/ $ vault policy write webapp - << EOF
> path "secret/data/webapp/config" {
>   capabilities = ["read"]
> }
> EOF
>>Success! Uploaded policy: webapp
/ $ vault token create -policy=webapp -ttl=744h
>>Key     Value
>>---     -----
>>token   hvs.CAESIHOD5eMOX3BG850WnddTyDkkF...MdzQzOE1wd0ZMTXY4OGhuOXU
/ $ vault kv get secret/webapp/config
>>====== Secret Path ======
>>secret/data/webapp/config
>>======= Metadata =======
>>Key    Value
>>...
>>====== Data ======
>>Key         Value
>>---         -----
>>password    Losungwort
kubectl config use-context vaultcluster
>>Switched to context "vaultcluster".
kubectl get pods
>>NAME                                    READY   STATUS    RESTARTS   AGE
>>vault-0                                 1/1     Running   0          1h
>>vault-1                                 1/1     Running   0          1h
>>vault-2                                 1/1     Running   0          1h
>>vault-agent-injector-5d85ff9d44-kwhc8   1/1     Running   0          1h
kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
>>/ $ vault login
kubectl exec -it -n playground demo-non-privileged-dp-65f45f4fcd-g7r48 -- /bin/bash
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# kubectl get secrets
>>Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount:playground:non-privileged-sa" cannot list resource "secrets" in API group "" in the namespace "playground"
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# kubectl get pods
>>NAME                                      READY   STATUS    RESTARTS   AGE
>>demo-dp-7756f78b4c-4zfpr                  1/1     Running   0          4m38s
>>demo-non-privileged-dp-65f45f4fcd-g7r48   1/1     Running   0          3m17s
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# exit
>>exit
resource "kubernetes_role" "non_privileged" {
  metadata {
    name      = "non-privileged-cr"
    namespace = kubernetes_namespace.playground.id
  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = [""]   # no real verb granted, so secrets stay inaccessible to this role
  }
}
terraform apply --auto-approve
>>Terraform will perform the following actions:
>>...
>>Plan: 2 to add, 0 to change, 0 to destroy.
>>...
>>kubernetes_deployment.demo-non-privileged: Creating...
>>kubernetes_deployment.demo-non-privileged: Still creating... [10s elapsed]
>>kubernetes_deployment.demo-non-privileged: Still creating... [20s elapsed]
>>...
resource "kubernetes_deployment" "demo-non-privileged" {
  metadata {
    name      = "demo-non-privileged-dp"
    namespace = kubernetes_namespace.playground.id
  }
  spec {
    replicas = 1
    selector {
      match_labels = {
        app = "demo-non-privileged-lb"
resource "kubernetes_service_account" "non_privileged" {
  metadata {
    name      = "non-privileged-sa"
    namespace = kubernetes_namespace.playground.id
    annotations = {
      # annotation values are strings; with no secret block below, nothing is mountable
      "kubernetes.io/enforce-mountable-secrets" = "true"
    }
  }
  #secret {
  #}
}
kubectl exec -it -n playground demo-dp-7756f78b4c-5glk8 -- /bin/bash
>>root@demo-dp-7756f78b4c-5glk8:/# ls /etc/sensitive/
>>password  username
>>root@demo-dp-7756f78b4c-5glk8:/# cat /etc/sensitive/username ; echo
>>Nutzername
>>root@demo-dp-7756f78b4c-5glk8:/# cat /etc/sensitive/password ; echo
>>Losungwort
>>root@demo-dp-7756f78b4c-5glk8:/# kubectl get secret top-secret-ks -n playground
>>Error from server (Forbidden): secrets "top-secret-ks" is forbidden: User "system:serviceaccount:playground:secret-privileged-sa" cannot get resource "secrets" in API group "" in the namespace "playground"
>>root@demo-dp-7756f78b4c-5glk8:/# exit
resource "kubernetes_deployment" "demo" {
  metadata {
    name      = "demo-dp"
    namespace = kubernetes_namespace.playground.id
  }
  spec {
    replicas = 1
    selector {
      match_labels = {
        app = "demo-lb"