Does'nt configMap referencing in POD requires ServiceAccount? - kubernetes

Curious as to how configMaps can be referenced in PODs without appropriate serviceAccount and asscoiated RBAC rules ?
Sample POD Yaml mounting configMap
- mountPath: /kubernetes-vault
name: kubernetes-vault
- emptyDir: {}
name: vault-token
- configMap:
defaultMode: 420
name: kubernetes-vault
name: kubernetes-vault
But the associated ServiceAccount and it's corresponding RBAC ( Role and RoleBinding ) does'nt have any rules specifying access rules for this configMap (kubernetes-vault)
Role & Rule for the POD
- apiGroups:
- '*'
- services
- pods
- endpoints
- get
- list
- watch
Couple of Qs
does'nt access to configMap required appropriate ServiceAccount with access rules specified specifically for configMap access ?
if yest which rule mentioned above governs configMap Access
if not , what objects are governed by RBAC rules ?

doesn't access to configMap required appropriate ServiceAccount with access rules specified specifically for configMap access ?
It will when a ServiceAccount is performing that action, yes, but volumes: are performed by a mixture of kube-apiserver, kube-controller, and the calling credential that interacts with the apiserver. By the time the Pod's volumes mount, all those security checks are a done deal -- one can verify that behavior by running any Pod and suppressing its ServiceAccount and observe that the volume mounts still take place
If one has objects which should only be accessed by a limited set of users, that should happen at the Role level to prevent the users from scheduling Pods that touch the sensitive items.
if not , what objects are governed by RBAC rules ?
As far as I know, everything is governed by RBAC rules, and even if they aren't to your satisfaction, the system offers Validating Admission Controllers which allow extremely fine-grained access rules


How can I access Microk8s in Read only mode?

I would like to read state of K8s using µK8s, but I don't want to have rights to modify anything. How to achieve this?
The following will give me full access:
microk8s.kubectl Insufficient permissions to access MicroK8s. You can either try again with sudo or add the user digital to the 'microk8s' group:
sudo usermod -a -G microk8s digital sudo chown -f -R digital ~/.kube
The new group will be available on the user's next login.
on Unix/Linux we can just set appropriate file/directory access
permission - just rx, decrease shell limits (like max memory/open
file descriptors), decrease process priority (nice -19). We are
looking for similar solution for K8S
This kind of solutions in Kubernetes are handled via RBAC (Role-based access control). RBAC prevents unauthorized users from viewing or modifying the cluster state. Because the API server exposes a REST interface, users perform actions by sending HTTP requests to the server. Users authenticate themselves by including credentials in the request (an authentication token, username and password, or a client certificate).
As for REST clients you get GET, POST, PUT,DELETE etc. These are send to specific URL paths that represents specific REST API resources (Pods, Services, Deployments and so).
RBAC auth is configured with two groups:
Roles and ClusterRoles - this specify which actions/verbs can be performed
RoleBinding and ClusterRoleBindings - this bind the above roles to a user, group or service account.
As you might already find out the ClusterRole is the one your might be looking for. This will allow to restrict specific user or group against the cluster.
In the example below we are creating ClusterRole that can only list pods. The namespace is omitted since ClusterRoles are not namepsaced.
kind: ClusterRole
name: pod-viewer
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
This permission has to be bound then via ClusterRoleBinding :
# This cluster role binding allows anyone in the "manager" group to list pods in any namespace.
kind: ClusterRoleBinding
name: list-pods-global
- kind: Group
name: manager # Name is case sensitive
kind: ClusterRole
name: pod-viewer
Because you don't have the enough permissions on your own you have to reach out to appropriate person who manage those to create user for you that has the ClusterRole: View. View role should be predefined already in cluster ( kubectl get clusterrole view)
If you wish to read more Kubernetes docs explains well its whole concept of authorization.

