In my k8s cluster, there are some secret resources which are listed below.
$kubectl get secrets -n istio-system
NAME TYPE
default-token-4wwkb kubernetes.io/service-account-token
istio-ca-secret istio.io/ca-root
istio-ca-service-account-token-rl4xm kubernetes.io/service-account-token
istio-egress-service-account-token-vbfwf kubernetes.io/service-account-token
istio-ingress-certs kubernetes.io/tls
istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-token
istio-mixer-service-account-token-29qbb kubernetes.io/service-account-token
istio-pilot-service-account-token-t6kmf kubernetes.io/service-account-token
istio.default istio.io/key-and-cert
istio.istio-ca-service-account istio.io/key-and-cert
istio.istio-egress-service-account istio.io/key-and-cert
istio.istio-ingress-service-account istio.io/key-and-cert
istio.istio-mixer-service-account istio.io/key-and-cert
istio.istio-pilot-service-account istio.io/key-and-cert
istio.test-istio-sa istio.io/key-and-cert
test-istio-sa-token-4zm9k kubernetes.io/service-account-token
Now I want to use rbac to control a service account test-istio-sa, so that test-istio-sa can only access to all secrets of type kubernetes.io/service-account-token, such as istio-ca-service-account-token-rl4xm, and istio-ingress-service-account-token-kwr85.
I create a Role kube-sa-token-reader, and bind it to service account test-istio-sa.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: istio-system
name: kube-sa-token-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets/kubernetes.io/service-account-token"] # grant access to all service account tokens
verbs: ["get", "watch", "list"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-kube-sa-token
namespace: istio-system
subjects:
- kind: ServiceAccount
name: test-istio-sa
roleRef:
kind: Role
name: kube-sa-token-reader
apiGroup: rbac.authorization.k8s.io
But it seem does not work as expected.
$ kubectl auth can-i get secret/kubernetes.io/service-account-token -n istio-system --as system:serviceaccount:istio-system:test-istio-sa
no - Unknown user "system:serviceaccount:istio-system:test-istio-sa"