Restricting K8s auth to Service Account only

Hi everyone,

We are using K8s auth to access secrets using an ACL template path. This works great, and we use custom metadata with aliases to configure access to secret paths that don't follow the namespace/serviceAccount convention.

However, there is a security concern. For example: a cluster admin can extract an SA token, authenticate to Vault and access secrets.

Is there a way to deny auth from outside of the cluster?


In general, if a service or person can get hold of a token, they can access whatever that token has been granted access to.

From Vault's perspective, it isn't able to detect any difference between a person and a service. The main mitigation is to tightly control who has admin access to the cluster and restrict it to the minimum number possible.

Is there a possibility to restrict auth by passing custom headers with an additional token, or by IP whitelisting? I am just looking for ways to harden the login mechanism.

As a cluster admin myself, I should not be able to do this outside of the cluster, as the SA will be dealing with end-user secrets in a large-scale DevOps automation scenario.

So the idea is to restrict as much as possible for human users, that's all. Do you recommend any approaches to get closer to that?
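The two knobs the Kubernetes auth role already exposes for the "IP whitelisting" idea raised above are `token_bound_cidrs` and `audience`. The following Terraform fragment is an added example, not code from the thread or from HashiCorp; the backend path, role name, namespace, service account name, policy name, CIDR and audience value are all assumptions for illustration.

```hcl
# Added example: a Vault Kubernetes auth role that limits where an extracted
# service-account token can be turned into a usable Vault token.
# Backend path, role name, SA, namespace, CIDR, audience and policy are
# assumed values, not taken from the thread.

resource "vault_kubernetes_auth_backend_role" "automation" {
  backend   = "kubernetes"
  role_name = "automation"

  # Only this service account in this namespace may log in with this role.
  bound_service_account_names      = ["automation-sa"]
  bound_service_account_namespaces = ["automation"]

  # Require a projected token minted with this audience. The legacy token
  # mounted at /var/run/secrets/kubernetes.io/serviceaccount carries the
  # API-server audience and is rejected by the TokenReview Vault performs,
  # so pods must mount a projected token (audience: vault, short
  # expirationSeconds) instead of a long-lived secret-backed token.
  audience = "vault"

  # Logins are only accepted from these source addresses as seen by Vault,
  # and the issued token is tied to them too. Someone who copies the SA
  # token to a workstation outside the pod network cannot log in with it.
  token_bound_cidrs = ["10.244.0.0/16"]

  # Short-lived, single-policy tokens shrink the window if one does leak.
  token_ttl      = 600
  token_max_ttl  = 1800
  token_policies = ["automation"]
}
```

Two caveats apply. First, the CIDR check uses the client address Vault itself sees: if logins arrive through a load balancer or are SNATed on the way out of the cluster, that address is the proxy or NAT address, so either bind to that address or configure the Vault listener's `x_forwarded_for_authorized_addrs` so it trusts the proxy's forwarded header. Second, this only blocks use from outside the pod network; an admin who can `kubectl exec` into a pod is inside the CIDR and holds a valid projected token, which is exactly the point made in the reply above that Vault cannot tell a person from a service, so restricting cluster-admin membership remains the primary control.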