How do I prevent pods from mounting secrets in the same namespace?

4/30/2020

My namespace contains multiple secrets and pods. The secrets are selectively mounted on pods as volumes using the deployment spec. Is it possible to deny specific secrets from being mounted as volumes in certain pods? I have tested RBAC and it prevents pods from accessing secrets over the API. Is there a similar mechanism for mounted secrets, considering that there is a security risk in allowing all secrets to be mounted in pods in the same namespace?

-- Basil Paul
kubernetes
kubernetes-pod
rbac

2 Answers

4/30/2020

There is no easy way to do that because the secret is mounted by the kubelet. But you could have a validating webhook configured to intercept all pod creation requests coming to the Kubernetes API server. You will write code in the webhook to validate and only allow the pod creation request if the pod spec does not have any invalid or unwanted secrets; otherwise it rejects the pod creation request.

Another option would be to get the pod creation request validated by Open Policy Agent, where you can write a policy to implement similar validation.

-- Arghya Sadhu
Source: StackOverflow
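The validation logic such a webhook would run, as an added example (this is not code from the answer above or from any project; the policy map, namespace, service-account and secret names are all constructed for illustration). It walks every place in a pod spec where a Secret can be referenced, not just `volumes[].secret` but also projected volume sources, `env[].valueFrom.secretKeyRef` and `envFrom[].secretRef` on regular, init and ephemeral containers, then compares the set against an allowlist keyed by the pod's service account and returns the AdmissionReview response:

```python
"""Validating-webhook logic that denies pods referencing secrets their
service account is not entitled to. Only the decision logic is shown;
serve validate_pod() over HTTPS and register it in a
ValidatingWebhookConfiguration for pods (CREATE and UPDATE, the latter
so the ephemeralcontainers subresource is covered too).
All names below are constructed sample data."""
from typing import Dict, Set

# Assumed policy: namespace -> service account -> secrets it may reference.
# A service account absent from the map may reference no secrets at all.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "payments": {
        "api": {"api-db-creds", "api-tls"},
        "worker": {"worker-queue-creds"},
    },
}


def secret_refs(pod_spec: dict) -> Set[str]:
    """Collect every Secret name the kubelet would fetch for this pod."""
    refs: Set[str] = set()
    for vol in pod_spec.get("volumes") or []:
        if "secret" in vol:                       # secret volume
            refs.add(vol["secret"]["secretName"])
        for src in (vol.get("projected") or {}).get("sources") or []:
            if "secret" in src:                   # projected secret source
                refs.add(src["secret"]["name"])
    for key in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(key) or []:
            for env in c.get("env") or []:        # single key into env var
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    refs.add(ref["name"])
            for src in c.get("envFrom") or []:    # whole secret into env
                if "secretRef" in src:
                    refs.add(src["secretRef"]["name"])
    return refs


def validate_pod(review: dict, policy: Dict[str, Dict[str, Set[str]]] = POLICY) -> dict:
    """Build the AdmissionReview response for an incoming pod review."""
    req = review["request"]
    pod = req["object"]
    ns = req.get("namespace") or pod["metadata"].get("namespace", "default")
    sa = pod["spec"].get("serviceAccountName", "default")
    denied = sorted(secret_refs(pod["spec"]) - policy.get(ns, {}).get(sa, set()))
    response = {"uid": req["uid"], "allowed": not denied}
    if denied:
        response["status"] = {
            "code": 403,
            "message": f"serviceaccount {ns}/{sa} may not reference secrets: "
                       + ", ".join(denied),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def _review(uid: str, sa: str, containers: list, volumes: list) -> dict:
    """Constructed AdmissionReview request for a pod in namespace 'payments'."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "namespace": "payments", "operation": "CREATE",
                        "object": {"metadata": {"name": f"{sa}-0", "namespace": "payments"},
                                   "spec": {"serviceAccountName": sa,
                                            "containers": containers,
                                            "volumes": volumes}}}}


# Pod that only touches secrets its service account is allowed to use.
GOOD_REVIEW = _review(
    "c1", "api",
    [{"name": "api", "image": "example/api",
      "envFrom": [{"secretRef": {"name": "api-db-creds"}}]}],
    [{"name": "tls", "secret": {"secretName": "api-tls"}}])

# Same service account, but it also pulls the worker's credentials via a
# projected volume and an env var, which the policy must reject.
BAD_REVIEW = _review(
    "c2", "api",
    [{"name": "api", "image": "example/api",
      "env": [{"name": "QUEUE_PW", "valueFrom": {
          "secretKeyRef": {"name": "worker-queue-creds", "key": "password"}}}]}],
    [{"name": "tls", "secret": {"secretName": "api-tls"}},
     {"name": "mixed", "projected": {"sources": [
         {"secret": {"name": "worker-queue-creds"}}]}}])

if __name__ == "__main__":
    for r in (GOOD_REVIEW, BAD_REVIEW):
        print(validate_pod(r)["response"])
```

Keying the allowlist on the service account rather than the pod name is what makes the check enforceable: pod names are chosen by whoever submits the spec, while binding a pod to a service account is already what RBAC gates. Two caveats a deployment should keep in mind: the webhook should be registered with `failurePolicy: Fail`, or an outage silently re-opens the hole, and it does nothing about a workload that already holds a token with `get` on secrets, which remains an RBAC question.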

4/30/2020

The other answer is the correct one, but in the interest of completeness, you could write an admission controller which checks requests against some kind of policy. This is what the built-in NodeRestriction admission controller does to help limit things so the kubelet can only access secrets for pods it is supposed to be running.

-- coderanger
Source: StackOverflow