Chris Stryczynski

Reputation: 33861

Do RBAC rules apply to pods?

I have the following pod definition, (notice the explicitly set service account and secret):

apiVersion: v1
kind: Pod
metadata:
  name: pod-service-account-example
  labels:
    name: pod-service-account-example
spec:
  serviceAccountName: example-sa
  containers:
  - name: busybox
    image: busybox:latest
    command: ["sleep", "10000000"]
    env:
      - name: SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: example-secret
            key: secret-key-123

It successfully runs. However, if I use the same service account example-sa and try to retrieve the example-secret, it fails:

kubectl get secret example-secret
Error from server (Forbidden): secrets "example-secret" is forbidden: User "system:serviceaccount:default:example-sa" cannot get resource "secrets" in API group "" in the namespace "default"

Does RBAC not apply for pods? Why is the pod able to retrieve the secret if not?

Upvotes: 0

Views: 73

Answers (1)

Arghya Sadhu

Reputation: 44549

RBAC applies to service accounts, groups and users, not to pods. When you refer to a secret in the env of a pod, the service account is not being used to get the secret. The kubelet is getting the secret by using its own Kubernetes client credential. Since the kubelet is using its own credential to get the secret, it does not matter whether the service account has RBAC permission to get the secret or not, because it's not used.

The service account is used when you want to invoke the Kubernetes API from a pod using the Kubernetes standard client library or kubectl.

Code snippet of Kubelet for reference.

Upvotes: 1
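What does get checked is an API call made with the service account, as in the question's kubectl command; the Role and RoleBinding below, an added example rather than anything from the question or answer, grant example-sa read access to that one secret only. The object names and the default namespace are taken from the question and its error message; the Role and RoleBinding names are made up here.

```yaml
# Added example: least-privilege grant so that a client running as
# example-sa can "get" example-secret through the API, and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-example-secret          # name chosen for this example
  namespace: default                 # namespace from the error message
rules:
- apiGroups: [""]                    # core API group, where Secret lives
  resources: ["secrets"]
  resourceNames: ["example-secret"]  # scope to one secret, not all of them
  verbs: ["get"]                     # no list/watch, so no enumeration
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-sa-read-example-secret   # name chosen for this example
  namespace: default
subjects:
- kind: ServiceAccount
  name: example-sa                   # the pod's service account
  namespace: default
roleRef:
  kind: Role
  name: read-example-secret
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` on this file, `kubectl auth can-i get secret example-secret --as=system:serviceaccount:default:example-sa` answers yes while the same check against any other secret in the namespace still answers no. This governs API calls only: a pod created in the namespace can still reference example-secret in its spec through the kubelet path the answer describes, so who is allowed to create pods in that namespace matters as much as the Role.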
