@atheiman
Last active December 20, 2023 17:26
Vault Kubernetes Auth Notes

Setting up the Kubernetes auth backend on Vault. I did this by running the Vault server in dev mode in minikube. The files referenced in the commands below (admin-policy.hcl, vault-agent-config.hcl, vault-auth-service-account.yaml) are included as the other files in this gist.

Run the Vault server in the vault-ns namespace in minikube and expose it as a service

kubectl create namespace vault-ns
kubectl --namespace=vault-ns run vault --image=vault --port=8200 -- vault server -dev -dev-listen-address=0.0.0.0:8200 -dev-root-token-id=root-token
kubectl --namespace=vault-ns expose deployment vault --type=NodePort --port=80 --target-port=8200
minikube service --namespace vault-ns vault --url 

Connect to Vault locally and do some basic setup config

export VAULT_ADDR="$(minikube service --namespace vault-ns vault --url)" VAULT_TOKEN=root-token
vault audit enable file file_path=stdout
# You can open up another terminal to tail the Vault audit logs if you need help debugging anything
kubectl --namespace=vault-ns logs -f deployment/vault
# Ctrl-C to exit

Create the vault-auth service account in the vault-ns namespace and get its token

kubectl --namespace=vault-ns apply -f ./vault-auth-service-account.yaml
export vault_auth_secret_name="$(kubectl --namespace=vault-ns get serviceaccount vault-auth -o jsonpath="{.secrets[*]['name']}")"
export vault_auth_token="$(kubectl --namespace=vault-ns get secret $vault_auth_secret_name -o jsonpath="{.data.token}" | base64 --decode)"
echo $vault_auth_token

Enable and configure Kubernetes auth backend

vault auth enable kubernetes
vault write auth/kubernetes/config \
  kubernetes_host=https://kubernetes.default.svc \
  kubernetes_ca_cert=@${HOME}/.minikube/ca.crt \
  token_reviewer_jwt="${vault_auth_token}"
vault read auth/kubernetes/config

Create a policy and a role in the Kubernetes auth backend

vault policy write admin ./admin-policy.hcl
vault policy read admin
# Normally you would not grant "admin" permissions to an app in Vault,
# but I'm just using this policy as an example
vault write auth/kubernetes/role/some-k8s-app \
  bound_service_account_names=some-k8s-app \
  bound_service_account_namespaces=some-k8s-app \
  policies=admin \
  ttl=4h
vault read auth/kubernetes/role/some-k8s-app
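The role above is what ties a Vault login to a specific Kubernetes identity: Vault sends the pod's service-account JWT to the Kubernetes TokenReview API (which the vault-auth service account may call thanks to its system:auth-delegator binding) and then compares the reviewed namespace and service-account name against bound_service_account_namespaces and bound_service_account_names. The script below is an added example, not part of the gist and not Vault's own code. It reproduces only that comparison step on constructed, unsigned sample tokens; signature verification is the API server's job and is not reproduced. The claim names are the ones carried by legacy (secret-based) service-account tokens.

```python
"""Emulate the bound_service_account_* check Vault performs after TokenReview.

Added example (not from the gist, not Vault's code). Tokens are constructed and
unsigned; only the claim comparison is demonstrated.
"""
import base64
import json

# Claims carried by a legacy (secret-based) Kubernetes service-account token.
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(namespace: str, name: str) -> str:
    """Build an UNSIGNED sample token (constructed for the demo, not a cluster token)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iss": "kubernetes/serviceaccount",
        NS_CLAIM: namespace,
        SA_CLAIM: name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }).encode())
    return f"{header}.{payload}."


def identity_from_jwt(jwt: str) -> tuple[str, str]:
    """Return (namespace, service_account_name) from the token's payload claims."""
    payload = json.loads(b64url_decode(jwt.split(".")[1]))
    return payload[NS_CLAIM], payload[SA_CLAIM]


def role_allows(role: dict, namespace: str, name: str) -> bool:
    """Vault semantics: '*' in a bound list matches anything, otherwise exact membership."""
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    name_ok = "*" in names or name in names
    ns_ok = "*" in namespaces or namespace in namespaces
    return name_ok and ns_ok


# The role written by the gist's "vault write auth/kubernetes/role/some-k8s-app" command.
SOME_K8S_APP_ROLE = {
    "bound_service_account_names": ["some-k8s-app"],
    "bound_service_account_namespaces": ["some-k8s-app"],
    "policies": ["admin"],
    "ttl": "4h",
}


def login_decision(role: dict, jwt: str) -> str:
    """Return "allow" or "deny" for a login attempt against the given role."""
    ns, name = identity_from_jwt(jwt)
    return "allow" if role_allows(role, ns, name) else "deny"


if __name__ == "__main__":
    good = make_sample_jwt("some-k8s-app", "some-k8s-app")
    wrong_ns = make_sample_jwt("default", "some-k8s-app")
    print(login_decision(SOME_K8S_APP_ROLE, good))      # allow
    print(login_decision(SOME_K8S_APP_ROLE, wrong_ns))  # deny
```

The second token has the right service-account name but lives in the default namespace, so it is rejected: both bound lists must match, which is why the gist scopes the role to a dedicated namespace rather than using "*".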

Launch a Vault client pod in its own namespace to represent an app running in Kubernetes

kubectl create namespace some-k8s-app
kubectl --namespace=some-k8s-app create serviceaccount some-k8s-app
kubectl --namespace=some-k8s-app run -i -t vault-client-${RANDOM} \
  --image=vault \
  --env="VAULT_ADDR=http://vault.vault-ns" \
  --restart=Never \
  --serviceaccount='some-k8s-app' -- \
  /bin/sh

Configure and run Vault Agent to authenticate with Vault and generate a Vault token

vi /var/vault-agent-config.hcl  # paste the contents of vault-agent-config.hcl from this gist
vault agent -config=/var/vault-agent-config.hcl -log-level=debug
# Ctrl-C to exit

Use the generated Vault token to interact with the Vault server

export VAULT_TOKEN="$(cat /var/vault-token)"
vault token lookup # should show the token is from a Kubernetes login
vault secrets list # should successfully authenticate to Vault server

admin-policy.hcl

# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}

# List existing policies via CLI
path "sys/policy" {
  capabilities = ["read"]
}

# Create and manage ACL policies via CLI
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create and manage ACL policies via API
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secret engines broadly across Vault
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secret engines
path "sys/mounts" {
  capabilities = ["read"]
}

# Read health checks
path "sys/health" {
  capabilities = ["read", "sudo"]
}
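To see how the policy above is actually applied to a request, the following is an added example (not part of the gist and not Vault's own code). It parses a constructed excerpt of the policy, three of its rules copied verbatim plus one narrower deny rule that is not in the gist, and evaluates requests with a simplified version of Vault's ACL matching: a path without a trailing * must match exactly, a trailing * is a prefix glob, an exact match wins over any glob, the longest glob prefix wins among globs, and a deny capability overrides everything. Vault's + segment wildcard and its other newer path features are deliberately left out.

```python
"""Evaluate requests against Vault-style ACL rules.

Added example (not from the gist, not Vault's code). Simplified matching: exact
beats glob, longest glob prefix wins, "deny" overrides, unmatched paths are denied.
"""
import re

# Constructed excerpt: three rules copied from admin-policy.hcl plus one narrower
# deny rule (not in the gist) to show precedence between overlapping globs.
POLICY_EXCERPT = '''
# List existing secret engines
path "sys/mounts"
{
capabilities = ["read"]
}
# Manage secret engines broadly across Vault
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Not in the gist: a more specific rule that wins over "secret/*" for one subtree
path "secret/prod/*"
{
capabilities = ["deny"]
}
'''

# Matches the 'path "..." { capabilities = [...] }' stanza shape used in the policy file.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Return {path: {capabilities}} for every stanza, ignoring '#' comments."""
    stripped = "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())
    rules = {}
    for path, caps in RULE_RE.findall(stripped):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def match_rule(rules: dict[str, set[str]], request_path: str):
    """Pick the most specific rule: exact match first, then the longest-prefix glob."""
    if request_path in rules:
        return request_path
    best = None
    for path in rules:
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best):
                best = path
    return best


def is_allowed(rules: dict[str, set[str]], request_path: str, capability: str) -> bool:
    """Decide a single (path, capability) request."""
    rule = match_rule(rules, request_path)
    if rule is None:
        return False  # no matching rule: denied by default
    caps = rules[rule]
    if "deny" in caps:
        return False  # deny beats every other capability in the matched rule
    return capability in caps


RULES = parse_policy(POLICY_EXCERPT)

if __name__ == "__main__":
    for path, cap in [("sys/mounts", "read"), ("sys/mounts", "delete"),
                      ("sys/mounts/kv", "delete"), ("secret/dev/db", "read"),
                      ("secret/prod/db", "read"), ("auth/token/lookup-self", "read")]:
        print(f"{cap:6} {path:24} -> {'allow' if is_allowed(RULES, path, cap) else 'deny'}")
```

Two things worth noticing: "sys/mounts" (read-only) and "sys/mounts/*" (full control) are different rules even though one is a prefix of the other, and a request under secret/prod/ is denied despite "secret/*" granting everything, because the longer glob wins. That precedence is what lets a broad policy like the gist's admin policy be carved back with targeted deny rules.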

vault-agent-config.hcl

pid_file = "/var/vault-agent-pidfile"

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "some-k8s-app"
    }
  }

  sink "file" {
    config = {
      path = "/var/vault-token"
    }
  }
}

vault-auth-service-account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: vault-ns
---
# system:auth-delegator lets the vault-auth service account call the TokenReview API,
# which Vault uses to validate the service-account JWTs presented by client pods.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: vault-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: vault-ns