-
Hi @johnny990, thank you for using Bank-Vaults! Do I understand correctly that the problem here is that the configurer stores the root and unseal tokens in a Kubernetes secret? As per the docs this option is only for development purposes, these tokens should be stored in a more secure environment indeed. In |
-
Hey @johnny990, Technically it should be possible to deploy the Vault Configurer in a different Kubernetes cluster than the tenant Vaults. Since the Configurer communicates with the Vault API to configure policies and roles, it does not have to reside in the same Kubernetes cluster as the Vault it is configuring. You can configure it to connect to the tenant Vaults remotely via their API endpoint, but this is something that will most probably require additional resources to be created. The idea makes sense from a security perspective, as it would reduce the exposure of sensitive tokens (such as the root token) in the tenant clusters. Some key points to keep in mind while implementing this:
-
Hi,
Is it possible to deploy the Vault configurer and Vault itself in different clusters? Or is it possible to disable the configurer somehow?
I have the following security critical use case: a central Vault for unsealing, deployed on a separate, highly secured machine (access restricted only to several trusted persons), unseals the tenant Vaults. These tenants are less secured, but we'd like to secure Vault itself as much as possible (no root tokens in secrets on these tenants; the central Vault token should allow only auto-unseal). The rationale is that if somebody gets access to a tenant Vault namespace, it will be difficult to get access to the tenant Vault's secrets without its root token. But this scenario is almost not possible because we have the configurer, which requires the root token to configure roles, policies, etc. on the tenant Vaults. If we remove the root token, it complains and can't access Vault.
So, the idea is to configure the tenant Vaults externally, either by a configurer deployed remotely (if that's possible) or via custom external scripts.
Does it make sense? Or is it overengineering without real security benefits?
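The least-privilege shape the question asks for (a central Vault token that can only auto-unseal, and a tenant-side token for a remotely running configurer that can manage policies and roles but never read secrets, as the reply above about running the Configurer against the tenant Vault API suggests) can be expressed as Vault ACL policies. The following is an added example, not code from this discussion or from the Bank-Vaults project. It assumes the tenant Vaults use the Transit seal against a key named `autounseal` on the central Vault and have Kubernetes auth mounted at `auth/kubernetes`; the configurer policy paths are an illustrative choice, and the matcher is a deliberately simplified model of Vault's ACL path rules (it ignores longest-prefix precedence and parameter constraints). It also includes an offline check that a candidate policy stays inside an allowed set of path prefixes, grants no `sudo`/`root`, and cannot reach secret data.

```python
import re

# Constructed example policies, not taken from the Bank-Vaults project.
# Assumptions: tenant Vaults use the Transit seal with a key named "autounseal"
# on the central Vault, and Kubernetes auth is mounted at auth/kubernetes.

# Central Vault: the token handed to a tenant may only wrap/unwrap the tenant's
# master key with the transit key. The Transit seal needs "update" on both paths.
CENTRAL_AUTOUNSEAL_POLICY = """
path "transit/encrypt/autounseal" {
  capabilities = ["update"]
}
path "transit/decrypt/autounseal" {
  capabilities = ["update"]
}
"""

# Tenant Vault: a token for a configurer running outside the tenant cluster.
# It can manage policies, Kubernetes auth roles and secret engine mounts, but
# no rule reaches secret data, so the tenant root token can be revoked after
# bootstrap instead of living in a Kubernetes Secret. (Illustrative paths.)
TENANT_CONFIGURER_POLICY = """
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/kubernetes/role/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete"]
}
"""

# What a root-equivalent token amounts to; used to show the check firing.
OVERBROAD_POLICY = """
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
"""

_PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}')
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl):
    """Map each path rule to its set of capabilities (handles this simple HCL subset only)."""
    rules = {}
    for path, body in _PATH_BLOCK.findall(hcl):
        m = _CAPS.search(body)
        caps = [c.strip().strip('"') for c in m.group(1).split(",")] if m else []
        rules[path] = {c for c in caps if c}
    return rules


def acl_matches(pattern, path):
    """Vault ACL path matching: a trailing '*' is a prefix glob, '+' matches one segment."""
    prefix = pattern.endswith("*")
    pseg = (pattern[:-1] if prefix else pattern).split("/")
    seg = path.split("/")
    if prefix:
        if len(seg) < len(pseg):
            return False
        head_ok = all(p in ("+", s) for p, s in zip(pseg[:-1], seg))
        return head_ok and seg[len(pseg) - 1].startswith(pseg[-1])
    return len(seg) == len(pseg) and all(p in ("+", s) for p, s in zip(pseg, seg))


# Constructed probe paths that neither token has any business reaching.
SENSITIVE_PROBES = ("secret/data/tenant-app/db", "sys/raw/core/master")


def audit_policy(hcl, allowed_prefixes, probes=SENSITIVE_PROBES):
    """Return findings: rules outside allowed prefixes, sudo/root grants, or rules
    that reach a sensitive probe path. An empty list means the policy is within bounds."""
    findings = []
    for pat, caps in parse_policy(hcl).items():
        if caps & {"sudo", "root"}:
            findings.append(f"{pat}: grants {sorted(caps & {'sudo', 'root'})}")
        if not any(pat.startswith(p) for p in allowed_prefixes):
            findings.append(f"{pat}: outside allowed prefixes {list(allowed_prefixes)}")
        if "deny" in caps:
            continue
        for probe in probes:
            if acl_matches(pat, probe):
                findings.append(f"{pat}: reaches sensitive path {probe}")
    return findings


if __name__ == "__main__":
    checks = [
        ("central", CENTRAL_AUTOUNSEAL_POLICY,
         ("transit/encrypt/autounseal", "transit/decrypt/autounseal")),
        ("tenant-configurer", TENANT_CONFIGURER_POLICY,
         ("sys/policies/acl/", "auth/kubernetes/role/", "sys/mounts/")),
        ("root-like", OVERBROAD_POLICY, ("sys/policies/acl/",)),
    ]
    for name, hcl, allowed in checks:
        print(name, audit_policy(hcl, allowed) or "ok")
```

One caveat the check cannot express: a token that may write `sys/policies/acl/*` can grant itself anything, so the configurer token is still powerful and belongs on the secured side, issued with a short TTL and used over the tenant Vault's API from outside the tenant cluster. The unseal token, by contrast, is safe to leave in the tenant cluster because the central policy confines it to two transit paths.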