
Ability to limit serviceaccount to read only specified secrets/configmaps #378

Open
simonsystem opened this issue Dec 12, 2024 · 1 comment · May be fixed by #383

Comments


simonsystem commented Dec 12, 2024

For security reasons, we would like to restrict access for the sidecar service account so that it can get only one named secret, using the resourceNames option.

See the following role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allow-only-one-secrets
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - my-holy-secret
    verbs:
      - get

Unfortunately, the sidecar uses the list_namespaced_secret and list_namespaced_config_map functions here, so this results in a forbidden response (403) from the K8S API.

Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount:default:sidecar" cannot list resource "secrets" in API group "" in the namespace "default"

I suggest adding functionality to fetch/get only specified secrets/configmaps from the K8S API using read_namespaced_secret and read_namespaced_config_map.

An idea would be to add another environment variable, RESOURCE_NAME, holding a comma-separated list of the secrets/configmaps to be fetched.
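The following is an added example, not code from the k8s-sidecar project or from the issue author. It models the Kubernetes RBAC rule matching that produces the 403 above (a rule with resourceNames only matches requests that carry an object name, which a `list` never does), and pairs it with a fetcher that switches from listing the collection to reading named objects when a RESOURCE_NAME-style list is configured. `FakeCoreV1Api` is a stand-in that mirrors the positional signatures of the real `kubernetes.client.CoreV1Api.list_namespaced_secret(namespace)` and `read_namespaced_secret(name, namespace)` but answers from constructed in-memory data; `parse_resource_names`, `fetch_secrets`, `forbidden_reason` and the RESOURCE_NAME semantics are assumptions made for this illustration. The rule matcher is deliberately simplified (namespaced Role only, no subresources, nonResourceURLs or aggregation).

```python
"""Added example: minimal RBAC rule matching plus a list-vs-get fetcher.
Not the k8s-sidecar project's code; names below are assumptions."""
from typing import Dict, List, Optional

# Constructed sample data. ROLE_ALLOW_ONLY_ONE_SECRET is the Role from the
# issue, expressed as PolicyRule dicts with the same field names as the YAML.
ROLE_ALLOW_ONLY_ONE_SECRET = [
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["my-holy-secret"], "verbs": ["get"]},
]
# A wider Role, for contrast: list/watch on the whole collection.
ROLE_LIST_ALL_SECRETS = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
]
# Constructed "cluster" contents: two Secrets in the default namespace.
CLUSTER_SECRETS = {
    "default": {
        "my-holy-secret": {"data": {"token": "c2VjcmV0"}},           # base64("secret")
        "unrelated-secret": {"data": {"password": "aHVudGVyMg=="}},  # base64("hunter2")
    }
}
SUBJECT = "system:serviceaccount:default:sidecar"


class ApiForbidden(Exception):
    """Stand-in for the HTTP 403 ApiException the real client raises."""


def _field_matches(rule: dict, key: str, value: str) -> bool:
    allowed = rule.get(key, [])
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, api_group: str, resource: str, verb: str, name: str) -> bool:
    """RBAC semantics for one PolicyRule: apiGroups, resources and verbs must all
    match. If the rule carries resourceNames, the request must name one of them;
    a collection request (list/watch) has no object name, so a resourceNames-
    scoped rule can never satisfy it. That is the 403 seen in the issue."""
    if not (_field_matches(rule, "apiGroups", api_group)
            and _field_matches(rule, "resources", resource)
            and _field_matches(rule, "verbs", verb)):
        return False
    names = rule.get("resourceNames") or []
    return not names or (name != "" and name in names)


def authorize(rules: List[dict], api_group: str, resource: str, verb: str,
              namespace: str, name: str = "") -> None:
    """Raise ApiForbidden with a message shaped like the API server's."""
    if any(rule_allows(r, api_group, resource, verb, name) for r in rules):
        return
    obj = f'{resource} "{name}"' if name else resource
    raise ApiForbidden(f'{obj} is forbidden: User "{SUBJECT}" cannot {verb} resource '
                       f'"{resource}" in API group "{api_group}" in the namespace "{namespace}"')


class FakeCoreV1Api:
    """Mimics the two CoreV1Api methods the sidecar needs (same positional
    signatures as the real kubernetes client) against CLUSTER_SECRETS, and
    enforces the given Role instead of talking to an API server."""

    def __init__(self, rules: List[dict]):
        self.rules = rules

    def list_namespaced_secret(self, namespace: str) -> List[dict]:
        authorize(self.rules, "", "secrets", "list", namespace)
        return [dict(name=n, **body) for n, body in CLUSTER_SECRETS.get(namespace, {}).items()]

    def read_namespaced_secret(self, name: str, namespace: str) -> dict:
        authorize(self.rules, "", "secrets", "get", namespace, name)
        body = CLUSTER_SECRETS.get(namespace, {}).get(name)
        if body is None:
            raise KeyError(f'secrets "{name}" not found')
        return dict(name=name, **body)


def parse_resource_names(value: Optional[str]) -> Optional[List[str]]:
    """Hypothetical RESOURCE_NAME semantics: unset or empty keeps the current
    list behaviour (None); otherwise a cleaned comma-separated list of names."""
    if value is None:
        return None
    names = [n.strip() for n in value.split(",") if n.strip()]
    return names or None


def fetch_secrets(api: FakeCoreV1Api, namespace: str,
                  resource_names: Optional[List[str]]) -> Dict[str, dict]:
    """Without names, list the collection (needs the `list` verb). With names,
    read each object individually, which only needs `get` on those names."""
    if resource_names is None:
        return {s["name"]: s for s in api.list_namespaced_secret(namespace)}
    return {n: api.read_namespaced_secret(n, namespace) for n in resource_names}


def forbidden_reason(api: FakeCoreV1Api, namespace: str,
                     resource_names: Optional[List[str]]) -> Optional[str]:
    """Return the 403 message a fetch would produce, or None if it is allowed."""
    try:
        fetch_secrets(api, namespace, resource_names)
    except ApiForbidden as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    restricted = FakeCoreV1Api(ROLE_ALLOW_ONLY_ONE_SECRET)
    print("list  :", forbidden_reason(restricted, "default", None))
    print("get   :", fetch_secrets(restricted, "default", parse_resource_names("my-holy-secret")))
    print("other :", forbidden_reason(restricted, "default", ["unrelated-secret"]))
```

Under the restricted Role the list call fails with the same wording as the error in the issue, while reading `my-holy-secret` by name succeeds and reading any other name is refused; the wider Role makes the list succeed. The practical check before shipping such a Role is exactly this: `kubectl auth can-i get secrets/my-holy-secret --as=system:serviceaccount:default:sidecar` should say yes while `kubectl auth can-i list secrets --as=...` says no.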

simonsystem changed the title from "Ability to limit serviceaccount access to one secret only" to "Ability to limit serviceaccount to read only specified secrets/configmaps" on Dec 20, 2024

simonsystem commented Dec 20, 2024

Duplicate of #172
