Isolate Secrets at Service layer in same namespace

4/2/2019

I am trying to find out how I can isolate my Kubernetes Secrets to a specific Service.

For example, let's say I have two secrets named private-key and public-key and two Kubernetes Services, auth-service and gateway-service.

I want to provide the private-key secret to auth-service to generate tokens and the public-key secret to gateway-service to validate the generated tokens. All Secrets and Services are in the same namespace.

How can I restrict access to private-key to only auth-service?

-- Nirav
kubernetes
kubernetes-secrets
minikube

1 Answer

4/2/2019

There is no way to achieve that; this is by design in Kubernetes. Secrets in Kubernetes are per namespace, and any pod in that namespace can mount them. So the only way to achieve that is by using separate namespaces. BTW, not only Secrets but also RBAC permissions are per namespace - you cannot limit user permissions to a specific object, only to the entire namespace.

Also, from a security point of view, you might want to consider a more secure solution for the private key used to sign tokens, like an HSM. There are a few cloud options, like Azure Key Vault or AWS CloudHSM, that provide this feature.

As a final comment, this is one of the reasons we ended up building our own secrets encryption solution, Kamus. Kamus lets you encrypt secrets for a specific service, and only this service can decrypt them. This gives us better granularity of secrets permissions, which the Kubernetes secrets mechanism did not provide.

-- Omer Levi Hevroni
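The separate-namespace layout the answer recommends, as an added example that is not part of the original answer: each service lives in its own namespace together with only the key it needs, because a pod's secret volume can only reference Secrets in the pod's own namespace. The namespace names auth and gateway, the image name and the placeholder key contents are assumptions; the auth-service pod in namespace auth would mount private-key in the same way.

```yaml
# Added example (not from the answer). Names and key contents are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: auth
---
apiVersion: v1
kind: Secret
metadata:
  name: private-key
  namespace: auth            # only pods running in "auth" can mount this
type: Opaque
stringData:
  private.pem: "<PLACEHOLDER: PEM-encoded signing key>"
---
apiVersion: v1
kind: Namespace
metadata:
  name: gateway
---
apiVersion: v1
kind: Secret
metadata:
  name: public-key
  namespace: gateway         # the verification key is all gateway needs
type: Opaque
stringData:
  public.pem: "<PLACEHOLDER: PEM-encoded verification key>"
---
apiVersion: v1
kind: Pod
metadata:
  name: gateway-service
  namespace: gateway
spec:
  containers:
  - name: gateway
    image: example.com/gateway-service:1.0   # placeholder image
    volumeMounts:
    - name: verify-key
      mountPath: /etc/keys
      readOnly: true
  volumes:
  - name: verify-key
    secret:
      # Secret references are namespace-local: "private-key" does not exist
      # in "gateway", so a pod here has no way to mount the signing key.
      secretName: public-key
```

If the gateway pod were changed to reference secretName: private-key, it would stay in ContainerCreating with a "secret not found" volume mount error rather than receive the key from the auth namespace.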
Source: StackOverflow