This guide shows a simple example of how to set up and authenticate against the Kubernetes auth backend. For more details consult the Vault documentation on the Kubernetes Auth Backend.
This example will:
To enable and configure the auth backend with the necessary roles and policies, the Vault client requests in this part of the guide authenticate with the root token.
Configure port forwarding between the local machine and the active Vault node:
kubectl -n default get vault example -o jsonpath='{.status.vaultStatus.active}' | xargs -0 -I {} kubectl -n default port-forward {} 8200
Open a new terminal. Use this terminal for the rest of this guide.
Export the following environment variables for the Vault CLI. Replace <root-token> with the root token generated during initialization.
export VAULT_ADDR='https://localhost:8200'
export VAULT_SKIP_VERIFY="true"
export VAULT_TOKEN=<root-token>
Create the vault-tokenreview service account:
kubectl -n default create serviceaccount vault-tokenreview
Create a ClusterRoleBinding that allows the vault-tokenreview service account to access the Kubernetes TokenReview API:
kubectl -n default create -f example/k8s_auth/vault-tokenreview-binding.yaml
Retrieve the token of the vault-tokenreview service account:
SECRET_NAME=$(kubectl -n default get serviceaccount vault-tokenreview -o jsonpath='{.secrets[0].name}')
TR_ACCOUNT_TOKEN=$(kubectl -n default get secret ${SECRET_NAME} -o jsonpath='{.data.token}' | base64 --decode)
Enable the Kubernetes auth backend:
vault auth-enable kubernetes
Configure the backend with the Kubernetes API server URL, the cluster's certificate-authority-data (saved here as ca.crt), and the token-reviewer JWT retrieved above:
vault write auth/kubernetes/config kubernetes_host=<server-url> kubernetes_ca_cert=@ca.crt token_reviewer_jwt=$TR_ACCOUNT_TOKEN
The Kubernetes backend authorizes an entity by granting it a role mapped to a service account. A role is configured with policies which control the entity's access to paths and operations in Vault.
Create a new policy demo-policy using the example policy file policy.hcl:
vault write sys/policy/demo-policy policy=@example/k8s_auth/policy.hcl
Create a new role demo-role bound to the service account default and the policy demo-policy:
vault write auth/kubernetes/role/demo-role \
bound_service_account_names=default \
bound_service_account_namespaces=default \
policies=demo-policy \
ttl=1h
The backend can now be used to authenticate Vault requests using the service account default.
Now use the service account token to authenticate for the role demo-role. Retrieve the token of the default service account:
SECRET_NAME=$(kubectl -n default get serviceaccount default -o jsonpath='{.secrets[0].name}')
DEFAULT_ACCOUNT_TOKEN=$(kubectl -n default get secret ${SECRET_NAME} -o jsonpath='{.data.token}' | base64 --decode)
$ vault write auth/kubernetes/login role=demo-role jwt=${DEFAULT_ACCOUNT_TOKEN}
Key Value
--- -----
token 74603479-607d-4ab8-a406-d0456d9f3d65
token_accessor 4893b0a1-f42a-bfd8-cd9c-c14b9bdb6095
token_duration 1h0m0s
token_renewable true
token_policies [default demo-policy]
token_meta_role "demo-role"
token_meta_service_account_name "default"
token_meta_service_account_namespace "default"
token_meta_service_account_secret_name "default-token-fndln"
token_meta_service_account_uid "aaf6c23c-b04a-11e7-9aea-0245c85cf1cc"
Set VAULT_TOKEN to the value of the key token from the output of the last step:
export VAULT_TOKEN=74603479-607d-4ab8-a406-d0456d9f3d65
With the above VAULT_TOKEN set, Vault requests are authenticated according to the role demo-role and the policy demo-policy.
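The login step above, as an added example that is not part of the vault-operator guide: it performs the HTTP exchange that `vault write auth/kubernetes/login` wraps, checks beforehand that the service account JWT's claims match the role's bound name and namespace, and checks afterwards that Vault attached exactly the expected policies. The helper names, the constructed sample token and the sample response are assumptions for illustration.

```python
# Added example (not vault-operator code): the HTTP exchange behind `vault write auth/kubernetes/login`.
import base64
import json
import urllib.request

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (Vault verifies the token via the
    TokenReview API); used only to catch a wrong token before it is sent."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def matches_role(token: str, names: set, namespaces: set) -> bool:
    """True if the token's service account is one the role is bound to."""
    c = jwt_claims(token)
    return (c.get("kubernetes.io/serviceaccount/service-account.name") in names
            and c.get("kubernetes.io/serviceaccount/namespace") in namespaces)

def login_request(vault_addr: str, role: str, token: str) -> urllib.request.Request:
    """Build the login request; the JWT travels in the JSON body, not in a header."""
    body = json.dumps({"role": role, "jwt": token}).encode()
    return urllib.request.Request(f"{vault_addr}/v1/auth/kubernetes/login", data=body,
                                  method="POST", headers={"Content-Type": "application/json"})

def parse_login(response: dict, expected_policies: set) -> tuple:
    """Return (client_token, metadata); refuse a token whose policies differ from the role's."""
    auth = response["auth"]
    if set(auth["policies"]) != expected_policies:
        raise ValueError(f"unexpected policies: {auth['policies']}")
    return auth["client_token"], auth["metadata"]

def login(vault_addr, role, token, names, namespaces, expected_policies) -> str:
    """Pre-check, POST, post-check; returns the Vault client token. TLS is verified
    here, unlike the guide's VAULT_SKIP_VERIFY, so the Vault CA must be trusted."""
    if not matches_role(token, names, namespaces):
        raise ValueError("token's service account is not bound to this role")
    with urllib.request.urlopen(login_request(vault_addr, role, token)) as resp:
        return parse_login(json.load(resp), expected_policies)[0]

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample: a legacy service account token with a placeholder signature,
# and a login response modelled on the guide's output, so the checks run offline.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "default"}), "sig"])
SAMPLE_RESPONSE = {"auth": {"client_token": "74603479-607d-4ab8-a406-d0456d9f3d65",
                            "policies": ["default", "demo-policy"], "metadata": {"role": "demo-role"}}}
```

Against a live cluster, `login("https://localhost:8200", "demo-role", DEFAULT_ACCOUNT_TOKEN, {"default"}, {"default"}, {"default", "demo-policy"})` returns the same client token the CLI prints, and refuses to hand one back if the role's bindings or policies are not what was configured.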
Confirm that the policy enables secret creation only under the path "secret/demo/":
$ vault write secret/demo/foo value=bar
Success! Data written to: secret/demo/foo
Requests on paths outside "secret/demo/" are rejected:
$ vault write secret/foo value=bar
Error writing data to secret/foo: Error making API request.
URL: PUT https://localhost:8200/v1/secret/foo
Code: 403. Errors:
* permission denied
To clean up, delete the vault-tokenreview service account and its ClusterRoleBinding:
kubectl -n default delete serviceaccount vault-tokenreview
kubectl -n default delete clusterrolebinding vault-tokenreview-binding