Restrict access of a K8s secret to a particular service account
I have a secret which contains very sensitive information. I want to make sure that this secret can only be accessed by a certain service account and nobody else.
Using RBAC, I can tell which user can access which resources. But is there some way where I can tell that this secret can only be accessed by this user?
Solution 1:[1]
As far as I know, there is no straightforward way to get that info (it might require writing a script that iterates through RoleBindings and ClusterRoleBindings).
Recently found a plugin called kubectl who-can (kubectl-who-can) that fetches those kinds of details with one command.
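Solution 1 mentions writing a script that walks the bindings. As an added example (not code from either answer or from kubectl-who-can), the following Python does that over constructed sample RBAC objects: it honours resourceNames, RoleBinding namespace scoping, RoleBindings that reference ClusterRoles, and wildcards, and reports every subject holding a verb on a named secret. The object names and the helper functions (rule_matches, who_can) are assumptions.

```python
# Added audit script (not from the answers above): walk Role/RoleBinding/ClusterRole/
# ClusterRoleBinding objects and report which subjects hold a verb on one named secret.
# Objects below are constructed samples shaped like `kubectl get <kind> -o json` output.

def rule_matches(rule, verb, resource, name):
    """True if one PolicyRule grants `verb` on core-group `resource`/`name`."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return False
    if not {verb, "*"} & set(rule.get("verbs", [])):
        return False
    if not {resource, "*"} & set(rule.get("resources", [])):
        return False
    names = rule.get("resourceNames")  # empty/absent => every object of that kind
    return not names or name in names

def who_can(roles, rolebindings, clusterroles, clusterrolebindings, verb, namespace, secret_name):
    """Sorted 'Kind/namespace/name' subjects able to `verb` secret namespace/secret_name."""
    rules_by_ref = {("Role", r["metadata"]["namespace"], r["metadata"]["name"]): r["rules"] for r in roles}
    rules_by_ref.update({("ClusterRole", None, r["metadata"]["name"]): r["rules"] for r in clusterroles})
    # RoleBindings only grant inside their own namespace; ClusterRoleBindings grant cluster-wide.
    bindings = [(b, namespace) for b in rolebindings if b["metadata"]["namespace"] == namespace]
    bindings += [(b, None) for b in clusterrolebindings]
    subjects = set()
    for binding, ns in bindings:
        ref = binding["roleRef"]  # a RoleBinding may reference a ClusterRole; a CRB cannot reference a Role
        key = (ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"])
        if any(rule_matches(r, verb, "secrets", secret_name) for r in rules_by_ref.get(key, [])):
            for s in binding.get("subjects", []):
                subjects.add(f'{s["kind"]}/{s.get("namespace", "")}/{s["name"]}')
    return sorted(subjects)

# Constructed samples: a Role pinned to one secret via resourceNames, a Role over all secrets, a wildcard ClusterRole.
ROLES = [
    {"metadata": {"namespace": "prod", "name": "read-db-creds"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["db-creds"], "verbs": ["get"]}]},
    {"metadata": {"namespace": "prod", "name": "read-secrets"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
]
CLUSTER_ROLES = [{"metadata": {"name": "everything"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}]
ROLE_BINDINGS = [
    {"metadata": {"namespace": "prod", "name": "app"}, "roleRef": {"kind": "Role", "name": "read-db-creds"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "prod", "name": "payments-app"}]},
    {"metadata": {"namespace": "prod", "name": "ops"}, "roleRef": {"kind": "Role", "name": "read-secrets"},
     "subjects": [{"kind": "Group", "name": "ops-team"}]},
]
CLUSTER_ROLE_BINDINGS = [{"metadata": {"name": "admins"}, "roleRef": {"kind": "ClusterRole", "name": "everything"},
                          "subjects": [{"kind": "User", "name": "alice"}]}]

if __name__ == "__main__":
    print(who_can(ROLES, ROLE_BINDINGS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, "get", "prod", "db-creds"))
```

Any subject listed besides the intended service account is a binding to review; the wildcard ClusterRoleBinding shows why cluster-wide grants must be included in such an audit.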
Solution 2:[2]
It is possible to get it done with a Validating webhook, where the API request fields are parsed and checked for matching users. OPA can be used to do some heavy lifting.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | confused genius |
| Solution 2 | Chetan |
