vault使用kubernetes认证

配置

vault可以使用kubernetes的serviceaccount进 行认证

#在kubernetes为vault创建serviceaccount账号，用于调用api
kubectl create sa vault-auth
#找到vault-auth的token以及ca
kubectl get secret |grep vault-auth-token |awk '{print $1}'|xargs kubectl get -o yaml secret

把图中的ca.crt以及token用base64解码得到证书

# 使用vault-cli配置kubernetes认证 vault auth enable kubernetes 
#token_reviewer_jwt是上图中token用base64解码的值 # kubernetes_host是kubernetes-api-server的地址 # kubernetes_ca_cert是上图中ca.crt用base64解码的值存储的文件路径， vault write auth/kubernetes/config \
 token_reviewer_jwt="reviewer_service_account_jwt" \
 kubernetes_host=https://192.168.99.100:8443 \
 kubernetes_ca_cert=@ca.crt 

# 允许vault调用kubernetes的sa-api # cat rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: role-tokenreview-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: vault-auth namespace: default #kubectl apply -f rbac.yaml

使用kubernetes的serviceaccount认证

vault创建role

vault write auth/kubernetes/role/demo \
 bound_service_account_names=vault-auth \
 bound_service_account_namespaces=default \
 policies=default \
 ttl=1h

认证

#role对应vault里面创建的role，jwt对应kubernetes里面serviceaccount的token
curl https://vault:8200/auth/kubernetes/login -XPOST -d '{"role": "demo", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'

本文转自SegmentFault-vault-使用kubernetes作为认证后端