K
Q

How to use RBAC to control access to a type of secret resources?

11/29/2017

In my k8s cluster, there are some secret resources which are listed below.

$kubectl get secrets -n istio-system
NAME TYPE
default-token-4wwkb kubernetes.io/service-account-token istio-ca-secret istio.io/ca-root
istio-ca-service-account-token-rl4xm kubernetes.io/service-account-token
istio-egress-service-account-token-vbfwf kubernetes.io/service-account-token
istio-ingress-certs kubernetes.io/tls
istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-token istio-mixer-service-account-token-29qbb kubernetes.io/service-account-token istio-pilot-service-account-token-t6kmf kubernetes.io/service-account-token istio.default istio.io/key-and-cert
istio.istio-ca-service-account istio.io/key-and-cert
istio.istio-egress-service-account istio.io/key-and-cert
istio.istio-ingress-service-account istio.io/key-and-cert
istio.istio-mixer-service-account istio.io/key-and-cert
istio.istio-pilot-service-account istio.io/key-and-cert
istio.test-istio-sa istio.io/key-and-cert
test-istio-sa-token-4zm9k kubernetes.io/service-account-token

Now I want to use rbac to control a service account test-istio-sa, so that test-istio-sa can only access to all secrets of type kubernetes.io/service-account-token, such as istio-ca-service-account-token-rl4xm, and istio-ingress-service-account-token-kwr85.

I create a Role kube-sa-token-reader, and bind it to service account test-istio-sa.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: istio-system
  name: kube-sa-token-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets/kubernetes.io/service-account-token"] # grant access to all service account tokens
  verbs: ["get", "watch", "list"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-kube-sa-token
  namespace: istio-system
subjects:
- kind: ServiceAccount
  name: test-istio-sa
roleRef:
  kind: Role
  name: kube-sa-token-reader
  apiGroup: rbac.authorization.k8s.io

But it seem does not work as expected. $ kubectl auth can-i get secret/kubernetes.io/service-account-token -n istio-system --as system:serviceaccount:istio-system:test-istio-sa

no - Unknown user "system:serviceaccount:istio-system:test-istio-sa"

-- JimmyCYJ
kubernetes
kubernetes-security
rbac

Similar Questions

Kubernetes pod random timeout
IP whitelisting in google container engine with ingress not working
Unable to read from MongoDB slave using Node.js
What are the Kubernetes API resources (within ResourceAttributes) and verbs?

0 Answers