Reputation: 774
When a ServiceAccount is created in Kubernetes, a secret is created too. This secret contains the ServiceAccountToken. This token can be used in CI pipelines, in kubectl, and anywhere else to access the cluster. Assume a developer in the company copies this token for himself (and no one knows that), and after he leaves the company he still has access to our Kubernetes cluster. I want to limit his access. How can I do that?
Upvotes: 2
Views: 3395
Reputation: 128995
Assume a developer in the company copies this token for himself (and no one knows that), and after he leaves the company he still has access to our Kubernetes cluster. I want to limit his access. How can I do that?
Yes, this is a risk that you have to mitigate.
In Kubernetes, you can now use tokens that are only valid for a short time, e.g. an hour. If you can, use a Service Account token from a projected volume. See also No more forever tokens. In fact, I think this is a better approach for most Service Account usage from a security standpoint.
If you use a Kubernetes-native CI/CD pipeline, e.g. Tekton, you can deploy using these newer tokens, which are rotated regularly.
If you deploy from outside the cluster, @Arghya Sadhu provided a good alternative, by using an authentication proxy.
If you use Kubernetes at a cloud provider and deploy from a CI/CD system outside of the cluster, they usually have federated identity solutions, e.g. AWS IAM roles for EKS service accounts or Google Workload Identity for GKE.
Upvotes: 3
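The difference this answer relies on (a "forever" token from an auto-created secret versus a short-lived token from a projected volume or the TokenRequest API) is visible in the token's own claims, so it can be audited without talking to the cluster. The following is an added example, not code from the question, the answers, or Kubernetes itself. It builds two constructed, unsigned sample tokens with the claim layout the API server issues (legacy tokens carry `kubernetes.io/serviceaccount/secret.name` and no `exp`; bound tokens carry `exp`, `aud` and a `kubernetes.io` binding block), then classifies any token you hold, e.g. one pasted into a CI variable. Signature verification is deliberately not done here; the point is to find which tokens in your pipelines never expire.

```python
import base64
import json
import time
from typing import Optional


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token: real header/payload layout, dummy signature."""
    header = {"alg": "RS256", "kid": "sample-key-id"}  # assumption: key id is made up
    signature = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.{signature}"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWS compact token (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[int] = None) -> dict:
    """Report whether a service account token is a forever token or a bound, expiring one."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    bound = claims.get("kubernetes.io") or {}
    remaining = None if exp is None else exp - now
    return {
        "subject": claims.get("sub"),
        # Legacy secret-backed tokens have no exp claim at all.
        "kind": "bound" if exp is not None else "legacy-forever",
        "audience": claims.get("aud"),
        # Only legacy tokens name the Secret object that backs them.
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        # Bound tokens issued to a pod are rejected once that pod is gone.
        "bound_to_pod": (bound.get("pod") or {}).get("name"),
        "seconds_remaining": remaining,
        "expired": remaining is not None and remaining <= 0,
    }


# Constructed sample data; names, uids and timestamps are assumptions.
NOW = 1_700_000_000
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:ci:deployer",
    "kubernetes.io/serviceaccount/namespace": "ci",
    "kubernetes.io/serviceaccount/secret.name": "deployer-token-x7k2p",
    "kubernetes.io/serviceaccount/service-account.name": "deployer",
    "kubernetes.io/serviceaccount/service-account.uid": "7d3b2c7e-0000-4000-8000-000000000001",
}
BOUND_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:ci:deployer",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": NOW,
    "nbf": NOW,
    "exp": NOW + 3600,  # one-hour token, as from a projected volume with expirationSeconds: 3600
    "kubernetes.io": {
        "namespace": "ci",
        "pod": {"name": "deploy-job-abc12", "uid": "9a1f5e40-0000-4000-8000-000000000002"},
        "serviceaccount": {"name": "deployer", "uid": "7d3b2c7e-0000-4000-8000-000000000001"},
    },
}
LEGACY_TOKEN = make_unsigned_token(LEGACY_CLAIMS)
BOUND_TOKEN = make_unsigned_token(BOUND_CLAIMS)


def audit(tokens: dict, now: Optional[int] = None) -> list:
    """Names of tokens that never expire; these are the ones a departing person can keep."""
    return [name for name, tok in tokens.items() if classify_token(tok, now)["kind"] == "legacy-forever"]


if __name__ == "__main__":
    for name, tok in {"ci-legacy": LEGACY_TOKEN, "ci-bound": BOUND_TOKEN}.items():
        print(name, classify_token(tok, now=NOW))
    print("forever tokens:", audit({"ci-legacy": LEGACY_TOKEN, "ci-bound": BOUND_TOKEN}, now=NOW))
```

For a legacy token the `secret` field names the Secret that backs it; with service account token lookup enabled (the API server default), deleting that Secret invalidates the token immediately, which is the practical revocation step for the scenario in the question. A bound token needs no such step: once `exp` has passed, or the pod in `bound_to_pod` no longer exists, the API server rejects it.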
Reputation: 44657
Using a service account to interact with a Kubernetes cluster from outside the cluster using kubectl or CI/CD systems is not the best approach from a security point of view. You should rather use an authenticating proxy wherein generation and rotation of short-lived JWT tokens is delegated to an external OpenID/OAuth-compliant authorization system.
Service accounts should only be used from a pod running inside the cluster, and you can limit the authorization of the service account by RBAC Role and RoleBinding. Keep in mind that currently service account tokens are not rotated by Kubernetes.
Upvotes: 2
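To make the RBAC point concrete, here is an added example (not from the answer above or from Kubernetes) that models how a namespaced Role plus RoleBinding bound this way scopes what a service account token can do, so that even a leaked token is limited to a few verbs in one namespace. The Role, RoleBinding and service account names are constructed assumptions. The evaluator reproduces only the namespaced Role/RoleBinding part of RBAC that the answer refers to (wildcards, apiGroups, resources, verbs, resourceNames and the `system:serviceaccount:<ns>:<name>` identity); ClusterRoles, ClusterRoleBindings and subresources are left out on purpose.

```python
from typing import Optional

# Constructed manifests (as dicts) for a least-privilege deployer. Assumed names.
ROLES = [
    {
        "kind": "Role",
        "metadata": {"namespace": "ci", "name": "deployer"},
        "rules": [
            # Can read and patch Deployments in "ci" only.
            {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "patch"]},
            # Can look at Pods in "ci" to watch a rollout, nothing more.
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        ],
    }
]
ROLEBINDINGS = [
    {
        "kind": "RoleBinding",
        "metadata": {"namespace": "ci", "name": "deployer"},
        "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}],
        "roleRef": {"kind": "Role", "name": "deployer", "apiGroup": "rbac.authorization.k8s.io"},
    }
]

# The username the API server derives from a service account token's sub claim.
SA_USER = "system:serviceaccount:ci:deployer"


def subject_matches(subject: dict, user: str) -> bool:
    """Does a RoleBinding subject cover this authenticated username?"""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return user == subject["name"]
    return False  # Group subjects are not modelled in this example.


def _matches(allowed: list, value: str) -> bool:
    # RBAC lists are exact-match, with "*" as the only wildcard.
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, api_group: str, resource: str, verb: str, name: Optional[str]) -> bool:
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    # resourceNames restricts a rule to specific objects; "list" has no name, so it cannot match.
    if names and name not in names:
        return False
    return True


def is_allowed(user: str, verb: str, resource: str, namespace: str,
               api_group: str = "", name: Optional[str] = None,
               roles: list = ROLES, bindings: list = ROLEBINDINGS) -> bool:
    """RBAC is deny-by-default: any matching rule in any matching binding allows."""
    for binding in bindings:
        # A RoleBinding only grants access to objects in its own namespace.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        if binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are out of scope here.
        for role in roles:
            if role["metadata"]["namespace"] != namespace:
                continue
            if role["metadata"]["name"] != binding["roleRef"]["name"]:
                continue
            if any(rule_allows(r, api_group, resource, verb, name) for r in role["rules"]):
                return True
    return False


if __name__ == "__main__":
    checks = [
        ("patch", "deployments", "ci", "apps"),
        ("get", "secrets", "ci", ""),
        ("list", "deployments", "prod", "apps"),
        ("delete", "pods", "ci", ""),
    ]
    for verb, resource, ns, group in checks:
        print(f"{verb} {resource} in {ns}: {is_allowed(SA_USER, verb, resource, ns, group)}")
```

Against a real cluster the same questions are answered by the API server with `kubectl auth can-i get secrets -n ci --as=system:serviceaccount:ci:deployer`; the example exists to show why a token bound only through a namespaced Role cannot read Secrets in its own namespace or touch anything in another one, which is what bounds the damage while the token in the question is still valid.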