I have a Vault setup in k8s with k8s auth enabled to allow the Vault agent to read secrets and export them as environment variables to a k8s pod using a k8s service account. Everything is working fine if I'm using a single k8s namespace.
I am not able to use a service account from namespace A in namespace B after attaching it via a RoleBinding in namespace B.
Step 1 - I created a service account called vault-ro in the default namespace and configured it in the Vault k8s auth role. Everything works well for any k8s pod in the default namespace; they are able to read secrets from Vault.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-ro
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding ##This Role!
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-ro
  namespace: default
```
Now, I want to enable namespace B to use the same Vault role and k8s service account to read secrets from Vault, so I created a RoleBinding as follows in namespace B.
Role binding in namespace B:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-tokenreview-binding-dev
  namespace: B
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-ro
  namespace: default
```
Expected behavior: I should be able to spin up a k8s pod with the vault-ro service account and it should be able to read secrets from Vault the same way it does in the default namespace, but when I try that I get this error:
```
Error from server (Forbidden): error when creating "test-app-nonprod.yaml": pods "test-app" is forbidden: error looking up service account B/vault-ro: serviceaccount "vault-ro" not found
```
Why is it not able to reference the service account vault-ro from the default namespace, and why is it still trying to find it in the dev namespace? Is it something to do with Vault? I tried my best to find an answer everywhere; all documents say the above should work!
Appreciate any help!
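As an added example (not part of the original post), the manifests below show the layout that makes the cross-namespace case work: a ServiceAccount is a namespaced object and a Pod's `serviceAccountName` is always resolved in the Pod's own namespace, so a RoleBinding in B cannot make `default/vault-ro` visible there. Assumptions: `B` stands in for the real (lowercase) namespace name, the Pod image is a placeholder, and the Vault role name is unknown here.

```yaml
# Added example, not the asker's manifests. A ServiceAccount with the same
# name is created in namespace B; the RoleBinding in B is not needed.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-ro
  namespace: B          # placeholder for the real namespace name
---
# One cluster-scoped binding grants TokenReview (system:auth-delegator)
# to both service accounts. Only the account Vault itself uses as its
# token reviewer strictly needs this; listing both keeps the setup simple.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-ro
  namespace: default
- kind: ServiceAccount
  name: vault-ro
  namespace: B
---
# The Pod in B references the local vault-ro, which now exists there.
apiVersion: v1
kind: Pod
metadata:
  name: test-app
  namespace: B
spec:
  serviceAccountName: vault-ro
  containers:
  - name: app
    image: busybox       # placeholder image
    command: ["sleep", "3600"]
```

The Vault side must also allow the new namespace, otherwise the login is rejected after the token is verified: `vault write auth/kubernetes/role/<ROLE_NAME> bound_service_account_names=vault-ro bound_service_account_namespaces=default,B ...` with `<ROLE_NAME>` being the existing role's name.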