How to disable the use of a default service account by a statefulset/deployments in kubernetes

Question

I am setting up a namespace for my application that has statefulsets, deployments, and secrets into that namespace. Using RBAC, I am defining specific roles and binding them to a service account that is used by the deployment/statefulset. This works as expected.

Now when I try to test if the secrets are secure by not assigning any service account to the deployment, it still pulls down the secrets. The default service account in the namespace is bound with the view clusterrole which should not have access to secrets.

Any clue what is happening here?

Thanks in advance.

Answer 1

I believe you need to assign a RoleBinding to the default service account on your namespace. For example:

kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=default:default --namespace=default

The view role should prevent you from reading secrets.

Answer 2

Now when I try to test if the secrets are secure by not assigning any service account to the deployment...

If you don't assign a service account to your deployment, the default service account in the deployment's namespace will be used.

... it still pulls down the secrets

Try set the automountServiceAccountToken: false on the pod. That will ensure the service account token is not automatically mounted. So something like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-pod
spec:
  ...
  template:
    ...
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false