
Linking ServiceAccounts to Persistent Volume Claims for Access Control

Introduction

In this guide, we will use Pulumi to create a Kubernetes ServiceAccount, a Persistent Volume Claim (PVC), and a Role and RoleBinding that grant that ServiceAccount read access to PVC objects through the API, then deploy a Pod that runs as the ServiceAccount and mounts the PVC. One caveat up front: Kubernetes RBAC authorizes API requests, so the Role decides which identities can read (or, with more verbs, create and delete) PVC objects; it does not decide which Pods may mount a PVC. Any Pod in the same namespace can reference the claim, whatever ServiceAccount it runs as. Restricting mounts to particular ServiceAccounts needs an admission policy; what RBAC and PVCs share is the namespace boundary.

Step-by-Step Explanation

Step 1: Create a ServiceAccount

First, we create a ServiceAccount in the desired namespace. The Pod in Step 4 runs as this identity, and the RoleBinding in Step 3 grants it permissions.

Step 2: Create a Persistent Volume Claim

Next, we create a Persistent Volume Claim (PVC) in the same namespace. A Pod can only mount claims from its own namespace, so the namespace is the first access boundary.

Step 3: Create a Role and RoleBinding

To let the ServiceAccount read PVC objects through the API, we create a Role that allows get, list and watch on persistentvolumeclaims, and a RoleBinding that binds the Role to the ServiceAccount. Both are namespaced, so the grant covers PVCs in that namespace only. The verb list deliberately omits create, update and delete, so the ServiceAccount can inspect claims but not alter or remove them.

Step 4: Deploy a Pod using the ServiceAccount and PVC

Finally, we deploy a Pod that runs as the ServiceAccount and mounts the PVC. The kubelet attaches the volume using the node's credentials, so the mount succeeds regardless of what the Role grants; the RoleBinding only matters if a process inside the Pod uses its ServiceAccount token to talk to the API about PVCs.

Conclusion

By following these steps, you can grant a ServiceAccount scoped, read-only API access to the PVCs in its namespace using Pulumi. Be clear about what this does and does not protect: the Role limits which identities can inspect (or, if you widen the verbs, change) PVC objects, while isolation of the data itself comes from the namespace boundary, since claims cannot be mounted across namespaces, and, where you need to limit mounting to particular ServiceAccounts, from an admission policy that inspects Pod specs before they are admitted.

Full Code Example

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Step 1: Create a ServiceAccount
// No metadata.name is set, so Pulumi auto-names the object ("my-serviceaccount-<suffix>");
// later resources reference sa.metadata.name instead of a hard-coded string.
const sa = new k8s.core.v1.ServiceAccount("my-serviceaccount", {
    metadata: {
        namespace: "default",
    },
});

// Step 2: Create a Persistent Volume Claim
// Must live in the same namespace as the Pod that mounts it.
const pvc = new k8s.core.v1.PersistentVolumeClaim("my-pvc", {
    metadata: {
        namespace: "default",
    },
    spec: {
        accessModes: ["ReadWriteOnce"],
        resources: {
            requests: {
                storage: "1Gi",
            },
        },
    },
});

// Step 3: Create a Role and RoleBinding
// Read-only API access to PVC objects in this namespace. This governs requests made
// with the ServiceAccount's token; it has no effect on which Pods can mount the PVC.
const role = new k8s.rbac.v1.Role("pvc-access-role", {
    metadata: {
        namespace: "default",
    },
    rules: [{
        apiGroups: [""],
        resources: ["persistentvolumeclaims"],
        verbs: ["get", "list", "watch"],
    }],
});

// Bind the Role to the ServiceAccount. A RoleBinding is namespaced, so the grant
// cannot reach PVCs in other namespaces.
const roleBinding = new k8s.rbac.v1.RoleBinding("pvc-access-rolebinding", {
    metadata: {
        namespace: "default",
    },
    subjects: [{
        kind: "ServiceAccount",
        name: sa.metadata.name,
        namespace: sa.metadata.namespace,
    }],
    roleRef: {
        kind: "Role",
        name: role.metadata.name,
        apiGroup: "rbac.authorization.k8s.io",
    },
});

// Step 4: Deploy a Pod using the ServiceAccount and PVC
// The Pod runs as the ServiceAccount and mounts the PVC. The kubelet attaches the
// volume, so this mount does not depend on the Role above.
const pod = new k8s.core.v1.Pod("my-pod", {
    metadata: {
        namespace: "default",
    },
    spec: {
        serviceAccountName: sa.metadata.name,
        containers: [{
            name: "my-container",
            image: "nginx",
            volumeMounts: [{
                mountPath: "/mnt/data",
                name: "mypvc",
            }],
        }],
        volumes: [{
            name: "mypvc",
            persistentVolumeClaim: {
                claimName: pvc.metadata.name,
            },
        }],
    },
});
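The following TypeScript is an added example, not code from the Pulumi page or the Pulumi project, and it needs no cluster to run. It makes the distinction drawn in Steps 3 and 4 concrete with two checks. `rbacAllows` evaluates a single API request against the Role above the way the RBAC authorizer does (any rule matching verb, API group and resource allows it), which shows that the Role grants `get` on PVC objects and nothing else. `checkPodPvcMounts` is the check an admission policy would have to perform to actually restrict which ServiceAccounts may mount a claim; RBAC cannot express it. The allowlist shape, the helper names and the sample Pods are this example's own assumptions, and the object names are fixed here for readability (in the Pulumi program they carry an auto-generated suffix).

```typescript
// Subset of the Kubernetes API shapes that these checks need.
interface PolicyRule {
  apiGroups: string[];
  resources: string[];
  verbs: string[];
}
interface Role {
  rules: PolicyRule[];
}
interface Pod {
  metadata: { namespace: string; name: string };
  spec: {
    serviceAccountName?: string;
    volumes?: { name: string; persistentVolumeClaim?: { claimName: string } }[];
  };
}
// Allowlist keyed by "namespace/claimName" -> ServiceAccounts permitted to mount it.
// This shape is an assumption of this example, not a Kubernetes object.
type MountAllowlist = Record<string, string[]>;

function ruleMatches(list: string[], value: string): boolean {
  return list.includes("*") || list.includes(value);
}

// Evaluates one API request against a Role the way the RBAC authorizer does:
// the request is allowed if any rule matches verb, API group and resource.
function rbacAllows(role: Role, verb: string, apiGroup: string, resource: string): boolean {
  return role.rules.some(
    (r) => ruleMatches(r.verbs, verb) && ruleMatches(r.apiGroups, apiGroup) && ruleMatches(r.resources, resource),
  );
}

// The check an admission policy would need: for every PVC the Pod references,
// the Pod's ServiceAccount must be on that claim's allowlist. Claims absent from
// the allowlist are left ungoverned so unrelated workloads keep working.
function checkPodPvcMounts(pod: Pod, allow: MountAllowlist): string[] {
  const sa = pod.spec.serviceAccountName ?? "default"; // Kubernetes default when unset
  const denials: string[] = [];
  for (const v of pod.spec.volumes ?? []) {
    if (!v.persistentVolumeClaim) continue;
    const key = `${pod.metadata.namespace}/${v.persistentVolumeClaim.claimName}`;
    const allowed = allow[key];
    if (allowed !== undefined && !allowed.includes(sa)) {
      denials.push(`volume "${v.name}": ServiceAccount "${sa}" may not mount PVC ${key}`);
    }
  }
  return denials;
}

// Constructed sample data mirroring the manifests above.
const pvcAccessRole: Role = {
  rules: [{ apiGroups: [""], resources: ["persistentvolumeclaims"], verbs: ["get", "list", "watch"] }],
};
const mountAllowlist: MountAllowlist = { "default/my-pvc": ["my-serviceaccount"] };

const intendedPod: Pod = {
  metadata: { namespace: "default", name: "my-pod" },
  spec: {
    serviceAccountName: "my-serviceaccount",
    volumes: [{ name: "mypvc", persistentVolumeClaim: { claimName: "my-pvc" } }],
  },
};
// Same namespace, default ServiceAccount, same claim: the Role says nothing about
// this Pod, and the kubelet would mount the volume. Only an admission check refuses it.
const otherPod: Pod = {
  metadata: { namespace: "default", name: "other-pod" },
  spec: {
    volumes: [{ name: "data", persistentVolumeClaim: { claimName: "my-pvc" } }],
  },
};

function demo(): { apiRead: boolean; apiDelete: boolean; intended: string[]; other: string[] } {
  return {
    apiRead: rbacAllows(pvcAccessRole, "get", "", "persistentvolumeclaims"),     // true
    apiDelete: rbacAllows(pvcAccessRole, "delete", "", "persistentvolumeclaims"), // false
    intended: checkPodPvcMounts(intendedPod, mountAllowlist),                     // []
    other: checkPodPvcMounts(otherPod, mountAllowlist),                            // one denial
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On a live cluster the API side of this is checked with `kubectl auth can-i get persistentvolumeclaims -n default --as=system:serviceaccount:default:<sa-name>`, substituting the generated ServiceAccount name; the same command with `delete` should answer `no`. The mount side has no equivalent `kubectl` check, which is the point: to enforce the allowlist you would run logic like `checkPodPvcMounts` in a validating admission webhook or a policy engine, keyed on the namespace and claim name.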
