Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Limit access to Kubernetes secret by RBAC

I have set up Kubernetes secrets.

kubectl create secret generic mysecret --from-file=mysecret=/home/ubuntu/secret.txt

And this secret can be converted to plaintext using the same kubectl command:

kubectl get secret mysecret -o yaml
# and base64 decode

How do I limit access to this secret? I only want a certain pods and only me as an operator to have access to this secret.

like image 847
enerudfwqenq Avatar asked Sep 11 '18 04:09

enerudfwqenq


People also ask

How do I protect Kubernetes secrets?

Protecting secrets in container environments A common approach to getting more secure secret management on Kubernetes is to introduce an external secret management solution, such as Hashicorp Vault, AWS Secrets Manager, Azure Key Vault, or Google Secret Manager.

What are RBAC roles Kubernetes?

RBAC in Kubernetes is the mechanism that enables you to configure fine-grained and specific sets of permissions that define how a given user, or group of users, can interact with any Kubernetes object in the cluster or a particular cluster namespace.


1 Answers

OK, so you need to define a (cluster) role and then bind it to you (== human user is the target entity) and/or to a service account (== app is the target entity) which you then use in the pod instead of the default one.

The respective secretadmin role (or choose whatever name you prefer) would look something like this (vary verbs as required):

$ kubectl create clusterrole secretadmin \
          --verb=get --verb=list --verb=create --verb=update  \
          --resource=secret \
          --namespace=mysuperproject

Once you've defined the role, you can attach (or: bind) it to a certain entity. Let's go through the case of the service account (similar then for a human user, just simpler). So first we need to create the service account, here called thepowerfulapp which you will then use in your deployment/pod/whatever:

$ kubectl -n mysuperproject create sa thepowerfulapp

And now it's time to tie everything together with the following binding called canadminsecret

$ kubectl create clusterrolebinding canadminsecret \
          --role=secretadmin \
          --serviceaccount=mysuperproject:thepowerfulapp \
          --namespace=mysuperproject
like image 105
Michael Hausenblas Avatar answered Oct 23 '22 01:10

Michael Hausenblas