
# Upload a Vault policy named "webapp". The trailing "-" tells the CLI to read
# the policy HCL from stdin, which the heredoc supplies. The policy grants a
# single capability ("read") on a single KV path and nothing else.
/ $ vault policy write webapp - << EOF
> path "secret/data/webapp/config" {
> capabilities = ["read"]
> }
> EOF
>>Success! Uploaded policy: webapp
# Mint a token bound to that policy with a 744h (31 day) TTL. The token is
# printed to the terminal (shown truncated with "..." here); treat it as a
# secret and never paste a live one into a shared gist.
# NOTE(review): nothing below shows this token being used -- the "kv get" that
# follows runs under whatever token the shell is already authenticated with.
# To actually exercise the policy, authenticate with the new token first
# (e.g. export VAULT_TOKEN=<token>) and then run the read.
/ $ vault token create -policy=webapp -ttl=744h
>>Key Value
>>--- -----
>>token hvs.CAESIHOD5eMOX3BG850WnddTyDkkF...MdzQzOE1wd0ZMTXY4OGhuOXU
# Read the secret. The CLI path "secret/webapp/config" resolves to the API
# path "secret/data/webapp/config" (see "Secret Path" in the output) -- the
# policy above must name the API path, not the CLI path.
/ $ vault kv get secret/webapp/config
>>====== Secret Path ======
>>secret/data/webapp/config
>>======= Metadata =======
>>Key Value
>>...
>>====== Data ======
>>Key Value
>>--- -----
# The demo password is displayed in clear text. The same value later appears
# in /etc/sensitive/password inside the demo pod; how it gets there (agent
# injection vs. a Kubernetes Secret) is not shown in this excerpt.
>>password Losungwort
# Point kubectl at the cluster that hosts Vault.
kubectl config use-context vaultcluster
>>Switched to context "vaultcluster".
# Three Vault server pods (vault-0..vault-2) and the agent injector are running
# in the current namespace.
kubectl get pods
>>NAME READY STATUS RESTARTS AGE
>>vault-0 1/1 Running 0 1h
>>vault-1 1/1 Running 0 1h
>>vault-2 1/1 Running 0 1h
>>vault-agent-injector-5d85ff9d44-kwhc8 1/1 Running 0 1h
# Open an interactive shell inside vault-0 (the long form of "kubectl exec -it")
# and log in to Vault from there.
# NOTE(review): "vault login" with no arguments prompts for a token; by default
# the CLI caches the resulting token in the container's ~/.vault-token for the
# life of the pod -- confirm for this image. Fine for a playground; on a real
# cluster prefer logging in from a workstation with a short-lived token.
kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
>>/ $ vault login
# Shell into the pod that runs under the "non-privileged-sa" service account.
# Note the prompt: the container runs as root and the image ships kubectl, so
# anyone who gets code execution in it has a ready-made API client. A non-root
# user and no cluster tooling in the image would shrink that foothold.
kubectl exec -it -n playground demo-non-privileged-dp-65f45f4fcd-g7r48 -- /bin/bash
# Listing Secrets is denied: the API server reports that
# system:serviceaccount:playground:non-privileged-sa has no "list" on
# "secrets" in namespace "playground". This is consistent with the Role
# fragment further down, whose only rule names "secrets" with verbs [""] --
# an empty verb string, which appears to grant no usable verb at all.
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# kubectl get secrets
>>Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount:playground:non-privileged-sa" cannot list resource "secrets" in API group "" in the namespace "playground"
# Listing Pods, by contrast, succeeds, so the service account does hold some
# grant on pods; the Role/RoleBinding that provides it is not in this excerpt.
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# kubectl get pods
>>NAME READY STATUS RESTARTS AGE
>>demo-dp-7756f78b4c-4zfpr 1/1 Running 0 4m38s
>>demo-non-privileged-dp-65f45f4fcd-g7r48 1/1 Running 0 3m17s
# Leave the container shell (bash prints "exit" when an interactive shell ends).
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# exit
>>exit
resource "kubernetes_role" "non_privileged" {
metadata {
name = "non-privileged-cr"
namespace = kubernetes_namespace.playground.id
}
rule {
api_groups = [""]
resources = ["secrets"]
verbs = [""]
# Apply without the interactive plan confirmation. Acceptable for a throwaway
# playground; for anything shared, review the "terraform plan" output first so
# an unintended RBAC change cannot slip through unseen.
terraform apply --auto-approve
>>Terraform will perform the following actions:
>>...
>>Plan: 2 to add, 0 to change, 0 to destroy.
>>...
# Only the deployment's progress lines survive the truncation; the second
# resource in the plan is not visible here.
>>kubernetes_deployment.demo-non-privileged: Creating...
>>kubernetes_deployment.demo-non-privileged: Still creating... [10s elapsed]
>>kubernetes_deployment.demo-non-privileged: Still creating... [20s elapsed]
>>...
resource "kubernetes_deployment" "demo-non-privileged" {
metadata {
name = "demo-non-privileged-dp"
namespace = kubernetes_namespace.playground.id
}
spec {
replicas = 1
selector {
match_labels = {
app = "demo-non-privileged-lb"
resource "kubernetes_service_account" "non_privileged" {
metadata {
name = "non-privileged-sa"
namespace = kubernetes_namespace.playground.id
annotations = {
"kubernetes.io/enforce-mountable-secrets" = true
}
}
#secret {
#}
# Shell into the demo pod, which (per the Forbidden message below) runs under
# the "secret-privileged-sa" service account.
kubectl exec -it -n playground demo-dp-7756f78b4c-5glk8 -- /bin/bash
# A volume is mounted at /etc/sensitive with one file per key.
>>root@demo-dp-7756f78b4c-5glk8:/# ls /etc/sensitive/
>>password username
# The trailing "; echo" only adds a newline after the value, presumably because
# the mounted file has no trailing newline of its own.
>>root@demo-dp-7756f78b4c-5glk8:/# cat /etc/sensitive/username ; echo
>>Nutzername
>>root@demo-dp-7756f78b4c-5glk8:/# cat /etc/sensitive/password ; echo
>>Losungwort
# Key point: the pod just read both values from the filesystem, yet the same
# service account is denied "get" on Secret "top-secret-ks" through the API.
# A volume mount is materialised by the kubelet, not checked against the pod's
# own RBAC, so denying API access does not protect data that is already
# mounted into the container -- confirm this is the intended demonstration.
# Whether /etc/sensitive is actually backed by top-secret-ks is not shown here.
# NOTE(review): the "kubernetes.io/enforce-mountable-secrets" annotation in the
# service-account fragment below is set on non-privileged-sa, not on
# secret-privileged-sa, so it places no constraint on this pod.
>>root@demo-dp-7756f78b4c-5glk8:/# kubectl get secret top-secret-ks -n playground
>>Error from server (Forbidden): secrets "top-secret-ks" is forbidden: User "system:serviceaccount:playground:secret-privileged-sa" cannot get resource "secrets" in API group "" in the namespace "playground"
>>root@demo-dp-7756f78b4c-5glk8:/# exit
resource "kubernetes_deployment" "demo" {
metadata {
name = "demo-dp"
namespace = kubernetes_namespace.playground.id
}
spec {
replicas = 1
selector {
match_labels = {
app = "demo-lb"