A few weeks ago, a colleague shared a Kubernetes documentation page called "Good practices for Kubernetes Secrets" and asked me if we were following all these practices in our environment. In short, no. But that's not the point here.
While reading through the documentation, I noticed a recommendation I had never heard of before: restricting Secret access to a specific ServiceAccount. I decided to try this configuration to understand how it works.
The configuration is a two-step process. First, we need to add an annotation to the Secret with the name of the ServiceAccount. Second, in the ServiceAccount, add the name of the Secret(s) this account will have permission to use, plus another annotation. At the end, restart your Pod(s) for the configuration to take effect. If your
Let's see this in action!
For this example, I have:
a Pod running Redis (already configured to use a ServiceAccount)
a Secret (redis-password)
a ServiceAccount (redis)
First, we add the annotation to the Secret, naming the ServiceAccount redis:
metadata:
  annotations:
    kubernetes.io/service-account.name: redis
With this configuration, we have bound the Secret to the ServiceAccount redis.
Second, in the ServiceAccount, add the enforce-mountable-secrets annotation and the Secret name:
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubernetes.io/enforce-mountable-secrets: "true"
  ...
secrets:
- name: airflow-redis-password
If a Pod using this ServiceAccount references a Secret that is not listed in the ServiceAccount, the Pod will not start and you'll see an error similar to this:
Warning FailedCreate 21s (x14 over 62s) statefulset-controller create Pod redis in StatefulSet redis failed
error: pods "redis-0" is forbidden: container redis with envVar REDIS_PASSWORD referencing secret.secretName="redis-password" is not allowed because service account redis does not reference that secret
⚠️ IMPORTANT ⚠️
There is a major caveat with this configuration. I was testing this on K8s 1.30.3 and noticed that if I use a ServiceAccount that does not have the enforce-mountable-secrets annotation, it would be able to mount the Secret. Make sure that all the Secrets are annotated, especially the default one! Or I just did something wrong, you tell me...
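As an added example (not code from the post or from Kubernetes itself), here is a small Python model of the rule behind the error above, run against constructed ServiceAccount and Pod objects shaped like `kubectl get ... -o json` output. It also includes an audit helper that lists ServiceAccounts without the annotation, which is the check the caveat above calls for; the object shapes, names and the simplified matching of imagePullSecrets are assumptions.

```python
ENFORCE = "kubernetes.io/enforce-mountable-secrets"

def referenced_secrets(pod):
    """Secret names a Pod spec references via env secretKeyRef, envFrom and secret volumes."""
    spec, names = pod["spec"], set()
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        names |= {s["secretRef"]["name"] for s in c.get("envFrom", []) if "secretRef" in s}
    names |= {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    return names

def enforced(sa):
    """True only when the ServiceAccount carries the annotation set to the string "true"."""
    return sa["metadata"].get("annotations", {}).get(ENFORCE) == "true"

def disallowed_secrets(pod, sa):
    """Secrets the Pod references that its ServiceAccount does not list.
    Returns [] when the annotation is absent: an unannotated ServiceAccount is not restricted,
    which is exactly the caveat described in the post."""
    if not enforced(sa):
        return []
    allowed = {s["name"] for s in sa.get("secrets", [])}
    pull_allowed = {s["name"] for s in sa.get("imagePullSecrets", [])}
    pulls = {p["name"] for p in pod["spec"].get("imagePullSecrets", [])}
    return sorted((referenced_secrets(pod) - allowed) | (pulls - pull_allowed))

def unenforced_service_accounts(sa_list):
    """Audit: namespace/name of every ServiceAccount in a list (kubectl get sa -A -o json) lacking the annotation."""
    return [f'{sa["metadata"]["namespace"]}/{sa["metadata"]["name"]}'
            for sa in sa_list["items"] if not enforced(sa)]

# Constructed sample objects (assumed shapes, not taken from a real cluster).
SA_REDIS = {"metadata": {"name": "redis", "namespace": "default",
                         "annotations": {ENFORCE: "true"}},
            "secrets": [{"name": "airflow-redis-password"}]}
SA_DEFAULT = {"metadata": {"name": "default", "namespace": "default"}}
POD_REDIS = {"spec": {"serviceAccountName": "redis", "containers": [{"name": "redis",
             "env": [{"name": "REDIS_PASSWORD", "valueFrom":
                      {"secretKeyRef": {"name": "redis-password", "key": "password"}}}]}]}}

if __name__ == "__main__":
    print(disallowed_secrets(POD_REDIS, SA_REDIS))    # ['redis-password']: rejected, as in the error above
    print(disallowed_secrets(POD_REDIS, SA_DEFAULT))  # []: unannotated SA, nothing enforced
    print(unenforced_service_accounts({"items": [SA_REDIS, SA_DEFAULT]}))  # ['default/default']
```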