Challenge, Easy,  on  Kubernetes

Grant a ServiceAccount Access to a Specific Secret Using RBAC

Scenario

All resources should be created in the finance namespace.

Create a Secret named api-key-v2 with key api-key and value payment-gateway-prod-key-12345. Then create a ServiceAccount named specific-secret-reader-sa.

Create a Role named single-secret-getter-role granting only the get verb on secrets, restricted to api-key-v2 via resourceNames. Bind it to the ServiceAccount using a RoleBinding named single-secret-getter-binding.

#This should return `yes`.
kubectl auth can-i get secret/api-key-v2 -n finance \
  --as=system:serviceaccount:finance:specific-secret-reader-sa

#This should return `no`.
kubectl auth can-i get secret/other-secret -n finance \
  --as=system:serviceaccount:finance:specific-secret-reader-sa
Hint 1

Use kubectl create role -h and kubectl create rolebinding -h to see available flags for creating a Role with specific verbs, resources, and resourceNames, then binding it to a ServiceAccount. See the official docs: Using RBAC Authorization

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge restrict-service-account-access-to-a-specific-secret-using-rbac-86ce814f

This will create a local copy of the challenge content in a directory named restrict-service-account-access-to-a-specific-secret-using-rbac-86ce814f. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge restrict-service-account-access-to-a-specific-secret-using-rbac-86ce814f

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge