
I am setting up a namespace for my application that has statefulsets, deployments, and secrets in that namespace. Using RBAC, I am defining specific roles and binding them to a service account that is used by the deployment/statefulset. This works as expected.

Now when I try to test if the secrets are secure by not assigning any service account to the deployment, it still pulls down the secrets. The default service account in the namespace is bound with the view clusterrole which should not have access to secrets.

Any clue what is happening here?

Thanks in advance.

Revanth Reddy

2 Answers


I believe you need to assign a RoleBinding to the default service account on your namespace. For example:

kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=default:default --namespace=default

The view role should prevent you from reading secrets.

Rico
  • Hello @Rico, thank you for responding. I am already doing it. I have associated the view role with my namespace's default serviceaccount, but still no luck. `roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - kind: ServiceAccount name: default namespace: my-namespace` – Revanth Reddy Oct 01 '18 at 03:52
  • Are you using the service account for your namespace? (`my-namespace`) – Rico Oct 01 '18 at 04:10

Now when I try to test if the secrets are secure by not assigning any service account to the deployment...

If you don't assign a service account to your deployment, the default service account in the deployment's namespace will be used.

... it still pulls down the secrets

Try setting automountServiceAccountToken: false on the pod. That will ensure the service account token is not automatically mounted. So something like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-pod
spec:
  ...
  template:
    ...
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false
ivan.sim
  • Yes, I am doing that, and on the container I don't see a secret mounted at /var/run/../../.., but the pod is still able to pull the secrets within the same namespace. Wondering if I have to disable anything else to avoid this – Revanth Reddy Nov 12 '18 at 21:53
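To reason about the binding in the comments above offline, here is an added example (not code from either answer) that implements the RBAC decision the API server makes for a ServiceAccount: RoleBindings only apply in their own namespace, subjects must match the account's name and namespace, and the rule set of the referenced role is checked for apiGroup/resource/verb. The rule lists are a constructed subset of the built-in view and edit ClusterRoles.

```python
"""Offline Kubernetes RBAC check: can a ServiceAccount perform verb X on resource Y?
The role contents below are a constructed subset of the built-in ClusterRoles."""

CLUSTER_ROLES = {
    # view: read-only on common namespaced objects, deliberately without secrets
    "view": [{"apiGroups": [""], "resources": ["pods", "services", "configmaps", "endpoints"],
              "verbs": ["get", "list", "watch"]}],
    # edit: read/write, and it does include secrets
    "edit": [{"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
              "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
}
NAMESPACED_ROLES = {}  # (namespace, name) -> rules, for kind: Role

def _rule_allows(rule, api_group, resource, verb):
    hit = lambda allowed, value: "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def _subject_is(subject, sa_namespace, sa_name):
    return (subject["kind"] == "ServiceAccount" and subject["name"] == sa_name
            and subject.get("namespace") == sa_namespace)

def can_i(bindings, sa_namespace, sa_name, verb, resource, api_group="", namespace=None):
    """True if any binding grants the service account `verb` on `resource` in `namespace`."""
    namespace = namespace or sa_namespace
    for b in bindings:
        bind_ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and bind_ns != namespace:
            continue  # a RoleBinding grants only inside the namespace it lives in
        if not any(_subject_is(s, sa_namespace, sa_name) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = CLUSTER_ROLES.get(ref["name"], [])
        else:  # kind: Role can only be referenced from a RoleBinding in the same namespace
            rules = NAMESPACED_ROLES.get((bind_ns, ref["name"]), [])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False

# The binding quoted in the comment: ClusterRole view -> ServiceAccount default in my-namespace.
VIEW_BINDING = {
    "kind": "RoleBinding", "metadata": {"namespace": "my-namespace"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "my-namespace"}],
}
# A second, hypothetical binding of the same account to edit, to show what would open up secrets.
EDIT_BINDING = dict(VIEW_BINDING, roleRef={**VIEW_BINDING["roleRef"], "name": "edit"})

if __name__ == "__main__":
    print(can_i([VIEW_BINDING], "my-namespace", "default", "get", "pods"))                  # True
    print(can_i([VIEW_BINDING], "my-namespace", "default", "get", "secrets"))               # False
    print(can_i([VIEW_BINDING, EDIT_BINDING], "my-namespace", "default", "get", "secrets"))  # True
```

On a live cluster the same question is answered by `kubectl auth can-i get secrets --as=system:serviceaccount:my-namespace:default -n my-namespace`, and listing every RoleBinding and ClusterRoleBinding whose subjects include that account shows which one grants it. Secrets delivered to a pod through volumes or environment variables are fetched by the kubelet, so they reach the container regardless of what the pod's service account is allowed to do through the API.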