Granting a Kubernetes Service Account permissions for Secrets?
You need to create Role and Role binding.
Create a role:
kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata: namespace: test name: role-test-accountrules:- apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Create a role binding:
kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: role-test-account-binding namespace: testsubjects:- kind: ServiceAccount name: test-account namespace: testroleRef: kind: Role name: role-test-account apiGroup: rbac.authorization.k8s.io
You can read more about using RBAC Authorization
So you have your SA testaccount
. Let's assume your app (the one that manipulates the secrets) has a container image myorg/myapp:01
. You'd launch it then as follows:
$ kubectl -n test run myapp \ --image=myorg/myapp:01 \ --serviceaccount=testaccount
But what about the permissions? Well, doesn't really matter if you do this before or after the app has launched, but at some point in time, do:
$ kubectl create clusterrole secretmanipulator \ --verb=get --verb=list --verb=watch \ --verb=create --verb=update --verb=patch --verb=delete \ --resource=secrets $ kubectl -n test create rolebinding allowsecretmanipulation \ --clusterrole=secretmanipulator \ --serviceaccount=test:testaccount
Note that I created a cluster role above and used a role binding then to attach it to your SA. Why? It's more reusable like that. Of course a simple role would also work here but then you'd need to re-create it for every namespace.