
I'm creating a Kubernetes deployment that needs to pull an image from a private registry.

The private registry requires credentials to authenticate to be able to pull an image, so I've added an imagePullSecret to the default service account in my namespace.

Is it a security issue to give the default service account in my namespace an imagePullSecret so that the pods can pull images from my private registry?

I am unsure of what questions I need to be asking myself to determine if there are any security issues. The official documentation shows an example of how to add an imagePullSecret to the default service account.

I've thought of two alternative ways to achieve what I want, but I am unsure if these are any safer:

  1. Creating a new service account and adding an imagePullSecret
  2. Declaring the imagePullSecret in the actual pods’ spec of the deployment.

1 Answer


The main argument against using the default service account, as against a specific one, is that every pod in that namespace will get access to the secret by default, as the default service account is applied to each pod.

Whether that's really an issue depends on what other workloads there are in the namespace.

I'd say that from a best practice perspective, you'd be better off creating a specific service account for this deployment and providing the imagePullSecret to that account; that way you are less at risk of inadvertent access.

Rory McCune
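The dedicated-service-account approach recommended in the answer (the asker's alternative 1), written out as an added example that is not part of the original question or answer. The namespace `my-app`, the names `private-registry-creds`, `my-app-puller` and `my-app`, and the image reference are all assumed placeholders; the secret's base64 payload is left as a placeholder rather than a real credential.

```yaml
# Registry credential, scoped to the namespace. Create it with
#   kubectl create secret docker-registry private-registry-creds \
#     --docker-server=registry.example.com --docker-username=... \
#     --docker-password=... -n my-app
# or declare it as below (the data value is a placeholder, not a real credential).
apiVersion: v1
kind: Secret
metadata:
  name: private-registry-creds
  namespace: my-app                      # assumed namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <BASE64_DOCKER_CONFIG_JSON_PLACEHOLDER>
---
# Dedicated service account for this workload only. Attaching the pull
# secret here, instead of to the "default" service account, means pods that
# do not opt into this account get no pull secret by default.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-puller                    # assumed name
  namespace: my-app
imagePullSecrets:
  - name: private-registry-creds
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app                           # assumed name
  namespace: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      # The pod inherits imagePullSecrets from this account; no pull
      # secret needs to appear in the pod spec itself.
      serviceAccountName: my-app-puller
      containers:
        - name: app
          image: registry.example.com/team/my-app:1.0.0   # assumed private image
```

The asker's alternative 2 is the same manifest with `imagePullSecrets: [{name: private-registry-creds}]` placed directly under `spec.template.spec` and no `serviceAccountName`; the kubelet merges pod-level and service-account-level pull secrets, so either form works for pulling. To audit which service accounts in a namespace currently carry pull secrets (and confirm `default` is not one of them), `kubectl get serviceaccounts -n my-app -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.imagePullSecrets[*].name}{"\n"}{end}'` lists each account with its attached secret names. One caveat: a dedicated service account changes only what pods receive by default. Any principal allowed to create pods in the namespace can still name the secret explicitly in a pod spec, so the real boundary for the credential is the namespace and the RBAC on `secrets` and `pods` within it.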