Vault using Kubernetes auth
This guide walks you through configuring Vault running on a Kubernetes cluster to exchange a service account token for a scoped Vault client token. This is useful when you want the services running on your Kubernetes cluster to authenticate themselves to Vault without having to pass Vault credentials around.
Auth Delegators
The first thing we want to set up is a ClusterRoleBinding whose roleRef uses the system:auth-delegator ClusterRole.
This role allows delegated authentication and authorization checks. It is commonly used by add-on API servers for unified authentication and authorization.
```yaml
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# use rbac.authorization.k8s.io/v1 on current clusters.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  # a ClusterRoleBinding is cluster-scoped, so this namespace is ignored
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
# the service account created in the next step; its namespace must match
- kind: ServiceAccount
  name: vault-auth
  namespace: default
```
Note: change the namespace to something more appropriate than default.
Next we can create the service account that will be bound to this ClusterRoleBinding. Ensure the namespace of the service account matches the one specified for the subject in the ClusterRoleBinding.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: default
```
Required information
Before we continue to set up Vault we need to extract some data from our cluster and from the newly created service account.
Service Account Token Secret Name
```sh
export VAULT_SA_NAME=$(kubectl get sa vault-auth --output jsonpath="{.secrets[*]['name']}")
```
Service Account JWT
```sh
export SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_NAME" --output 'go-template={{ .data.token }}' | base64 --decode)
```
Service Account CA Certificate
```sh
export SA_CA_CRT=$(kubectl config view --raw --minify --flatten --output 'jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
```
Kubernetes API Server Host
```sh
export K8S_HOST=$(kubectl config view --raw --minify --flatten --output 'jsonpath={.clusters[].cluster.server}')
```
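The script below is an added example, not part of the original post, that sanity-checks the values exported above before they are handed to Vault: it decodes the service account JWT and confirms it was minted for the vault-auth account in the expected namespace, confirms the CA value really decoded to a PEM certificate, and confirms the API server host is an https URL. It assumes the legacy service account token format (a JWT carrying kubernetes.io/serviceaccount/* claims); the VAULT_SA_NAMESPACE variable, the function names, and the sample token and certificate embedded for an offline run are all constructed for this example. One failure mode it catches: from Kubernetes 1.24 onward a service account no longer gets a token Secret created automatically, so the first kubectl command above yields an empty name and SA_JWT_TOKEN ends up empty, which the JWT check rejects.

```shell
#!/bin/sh
# Added example (not from the original post): check the exported values
# before configuring Vault. Assumes legacy service-account JWTs and the
# base64, tr, cut and grep utilities.

# Base64url-encode stdin without padding or line wrapping (only used to
# build the constructed sample token below).
b64url_encode() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the decoded payload (second segment) of a JWT. The signature is not
# verified here; Vault relies on the API server's TokenReview for that.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# Succeed only if the token was minted for the expected namespace and
# service account. Usage: check_sa_jwt <jwt> <namespace> <sa-name>
check_sa_jwt() {
  claims=$(jwt_payload "$1") || return 1
  printf '%s' "$claims" | grep -q "\"kubernetes.io/serviceaccount/namespace\":\"$2\"" || return 1
  printf '%s' "$claims" | grep -q "\"kubernetes.io/serviceaccount/service-account.name\":\"$3\"" || return 1
  printf '%s' "$claims" | grep -q "\"sub\":\"system:serviceaccount:$2:$3\""
}

# Succeed only if the CA value decoded to PEM (not still base64, not empty).
check_ca_pem() {
  printf '%s' "$1" | grep -q -- '-----BEGIN CERTIFICATE-----' || return 1
  printf '%s' "$1" | grep -q -- '-----END CERTIFICATE-----'
}

# Vault contacts the API server over TLS, so the host must be an https URL.
check_k8s_host() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample token (not a real cluster token): RS256 header, legacy
# service-account claims, and a dummy signature segment.
sample_jwt() {
  header=$(printf '%s' '{"alg":"RS256","kid":"constructed"}' | b64url_encode)
  claims=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"vault-auth-token-xxxxx","kubernetes.io/serviceaccount/service-account.name":"vault-auth","sub":"system:serviceaccount:default:vault-auth"}' | b64url_encode)
  printf '%s.%s.%s' "$header" "$claims" "bm90LWEtcmVhbC1zaWduYXR1cmU"
}

# Constructed CA placeholder (not a real certificate); a real value comes
# from $SA_CA_CRT.
SAMPLE_CA='-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbm90LWEtcmVhbC1jZXJ0
-----END CERTIFICATE-----'

# Check the exported values when they are set (an empty SA_JWT_TOKEN is
# still checked, and fails), otherwise fall back to the constructed samples.
# VAULT_SA_NAMESPACE is an assumed variable naming the SA's namespace.
verify_vault_k8s_inputs() {
  jwt=${SA_JWT_TOKEN-$(sample_jwt)}
  ca=${SA_CA_CRT-$SAMPLE_CA}
  host=${K8S_HOST-https://10.0.0.1:6443}
  ns=${VAULT_SA_NAMESPACE:-default}
  status=0
  if check_sa_jwt "$jwt" "$ns" vault-auth; then echo "SA_JWT_TOKEN: ok"
  else echo "SA_JWT_TOKEN: empty, or not minted for $ns/vault-auth"; status=1; fi
  if check_ca_pem "$ca"; then echo "SA_CA_CRT: ok"
  else echo "SA_CA_CRT: not a PEM certificate (was it base64-decoded?)"; status=1; fi
  if check_k8s_host "$host"; then echo "K8S_HOST: ok"
  else echo "K8S_HOST: not an https:// URL"; status=1; fi
  return $status
}

verify_vault_k8s_inputs
```

Run it in the same shell session after the four exports; with nothing exported it exercises the constructed samples. Once all three checks pass, the values are what Vault's Kubernetes auth backend configuration expects for its kubernetes_host, kubernetes_ca_cert and token_reviewer_jwt parameters.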