Warning: This project is in alpha phase and breaking changes are usual.
Kubevaulter are helper tools to handle secrets stored in vault inside your kubernetes cluster.
For authentication against vault, kubevaulter-init uses the Kubernetes service account token mounted by default into each pod by Kubernetes automatically. The token should reside under /var/run/secrets/kubernetes.io/serviceaccount/token and is signed by the Kubernetes signing CA
To use these tools vault must be correctly configured and
reachable from within the kubernetes cluster.
kubernetes must support
RBAC
and the api-server must be started with the flags
--authorization-mode=RBAC and
--service-account-lookup.
Also the correct service accounts and clusterRoles and RoleBindings must exist
This ClusterRole should exist by default, if not it has to be created.
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:auth-delegator
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- createOne service account need to exist with which vault authenticates against the kubernetes api.
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-authFor each pod that accesses secrets in vault, a service account should exist to authenticate against vault. This can also be the default namespace service account, depending on the needs.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: defaultTo use authentication via service account tokens, the Kubernetes Auth Backend must be enabled and configured correctly. Also policies must exist to manage access of the role to vault secret paths
$ vault auth-enable kubernetes
Successfully enabled 'kubernetes' at 'kubernetes'!vault write auth/kubernetes/role/DEMO \
bound_service_account_names=DEMO-SA\
bound_service_account_namespaces=DEMO-NS \
policies=DEMO-POLICY \
ttl=1hpath "secret/*" {
capabilities = ["create"]
}
path "secret/foo" {
capabilities = ["read"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}To configure Kubevaulter, a config file called config in yaml, toml or json format must exist in . or ./config folder of the containers. The location could be overwritten by specifying the environment variable KV_ the general config looks like this
logging:
logLevel: "debug" #defaults to "info"
logFormat: "json" #default to "text"
vault:
endpointUrl: "http://localhost:8200"
secretBackend: "demo-secret" # defaults to "secret"
role: "DEMO"
jwtPath: "/var/run/secrets/kubernetes.io/serviceaccount/token" # defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token"
failOnEmptySecret: true
authPath: auth/foo/login # defaults to auth/kubernetes/login
caCert:- kubevaulter-init an init container to render vault secrets into templates from specific path in the pod filesystem
- kubevaulter-recursive an init container to recursively traverse through a folder structure and rendereing templates with secret values from vault
- kubevaulter-generator creates random strings and stores them in specified vault paths
- kubevaulter-executor executing applications inside the container while providing secret values from vault as parameters to this application