I am trying to install the HashiCorp vault-k8s injector on a Kubernetes cluster in a restricted environment where we cannot create cluster roles or cluster role bindings, because the platform confines each deployment to a namespace.
However, we can create roles and role binding.
HashiCorp Vault works with the cluster role `vault-agent-injector-clusterrole` and the cluster role bindings `vault-agent-injector-binding` and `vault-server-binding`.
`vault-server-binding` binds the cluster role `system:auth-delegator` to the ServiceAccount `vault`, and `vault-agent-injector-binding` binds `vault-agent-injector-clusterrole` to the ServiceAccount `vault-agent-injector`. I was looking for a workaround to set up the deployment with just roles instead of cluster roles. To keep the deployment confined to a namespace I tried to deploy a cluster role with a role binding, but that did not seem to work.
I know it might be tricky, but if someone has experience with a similar problem, it might help.
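Added example (an editor's illustration, not part of the original post or of the vault-helm chart) of the two RBAC objects behind the question, assuming the chart's default names, a namespace `vault` and a ServiceAccount `vault`. The first object is the RoleBinding-to-ClusterRole attempt. Kubernetes accepts it, but a RoleBinding only grants the referenced rules for objects inside its own namespace, and `tokenreviews` (the resource `system:auth-delegator` grants `create` on) is cluster-scoped, so the binding grants nothing the Vault server can use. The second object is the cluster-scoped binding the chart normally creates, which is the one the platform forbids.

```yaml
# Attempt: namespaced RoleBinding pointing at the built-in ClusterRole.
# Valid object, but its rules only apply to resources in namespace "vault";
# TokenReview has no namespace, so this never authorizes a token review.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-server-binding        # assumed name, mirrors the chart's
  namespace: vault                  # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator       # built-in: create tokenreviews/subjectaccessreviews
subjects:
- kind: ServiceAccount
  name: vault                       # assumed ServiceAccount name
  namespace: vault
---
# What the chart creates instead: a cluster-scoped binding. Only this form
# covers cluster-scoped resources such as tokenreviews.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-server-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault
  namespace: vault
```

To confirm the difference on a real cluster, check that the resource is cluster-scoped with `kubectl api-resources --namespaced=false | grep tokenreviews`, then ask the authorizer directly with `kubectl auth can-i create tokenreviews.authentication.k8s.io --as=system:serviceaccount:vault:vault`; it answers `no` with only the RoleBinding applied and `yes` once the ClusterRoleBinding exists.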
Hello @bhartiyashesh,
You are correct in that the Vault server uses `system:auth-delegator`. As a result, it requires a ClusterRole(Binding) to allow Kubernetes service accounts to authenticate to Vault. I am not certain there is a way around this. Kubernetes does not offer a way to verify service account JWTs with a Role(Binding) at this time. Without the ability to use a ClusterRole(Binding), you will probably have to deploy an external Vault server that is not on Kubernetes.
As for the Vault agent injector, it also needs a ClusterRole(Binding) in order to configure the MutatingWebhook and inject the Vault agent into pods. Without it, you cannot use the automatic injector. If you manage to get an external Vault server and cannot use the injector, you need to manually define the Vault agent as a sidecar in all of your deployments. The Vault agent will need a configuration that defines the Kubernetes auth method and writes the secrets to a volume. This is what the injector's sidecar manages for you and what you will have to implement yourself.
If you can get a service account for a namespace with ClusterRole-level privileges, you can at least deploy Vault into that namespace and configure the injector to watch the other namespaces you'll use with Role-level privileges. That is the most common approach, although I understand that it may not be possible to ask for a service account with elevated privileges scoped to a namespace.
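One way to set up the manual sidecar the reply describes, as an added example (an editor's illustration, not code from the thread or from the vault-helm chart). It assumes a namespace `app`, a ServiceAccount `app` that needs no rights beyond a Role/RoleBinding, a Vault server at the assumed address `https://vault.example.internal:8200` whose Kubernetes auth method is mounted at `auth/kubernetes` with a role `app` bound to that ServiceAccount, and a KV v2 secret at `secret/data/app/config` holding a key `db_password`. The agent logs in with the pod's service account token and renders the secret into an in-memory volume shared with the application container. Note that the Vault server validates the presented token through the Kubernetes TokenReview API, so the delegator permission the reply mentions is still needed on the Vault side, wherever Vault runs.

```yaml
# Vault Agent configuration, mounted into the sidecar from a ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-agent-config
  namespace: app                    # assumed namespace
data:
  agent.hcl: |
    exit_after_auth = false
    pid_file = "/home/vault/pidfile"

    vault {
      address = "https://vault.example.internal:8200"   # assumed address
    }

    # Kubernetes auth method: the agent sends the pod's service account
    # token to auth/kubernetes/login and keeps the resulting Vault token
    # renewed; the sink makes that token available on the shared filesystem.
    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
          role = "app"              # assumed Vault role bound to SA "app"
        }
      }
      sink "file" {
        config = {
          path = "/home/vault/.vault-token"
        }
      }
    }

    # Render the secret into the volume the application reads from.
    template {
      destination = "/vault/secrets/db.env"
      contents = <<EOT
    {{- with secret "secret/data/app/config" -}}
    DB_PASSWORD={{ .Data.data.db_password }}
    {{- end }}
    EOT
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels: { app: app }
  template:
    metadata:
      labels: { app: app }
    spec:
      serviceAccountName: app       # namespaced rights only
      volumes:
      - name: vault-agent-config
        configMap:
          name: vault-agent-config
      - name: vault-secrets
        emptyDir:
          medium: Memory            # rendered secrets stay off the node disk
      containers:
      - name: vault-agent           # the sidecar the injector would normally add
        image: hashicorp/vault:1.15 # assumed image tag
        args: ["agent", "-config=/etc/vault/agent.hcl"]
        volumeMounts:
        - { name: vault-agent-config, mountPath: /etc/vault, readOnly: true }
        - { name: vault-secrets, mountPath: /vault/secrets }
      - name: app
        image: example.internal/app:1.0   # assumed application image
        command: ["sh", "-c", ". /vault/secrets/db.env && exec /app"]
        volumeMounts:
        - { name: vault-secrets, mountPath: /vault/secrets, readOnly: true }
```

The application container only mounts the rendered file read-only and never holds the Vault token; if the agent cannot authenticate, the template is never written and the app's startup command fails loudly rather than running without credentials.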