vault使用kubernetes認證
配置
vault可以使用kubernetes的serviceaccount進 行認證
#在kubernetes為vault建立serviceaccount賬号,用于調用api
kubectl create sa vault-auth
#找到vault-auth的token以及ca
kubectl get secret |grep vault-auth-token |awk '{print $1}'|xargs kubectl get -o yaml secret
把圖中的ca.crt以及token用base64解碼得到證書
# 使用vault-cli配置kubernetes認證 vault auth enable kubernetes
#token_reviewer_jwt是上圖中token用base64解碼的值 # kubernetes_host是kubernetes-api-server的位址 # kubernetes_ca_cert是上圖中ca.crt用base64解碼的值存儲的檔案路徑, vault write auth/kubernetes/config \
token_reviewer_jwt="reviewer_service_account_jwt" \
kubernetes_host=https://192.168.99.100:8443 \
[email protected]
# 允許vault調用kubernetes的sa-api # cat rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: role-tokenreview-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: vault-auth namespace: default #kubectl apply -f rbac.yaml
使用kubernetes的serviceaccount認證
vault建立role
vault write auth/kubernetes/role/demo \
bound_service_account_names=vault-auth \
bound_service_account_namespaces=default \
policies=default \
ttl=1h
認證
#role對應vault裡面建立的role,jwt對應kubernetes裡面serviceaccount的token
curl https://vault:8200/auth/kubernetes/login -XPOST -d '{"role": "demo", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'
本文轉自SegmentFault-
vault-使用kubernetes作為認證後端