vault-使用kubernetes作為認證後端

vault使用kubernetes認證

配置

vault可以使用kubernetes的serviceaccount進 行認證

#在kubernetes為vault建立serviceaccount賬号，用于調用api
kubectl create sa vault-auth
#找到vault-auth的token以及ca
kubectl get secret |grep vault-auth-token |awk '{print $1}'|xargs kubectl get -o yaml secret           

把圖中的ca.crt以及token用base64解碼得到證書

# 使用vault-cli配置kubernetes認證 vault auth enable kubernetes 
#token_reviewer_jwt是上圖中token用base64解碼的值 # kubernetes_host是kubernetes-api-server的位址 # kubernetes_ca_cert是上圖中ca.crt用base64解碼的值存儲的檔案路徑， vault write auth/kubernetes/config \
 token_reviewer_jwt="reviewer_service_account_jwt" \
 kubernetes_host=https://192.168.99.100:8443 \
 [email protected]            

# 允許vault調用kubernetes的sa-api # cat rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: role-tokenreview-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: vault-auth namespace: default #kubectl apply -f rbac.yaml           

使用kubernetes的serviceaccount認證

vault建立role

vault write auth/kubernetes/role/demo \
 bound_service_account_names=vault-auth \
 bound_service_account_namespaces=default \
 policies=default \
 ttl=1h           

認證

#role對應vault裡面建立的role，jwt對應kubernetes裡面serviceaccount的token
curl https://vault:8200/auth/kubernetes/login -XPOST -d '{"role": "demo", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'           

本文轉自SegmentFault-

vault-使用kubernetes作為認證後端