Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Limit access to Kubernetes secret by RBAC

Tags:

kubernetes

rbac

I have set up Kubernetes secrets.

kubectl create secret generic mysecret --from-file=mysecret=/home/ubuntu/secret.txt

And this secret can be converted to plaintext using the same kubectl command:

kubectl get secret mysecret -o yaml
# and base64 decode

How do I limit access to this secret? I only want a certain pods and only me as an operator to have access to this secret.

like image 847
enerudfwqenq Avatar asked Sep 11 '18 04:09

enerudfwqenq

People also ask

How do I protect Kubernetes secrets?

Protecting secrets in container environments A common approach to getting more secure secret management on Kubernetes is to introduce an external secret management solution, such as Hashicorp Vault, AWS Secrets Manager, Azure Key Vault, or Google Secret Manager.

What are RBAC roles Kubernetes?

RBAC in Kubernetes is the mechanism that enables you to configure fine-grained and specific sets of permissions that define how a given user, or group of users, can interact with any Kubernetes object in the cluster or a particular cluster namespace.

1 Answers

OK, so you need to define a (cluster) role and then bind it to you (== human user is the target entity) and/or to a service account (== app is the target entity) which you then use in the pod instead of the default one.

The respective secretadmin role (or choose whatever name you prefer) would look something like this (vary verbs as required):

$ kubectl create clusterrole secretadmin \
          --verb=get --verb=list --verb=create --verb=update  \
          --resource=secret \
          --namespace=mysuperproject

Once you've defined the role, you can attach (or: bind) it to a certain entity. Let's go through the case of the service account (similar then for a human user, just simpler). So first we need to create the service account, here called thepowerfulapp which you will then use in your deployment/pod/whatever:

$ kubectl -n mysuperproject create sa thepowerfulapp

And now it's time to tie everything together with the following binding called canadminsecret

$ kubectl create clusterrolebinding canadminsecret \
          --role=secretadmin \
          --serviceaccount=mysuperproject:thepowerfulapp \
          --namespace=mysuperproject
like image 105
Michael Hausenblas Avatar answered Oct 23 '22 01:10

Michael Hausenblas
Sign in to Comment

Related questions

Are there issues with running user pods on a Kubernetes master node?
How do I set up a Kubernetes Ingress rule with a regex path?
Yaml templates in Kubernetes
kubernetes helm: "lost connection to pod" and "transport is closing" errors
do we really need port for a headless service?
How to secure the read-only port 10255 in Google Kubernetes Engine (GKE)?
Kubernetes service deploying in default namespace instead of defined namespace using Helm
Changing hostname breaks Rabbitmq when running on Kubernetes
Accessing Postgres RDS from Kubernetes cluster in AWS
Profiling Java application in kubernetes
Is it possible to health check a Kubernetes API server over HTTP or TCP?
List all controllers running in Kubernetes
Kubernetes: PersistentVolumeClaim error, Forbidden: is immutable after creation except resources.requests for bound claims
kubectl exec fails "cannot validate certificate because it doesn't contain any IP SANs"
How do I control a kubernetes PersistentVolumeClaim to bind to a specific PersistentVolume?
Can we install Kubernetes in a complete offline mode with kubeadm?
How is the preemption notice handled?
ServiceMonitor not found in monitoring.coreos.com/v1
Kubernetes: Populate certificates into keystores
Are Kubernete's ConfigMaps Writable?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!