Minikube: Restricted PodSecurityPolicy is not restricting when trying to create a privileged container

I have enabled podsecuritypolicy in minikube. By default it has created two psp - privileged and restricted.
privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
restricted false RunAsAny MustRunAsNonRoot MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
I have also created a linux user - kubexz, for which I have created ClusterRole and RoleBinding to restrict for only managing pods on kubexz namespace, and use the restricted psp.
kind: ClusterRole
name: only-edit
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "delete", "deletecollection", "patch", "update", "get", "list", "watch"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames: ["restricted"]
verbs: ["use"]
kind: RoleBinding
name: kubexz-rolebinding
namespace: kubexz
- kind: User
name: kubexz
kind: ClusterRole
name: only-edit
I have set the kubeconfig file in my kubexz user $HOME/.kube. The RBAC is working fine - From kubexz user I am only able to create and manage pod resources in the kubexz namespace as expected.
But when I post a pod manifest with securityContext.privileged: true, the restricted podsecuritypolicy is not stopping me to create that pod. I should not be able to create a pod with privilege container. But the pod is getting created. Not sure what am I missing
apiVersion: v1
kind: Pod
name: new-pod
hostPID: true
- name: justsleep
image: alpine
command: ["/bin/sleep", "999999"]
privileged: true
I have followed PodsecurityPolicy using minikube.
This work by default only while using Minikube 1.11.1 with Kubernetes 1.16.x or higher.
Note for older versions of minikube:
Older versions of minikube do not ship with the pod-security-policy addon, so the policies that addon enables must be separately applied to the cluster
What I did:
1. Start minikube with the PodSecurityPolicy admission controller and the pod-security-policy addon enabled.
minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy
The pod-security-policy addon must be enabled along with the admission controller to prevent issues during bootstrap.
2. Create authenticated user:
In this regard, Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.
Even though normal user cannot be added via an API call, but any user that presents a valid certificate signed by the cluster’s certificate authority (CA) is considered authenticated. In this configuration, Kubernetes determines the username from the common name field in the ‘subject’ of the cert (e.g., “/CN=bob”). From there, the role based access control (RBAC) sub-system would determine whether the user is authorized to perform a specific operation on a resource.
Here you can find example how you can properly prepare X509 Client Certs and configure KubeConfig file accordingly.
The most important part is to define properly the common name (CN) and the organization field (O):
openssl req -new -key DevUser.key -out DevUser.csr -subj "/CN=DevUser/O=development"
The common name (CN) of the subject will be used as username for authentication request. The organization field (O) will be used to indicate group membership of the user.
Finally I have created your configuration based on standard minikube setup and can't recreate your issue either due to hostPID: true or securityContext.privileged: true
To consider:
a). Verify if your client certificate for authentication and kubeconfig file were created/setup properly especially common name (CN) and organization field (O).
b). Make sure you are switching between proper context while performing requests on behalf of different users.
f.e. kubectl get pods --context=NewUser-context

Automatically create Kubernetes resources after namespace creation

I have 2 teams:
devs: they create a new Kubernetes namespace each time they deploy a branch/tag of their app
ops: they manage access control to the cluster with (cluster)roles and (cluster)rolebindings
The problem is that 'devs' cannot kubectl their namespaces until 'ops' have created RBAC resources. And 'devs' cannot create RBAC resources themselves as they don't have the list of subjects to put in the rolebinding resource (sharing the list is not an option).
I have read the official documentation about Admission webhooks but what I understood is that they only act on the resource that triggered the webhook.
Is there a native and/or simple way in Kubernetes to apply resources whenever a new namespace is created?
I've come up with a solution by writing a custom controller.
With the following custom resource deployed, the controller injects the role and rolebinding in namespaces matching dev-.* and fix-.*:
kind: NamespaceResourcesInjector
name: nri-test
- dev-.*
- fix-.*
- |
kind: Role
name: dev-role
- apiGroups: [""]
resources: ["pods","pods/portforward", "services", "deployments", "ingresses"]
verbs: ["list", "get"]
- apiGroups: [""]
resources: ["pods/portforward"]
verbs: ["create"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["list", "get"]
- |
kind: RoleBinding
name: dev-rolebinding
- kind: User
name: dev
kind: Role
name: dev-role
The controller is still in early stages of development but I'm using it successfully in more and more clusters.
Here it is for those interested:
Yes, there is a native way but not an out of the box feature.
You can do what you have described by using/creating an operator. Essentially extending Kubernetes APIs for your need.
As operator is just an open pattern which can implement things in many ways, in the scenario you gave one way the control flow could look like could be:
Operator with privileges to create RBAC is deployed and subscribed to changes to a k8s namespace object kind
Devs create namespace containing an agreed label
Operator is notified about changes to the cluster
Operator checks namespace validation (this can also be done by a separate admission webhook)
Operator creates RBAC in the newly created namespace
If RBACs are cluster wide, same operator can do the RBAC cleanup once namespace is deleted
It's kind of related to how the user is authenticated to the cluster and how they get a kubeconfig file.You can put a group in the client certificate or the bearer token that kubectl uses from the kubeconfig. Ahead of time you can define a clusterrole having a clusterrolebinding to that group which gives them permission to certain verbs on certain resources(for example ability to create namespace)
Additionally you can use an admission webhook to validate if the user is supposed to be part of that group or not.

