Rafael Natali

Restrict K8s Secret access to a specific ServiceAccount

A few weeks ago, a colleague shared a Kubernetes documentation page called "Good practices for Kubernetes Secrets" and asked me if we were following all these practices in our environment. In short, no. But that's not the point here.


While reading through the documentation, I noticed a recommendation I had never heard of before: restricting Secret access to a specific ServiceAccount. I decided to try this configuration to understand how it works.

The configuration is a two-step process. First, add an annotation to the Secret with the name of the ServiceAccount. Second, in the ServiceAccount, add the name of the Secret(s) this account will have permission to use, plus another annotation. Finally, restart your Pod(s) for the configuration to take effect. If your


Let's see this in action!


For this example, I have:

  • a Pod running Redis (already configured to use a ServiceAccount)

  • a Secret (redis-password)

  • a ServiceAccount (redis)


First, we add the annotation to the Secret, naming the ServiceAccount redis:

metadata:
  annotations:
    kubernetes.io/service-account.name: redis 

With this configuration, we bind the Secret to the ServiceAccount redis.


Second, in the ServiceAccount, add the enforce-mountable-secrets annotation and the Secret name:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubernetes.io/enforce-mountable-secrets: "true"
...
secrets:
- name: airflow-redis-password

If the ServiceAccount tries to use a Secret that is not listed in the ServiceAccount, the Pod will not start and you'll see an error similar to this:

Warning  FailedCreate      21s (x14 over 62s)   statefulset-controller  create Pod redis in StatefulSet redis failed
error: pods "redis-0" is forbidden: container redis with envVar REDIS_PASSWORD referencing secret.secretName="redis-password" is not allowed because service account redis does not reference that secret

⚠️ IMPORTANT ⚠️


There is a major caveat with this configuration. I was testing this on K8s 1.30.3 and noticed that if I use a ServiceAccount that does not have the enforce-mountable-secrets annotation, it would be able to mount the Secret. Make sure that all the Secrets are annotated, especially the default one! Or I just did something wrong, you tell me...
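
The caveat above, turned into an audit sketch (an added example, not code from the original post or from Kubernetes): because enforcement is opt-in per ServiceAccount, it lists Secret uses by Pods whose ServiceAccount lacks the annotation, and uses that an enforcing ServiceAccount does not list. The demo namespace, the worker and debug Pods and other-secret are constructed, and only volume and env-var references are modelled.

```python
ENFORCE = "kubernetes.io/enforce-mountable-secrets"

def secret_refs(pod):
    """Secret names a Pod uses through volumes and env vars (the cases modelled here)."""
    spec = pod["spec"]
    names = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    containers = spec.get("initContainers", []) + spec["containers"]
    envs = [e for c in containers for e in c.get("env", [])]
    names |= {e["valueFrom"]["secretKeyRef"]["name"] for e in envs
              if "secretKeyRef" in e.get("valueFrom", {})}
    return names

def audit(items):
    """Return (unenforced, blocked) lists of (pod, serviceaccount, secret) tuples."""
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
           for i in items if i["kind"] == "ServiceAccount"}
    unenforced, blocked = [], []
    for pod in (i for i in items if i["kind"] == "Pod"):
        ns = pod["metadata"]["namespace"]
        sa_name = pod["spec"].get("serviceAccountName", "default")
        sa = sas.get((ns, sa_name), {"metadata": {}})
        enforced = sa["metadata"].get("annotations", {}).get(ENFORCE) == "true"
        listed = {s["name"] for s in sa.get("secrets", [])}
        for secret in sorted(secret_refs(pod)):
            finding = (f"{ns}/{pod['metadata']['name']}", sa_name, secret)
            if not enforced:
                unenforced.append(finding)  # no list restricts this use
            elif secret not in listed:
                blocked.append(finding)     # enforcing account does not list it
    return unenforced, blocked

def _meta(name, annotations=None):
    return {"namespace": "demo", "name": name, "annotations": annotations or {}}

# Constructed sample shaped like the items of `kubectl get serviceaccounts,pods -o json`.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": _meta("default")},
    {"kind": "ServiceAccount", "metadata": _meta("redis", {ENFORCE: "true"}),
     "secrets": [{"name": "redis-password"}]},
    {"kind": "Pod", "metadata": _meta("redis-0"), "spec": {"serviceAccountName": "redis",
     "containers": [{"name": "redis", "env": [{"name": "REDIS_PASSWORD", "valueFrom":
         {"secretKeyRef": {"name": "redis-password", "key": "password"}}}]}]}},
    {"kind": "Pod", "metadata": _meta("worker"), "spec": {"serviceAccountName": "redis",
     "containers": [{"name": "app"}], "volumes": [{"name": "s", "secret": {"secretName": "other-secret"}}]}},
    {"kind": "Pod", "metadata": _meta("debug"), "spec": {"containers": [{"name": "sh"}],
     "volumes": [{"name": "s", "secret": {"secretName": "redis-password"}}]}},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real cluster, pass the items array from the kubectl JSON output in place of SAMPLE.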

