Granting a Kubernetes Service Account permissions for Secrets?

Question

I have a Service Account which I\'d like to grant permissions to read/write/update/delete Secrets within a specific namespace. I\'m not clear about how exactly Service Accounts,

Answer 1

So you have your SA testaccount. Let's assume your app (the one that manipulates the secrets) has a container image myorg/myapp:01. You'd launch it then as follows:

$ kubectl -n test run myapp \
    --image=myorg/myapp:01 \
    --serviceaccount=testaccount

But what about the permissions? Well, doesn't really matter if you do this before or after the app has launched, but at some point in time, do:

$ kubectl create clusterrole secretmanipulator \
    --verb=get --verb=list --verb=watch \
    --verb=create --verb=update --verb=patch --verb=delete \
    --resource=secrets 

$ kubectl -n test create rolebinding allowsecretmanipulation \
    --clusterrole=secretmanipulator \
    --serviceaccount=test:testaccount 

Note that I created a cluster role above and used a role binding then to attach it to your SA. Why? It's more reusable like that. Of course a simple role would also work here but then you'd need to re-create it for every namespace.