Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Granting a Kubernetes Service Account permissions for Secrets?

Tags:

kubernetes

rbac

I have a Service Account which I'd like to grant permissions to read/write/update/delete Secrets within a specific namespace. I'm not clear about how exactly Service Accounts, Roles, Bindings, etc. work together to grant the right permissions.

What kubectl invocations or YAML do I need to do to grant these permissions to the service account?

Here's the YAML for the Service Account I have so far:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-10-09T17:45:20Z
  name: testaccount
  namespace: test
  resourceVersion: "369702913"
  selfLink: /api/v1/namespaces/test/serviceaccounts/testaccount
  uid: f742ed5c-c1b3-11e8-8a69-0ade4132ab56
secrets:
- name: testaccount-token-brjxq
like image 282
user108471 Avatar asked Oct 10 '18 15:10

user108471

People also ask

How do you store secrets in Kubernetes?

When you create a Secret with kubectl create -f secret. yaml , Kubernetes stores it in etcd. The Secrets are stored in clear in etcd unless you define an encryption provider. When you define the provider, before the Secret is stored in etcd and after the values are submitted to the API, the Secrets are encrypted.

How service account works in Kubernetes?

Kubernetes service accounts let you give an identity to your Pods, which can be used to: Authenticate Pods to the Kubernetes API server, allowing the Pods to read and manipulate Kubernetes API objects (for example, a CI/CD pipeline that deploys applications to your cluster).

Can I connect one service account to multiple namespaces in Kubernetes?

Namespaces cannot be nested inside one another and each Kubernetes resource can only be in one namespace. Namespaces are a way to divide cluster resources between multiple users (via resource quota).

1 Answers

You need to create Role and Role binding.

Create a role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 namespace: test
 name: role-test-account
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Create a role binding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: role-test-account-binding
 namespace: test
subjects:
- kind: ServiceAccount
  name: test-account
  namespace: test
roleRef:
 kind: Role
 name: role-test-account
 apiGroup: rbac.authorization.k8s.io

You can read more about using RBAC Authorization

like image 124
Atul Verma Avatar answered Oct 12 '22 11:10

Atul Verma
Sign in to Comment

Related questions

Kubernetes - Container image already present on machine
how to use Kubernetes DNS for pods?
kubernetes label name 63 character limit
In Kubernetes, how do I autoscale based on the size of a queue?
nginx ingress sub path redirection
Kubernetes Minikube with local persistent storage
How to fix "Failed to pull image" on microk8s
Different ingress in different Namespace in kubernetes
How to configure Kubernetes to encrypt the traffic between nodes, and pods?
MountVolume.SetUp failed for volume "nfs" : mount failed: exit status 32
Why do pods with completed status still show up in kubctl get pods?
What is the difference between patches vs patchesJson6902 in Kustomize
Is it possible to use Istio without kubernetes or docker?
Kubernetes pods failing on "Pod sandbox changed, it will be killed and re-created"
Deploy WAR in Tomcat on Kubernetes
Kubernetes client-go: watch.Interface vs. cache.NewInformer vs. cache.NewSharedIndexInformer?
How to get a custom healthcheck path in a GCE L7 balancer serving a Kubernetes Ingress?
Kubernetes: should I use HTTPS to communicate between services
Kubernetes: Routing non HTTP Request via Ingress to Container
How do you set-up Mongo replica set on Kubernetes?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!