Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token review permission missing when using external vault address #376

Closed
gokuatkai opened this issue Aug 25, 2020 · 5 comments
Closed

Token review permission missing when using external vault address #376

gokuatkai opened this issue Aug 25, 2020 · 5 comments
Labels
bug Something isn't working enhancement New feature or request

Comments

@gokuatkai
Copy link

Using an external vault address (aka external mode) does not create ClusterRoleBinding for system:auth-delegator and make the request unable to authenticate:

Pod:

2020-08-25T15:14:13.077Z [INFO]  auth.handler: authenticating
2020-08-25T15:14:13.170Z [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT https://my-vault.com:8200/v1/auth/kubernetes/login
Code: 403. Errors:

* permission denied" backoff=2.822450632

Server:

Aug 25 15:13:10 my-vault.com vault[1803]: 2020-08-25T15:13:10.793Z [ERROR] auth.kubernetes.auth_kubernetes_a3c6e8ec: login unauthorized due to: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:security:vault-testenv-agent-injector\" cannot create resource \"tokenreviews\" in API group \"authentication.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}
@gokuatkai gokuatkai added the bug Something isn't working label Aug 25, 2020
@jasonodonnell jasonodonnell added the enhancement New feature or request label Aug 25, 2020
@jasonodonnell
Copy link
Contributor

Hi @gokuatkai, that's correct, no role is setup for Vault to use. This would be a nice enhancement to add, though, so labeling this as such.

@gokuatkai
Copy link
Author

so it only consists of a clusterrolebinding and a serviceaccount, maybe it can be a separate chart ?

@jasonodonnell
Copy link
Contributor

We already do create SA and CRB, however, that's only triggered when Vault server is installed via Helm. Basically we can add an additional value to also create those if Vault is external.

@jasonodonnell jasonodonnell mentioned this issue Sep 15, 2020
Closed
jfroche added a commit to jfroche/vault-helm that referenced this issue Sep 29, 2020
@jfroche
Enable Vault to review kube tokens when using external Vault
f26d636 
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
We also improve the visibility of the options we move the serviceAccount
options from the server into the global section. User might want to
provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs hashicorp#376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
@jfroche jfroche mentioned this issue Sep 29, 2020
Merged
jfroche added a commit to jfroche/vault-helm that referenced this issue Sep 29, 2020
@jfroche
Enable Vault to review kube tokens when using external Vault
8b5d3d8 
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
We also improve the visibility of the options we move the serviceAccount
options from the server into the global section. User might want to
provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs hashicorp#376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
jfroche added a commit to jfroche/vault-helm that referenced this issue Sep 30, 2020
@jfroche
Enable Vault to review kube tokens when using external Vault
caeaebc 
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
We also improve the visibility of the options we move the serviceAccount
options from the server into the global section. User might want to
provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs hashicorp#376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
jfroche added a commit to jfroche/vault-helm that referenced this issue Oct 16, 2020
@jfroche
Enable Vault to review kube tokens when using external Vault
4778894 
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.

User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs hashicorp#376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
jasonodonnell pushed a commit that referenced this issue Oct 20, 2020
@jfroche
Enable Vault to review kube tokens when using external Vault (#392)
c45f9b9 
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.

User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs #376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
@MPV
Copy link

MPV commented Nov 5, 2020

Has this been solved now (with #392 being merged)?

@tvoran
Copy link
Member

tvoran commented Nov 20, 2020

@MPV Yep, looks like it!

Closing this, #392 was included in v0.8.0: https://github.com/hashicorp/vault-helm/blob/master/CHANGELOG.md#080-october-20th-2020

@tvoran tvoran closed this as completed Nov 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MPV @tvoran @jasonodonnell @gokuatkai