How to mount same volume on to all pods in a kubernetes namespace

We have a namespace in kubernetes where I would like some secrets (files like jks,properties,ts,etc.) to be made available to all the containers in all the pods (we have one JVM per container & one container per pod kind of Deployment).
I have created secrets using kustomization and plan to use it as a volume for spec of each Deployment & then volumeMount it for the container of this Deployment. I would like to have this volume to be mounted on each of the containers deployed in our namespace.
I want to know if kustomize (or anything else) can help me to mount this volume on all the deployments in this namespace?
I have tried the following patchesStrategicMerge
apiVersion: apps/v1
kind: Deployment
namespace: myNamespace
- name: pull-secret
- volumeMounts:
- name: secret-files
mountPath: "/secrets"
readOnly: true
- name: secret-files
secretName: mySecrets
- key: key1
path: ...somePath
- key: key2
path: ...somePath
It requires name in metadata section which does not help me as all my Deployments have different names.
Inject Information into Pods Using a PodPreset
You can use a PodPreset object to inject information like secrets, volume mounts, and environment variables etc into pods at creation time.
Update: Feb 2021. The PodPreset feature only made it to alpha. It was removed in v1.20 of kubernetes. See release note
The v1alpha1 PodPreset API and admission plugin has been removed with
no built-in replacement. Admission webhooks can be used to modify pods
on creation. (#94090, #deads2k) [SIG API Machinery, Apps, CLI, Cloud
Provider, Scalability and Testing]
PodPresent ( is one way to do this but for this all pods in your namespace should match the label you specify in PodPresent spec.
Another way (which is most popular) is to use Dynamic Admission Control ( and write a Mutating webhook in your cluster which will edit your pod spec and add all the secrets you want to mount. Using this you can also make other changes in your pod spec like mounting volumes, adding label and many more.
Standalone kustomize support a patch to many resources. Here is an example Patching multiple resources at once. the built-in kustomize in kubectl doesn't support this feature.
To mount secret as volume you need to update yaml construct for your pod/deployment manifest files and rebuild them.
apiVersion: v1
kind: Pod
name: my-pod
- name: my-container
image: nginx
- name: my-secret-volume
mountPath: /etc/secretpath
- name: my-secret-volume
secretName: my-secret
kustomize (or anything else) will not mount it for you.

How to secure kubernetes secrets?

I am trying to avoid kubernetes secrets view-able by any user.
I tried sealed secrets, but that is just hiding secrets to be stored in version control.
As soon as I apply that secret, I can see the secret using the below command.
kubectl get secret mysecret -o yaml
This above command is still showing base64 encoded form of secret.
How do I avoid someone seeing the secret ( even in base64 format) with the above simple command.
You can use Hashicrop Vault or kubernetes-external-secrets (
Or if you just want to restrict only, then you should create a read-only user and restrict the access for the secret for the read-only user using role & role binding.
Then if anyone tries to describe secret then it will throw access denied error.
Sample code:
kind: Role
name: test-secrets
namespace: default
- apiGroups:
- ""
- pods
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
- pods/exec
- create
kind: RoleBinding
name: test-secrets
namespace: default
kind: Role
name: test-secrets
- apiGroup:
kind: User
name: demo
The above role has no access to secrets. Hence the demo user gets access denied.
There is no way to accomplish this with Kubernetes internal tools. You will always have to rely on a third-party tool.
Hashicorps Vault is one very often used solution, which is very powerful and supports some very nice features, like Dynamic Secrets or Envelope Encryption. But it can also get very complex in terms of configuration. So you need to decide for yourself what kind of solution you need.
I would recommend you using Sealed-Secrets. It encrypts your secrets and you can push the encrypted secrets safely in your repository. It has not such a big feature list, but it does exactly what you described.
You can Inject Hashicrop Vault secrets into Kubernetes pods via Init containers and keep them up to date with a sidecar container.
More details here