Type '/' to Search

»Bootstrapping Kubernetes Auth Method

In this example, we will walk through how to set up the Kubernetes Auth Method.

This assumes the following commands will be run inside a Vault pod running in Kubernetes.

You will optionally need the following variables:

# JWT is a service account token that has access to the Kubernetes TokenReview API
# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token
JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

# Address of Kubernetes itself as viewed from inside a running pod
KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443

# Kubernetes internal CA
KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)

# JWT is a service account token that has access to the Kubernetes TokenReview API# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/tokenJWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# Address of Kubernetes itself as viewed from inside a running podKUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443
# Kubernetes internal CAKUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)

Exec into the Vault pod:

kubectl exec -it vault-0 /bin/sh

kubectl exec -it vault-0 /bin/sh

Then run the following command to configure the Kubernetes Auth Method:

vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

vault write auth/kubernetes/config \   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

From here you can continue to configure Vault from the Kubernetes Auth Method documentation.