I'm trying to figure out how to control access for pods that authenticate with service accounts (SAs). Specifically, how can I ensure that workload pods don't have access to a service account with elevated permissions, like one used by a CI pod? Is this something I need to manage at the operator level, or do service accounts inherently provide protection against an application being compromised? For instance, if an attacker gains access to a lower-permissioned pod's credentials, they could potentially reach the API server, but those credentials don't allow any write access. Any insights would be appreciated!
1 Answer
Service accounts alone don't do much; they need RBAC permissions attached. It's best to keep privileged service accounts in their own namespace, away from shared environments. Also, limit who can create service accounts and set up RBAC roles properly. If you want more control over which service account a pod can use, tools like Gatekeeper can help with that by setting constraints.

Totally get that! It's like we need to enforce some rules at the control-plane level. If you allow users to create deployments, then implement validating policies to restrict which service accounts they can use.
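The Gatekeeper approach mentioned in the answer (and the validating policy suggested in the comment), as an added example that is not from the original thread: a ConstraintTemplate whose Rego rejects any Pod in a namespace whose `serviceAccountName` is not on an allow-list, plus a Constraint applying it. The namespace `workloads` and the service account names `app-reader` and `default` are constructed assumptions; a privileged CI service account living in another namespace is simply absent from the list, so no pod in `workloads` can bind to it.

```yaml
# Added example (not the answerer's code). Assumes Gatekeeper is installed.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedserviceaccounts
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedServiceAccounts
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowed:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedserviceaccounts

        # A Pod that omits serviceAccountName gets "default", so treat it that way.
        violation[{"msg": msg}] {
          sa := object.get(input.review.object.spec, "serviceAccountName", "default")
          not allowed_sa[sa]
          msg := sprintf("pod %v may not use service account %q; allowed: %v",
                         [input.review.object.metadata.name, sa, input.parameters.allowed])
        }

        # Set of service account names passed in via the Constraint's parameters.
        allowed_sa[sa] { sa := input.parameters.allowed[_] }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedServiceAccounts
metadata:
  name: workload-pods-sa-allowlist
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["workloads"]   # constructed namespace for ordinary workloads
  parameters:
    allowed: ["app-reader", "default"]   # constructed low-privilege SA names
```

Because the match is on Pods, it also covers pods created indirectly by Deployments or Jobs, since those are still admitted through the API server. Pair it with RBAC that stops the same users from creating or binding service accounts in the namespace, so the allow-list cannot be widened from inside it.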