Vault using Kubernetes auth
This guide will walk you through how to configure Vault running on a Kubernetes cluster to exchange service accounts for a scoped client vault token. This can be useful when you want your services running on a Kubernetes cluster to self auth against vault and not require the need to pass around vault credentials.
Auth Delgators
The first thing we want to setup is a ClusterRoleBinding that has a roleRef which uses system:auth-delagator
This role allows delegated authentication and authorization checks. This is commonly used by add-on API servers for unidified authentication and authorization.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: defaultNote change the namespace to something more appropriate than default
Next we can create a service account which will get bound to this ClusterRoleBinding. Ensure the namespaces for the SA specified in the ClusterRoleBinding and the SA match.
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-auth…