-i-dont-trust
      volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: no-api-access-please
        readOnly: true
    volumes:
    - name: no-api-access-please
      emptyDir: {}

There is more discussion in Kubernetes Issue #16779 on potential solutions (and that's where I stole the emptyDir example from).
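
A check for the overmount described in the answer above, added here as an example (it is not code from the original post or from Kubernetes): it takes a parsed Pod manifest and lists the containers that would still see the service account token. The function name, the sample manifest and the `log-shipper` sidecar are constructed for illustration; `automountServiceAccountToken` is a real PodSpec field that the page does not discuss.

```python
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def exposed_containers(pod):
    """Return the names of containers that would still get the token mount."""
    spec = pod.get("spec", {})
    # Pod-level opt-out: no token volume is injected at all.
    if spec.get("automountServiceAccountToken") is False:
        return []
    # Volumes declared as emptyDir carry no credentials.
    empty = {v["name"] for v in spec.get("volumes", []) if "emptyDir" in v}
    exposed = []
    # Init containers receive the token mount too, so check them as well.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        # The mount must sit at the exact token path: a mount on a parent
        # directory does not stop the token from being mounted below it.
        shadowed = any(
            m.get("mountPath", "").rstrip("/") == TOKEN_PATH
            and m.get("name") in empty
            for m in c.get("volumeMounts", [])
        )
        if not shadowed:
            exposed.append(c["name"])
    return exposed


# Constructed sample: the answer's pod spec plus a sidecar without the overmount.
SAMPLE = {
    "spec": {
        "containers": [
            {
                "name": "running-user-code",
                "image": "something-i-dont-trust",
                "volumeMounts": [
                    {"mountPath": TOKEN_PATH, "name": "no-api-access-please",
                     "readOnly": True}
                ],
            },
            {"name": "log-shipper", "image": "example/log-shipper"},
        ],
        "volumes": [{"name": "no-api-access-please", "emptyDir": {}}],
    }
}

if __name__ == "__main__":
    for name in exposed_containers(SAMPLE):
        print(f"container {name!r} can still read the service account token")
```

The overmount is per container, so every container in the pod needs its own `volumeMounts` entry; the sidecar in the sample is reported because it lacks one.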