Skip to content

Instantly share code, notes, and snippets.

@k4kratik
Created October 2, 2023 12:47
Show Gist options
  • Save k4kratik/5864d652a384601cb4a2718a902ba20b to your computer and use it in GitHub Desktop.
Save k4kratik/5864d652a384601cb4a2718a902ba20b to your computer and use it in GitHub Desktop.
required RBAC permissions for vault to be deployed in K8s
kind: ServiceAccount
apiVersion: v1
metadata:
name: vault
namespace: vault-operator
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vault
namespace: vault-operator
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["*"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vault
namespace: vault-operator
roleRef:
kind: Role
name: vault
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: vault
---
# This binding allows the deployed Vault instance to authenticate clients
# through Kubernetes ServiceAccounts (if configured so).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault
namespace: vault-operator
---
#! Now we need to create the token manually (1.24+)
#! https://stackoverflow.com/a/72258300
apiVersion: v1
kind: Secret
metadata:
name: vault-sa-token-manual
namespace: vault-operator
annotations:
kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment