-
Notifications
You must be signed in to change notification settings - Fork 873
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token review permission missing when using external vault address #376
Comments
Hi @gokuatkai, that's correct, no role is setup for Vault to use. This would be a nice enhancement to add, though, so labeling this as such. |
so it only consists of a clusterrolebinding and a serviceaccount, maybe it can be a separate chart ? |
We already do create SA and CRB, however, that's only triggered when Vault server is installed via Helm. Basically we can add an additional value to also create those if Vault is external. |
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. We also improve the visibility of the options we move the serviceAccount options from the server into the global section. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs hashicorp#376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. We also improve the visibility of the options we move the serviceAccount options from the server into the global section. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs hashicorp#376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. We also improve the visibility of the options we move the serviceAccount options from the server into the global section. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs hashicorp#376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs hashicorp#376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs #376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
Has this been solved now (with #392 being merged)? |
@MPV Yep, looks like it! Closing this, #392 was included in v0.8.0: https://github.com/hashicorp/vault-helm/blob/master/CHANGELOG.md#080-october-20th-2020 |
Using an external vault address (aka external mode) does not create
ClusterRoleBinding
forsystem:auth-delegator
and make the request unable to authenticate:Pod:
Server:
The text was updated successfully, but these errors were encountered: