How to use RBAC to control access to a type of secret resources?

1.1k Views Asked by JimmyCYJ At 20 October 2024 at 00:34

In my k8s cluster, there are some secret resources which are listed below.

$kubectl get secrets -n istio-system
NAME TYPE
default-token-4wwkb kubernetes.io/service-account-token istio-ca-secret istio.io/ca-root
istio-ca-service-account-token-rl4xm kubernetes.io/service-account-token
istio-egress-service-account-token-vbfwf kubernetes.io/service-account-token
istio-ingress-certs kubernetes.io/tls
istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-token istio-mixer-service-account-token-29qbb kubernetes.io/service-account-token istio-pilot-service-account-token-t6kmf kubernetes.io/service-account-token istio.default istio.io/key-and-cert
istio.istio-ca-service-account istio.io/key-and-cert
istio.istio-egress-service-account istio.io/key-and-cert
istio.istio-ingress-service-account istio.io/key-and-cert
istio.istio-mixer-service-account istio.io/key-and-cert
istio.istio-pilot-service-account istio.io/key-and-cert
istio.test-istio-sa istio.io/key-and-cert
test-istio-sa-token-4zm9k kubernetes.io/service-account-token

Now I want to use rbac to control a service account test-istio-sa, so that test-istio-sa can only access to all secrets of type kubernetes.io/service-account-token, such as istio-ca-service-account-token-rl4xm, and istio-ingress-service-account-token-kwr85.

I create a Role kube-sa-token-reader, and bind it to service account test-istio-sa.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: istio-system
  name: kube-sa-token-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets/kubernetes.io/service-account-token"] # grant access to all service account tokens
  verbs: ["get", "watch", "list"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-kube-sa-token
  namespace: istio-system
subjects:
- kind: ServiceAccount
  name: test-istio-sa
roleRef:
  kind: Role
  name: kube-sa-token-reader
  apiGroup: rbac.authorization.k8s.io

But it seem does not work as expected. $ kubectl auth can-i get secret/kubernetes.io/service-account-token -n istio-system --as system:serviceaccount:istio-system:test-istio-sa

no - Unknown user "system:serviceaccount:istio-system:test-istio-sa"

Original Q&A

How to use RBAC to control access to a type of secret resources?

There are 0 best solutions below

Related Questions in KUBERNETES

Related Questions in RBAC

Related Questions in KUBERNETES-SECURITY

Trending Questions

Popular # Hahtags

Popular Questions