How to work with Vault k8s auth type on multiple namespace services?

Hi all,
I need help/guidelines for the following scenario:
i have a Vault service installed on some cluster in namespace “vault”. it have a serviceAccount named vault-auth which i have registered into vault

vault write auth/kubernetes/role/webapp \
        bound_service_account_names=vault-auth \
        bound_service_account_namespaces=default \

now i am trying to use several services from different namespaces to communicate with vault using the same serviceaccount vault-auth.
After some reading i understand that serviceaccount should have unique name for each namespace.
what is the right way to handle this situation? i dont want to manually execute

vault write auth/kubernetes/role/webapp \
        bound_service_account_names=vault-auth \
        bound_service_account_namespaces=default \
        policies=demo-policy \

each time i am adding a new service.
what is the right way to handle this scenario?
should i install vault on each namespace? or is there some easy way to make it vault per cluster and multiple services could use it from multiple namespaces?

Thanks in advance

I think it depends on your security objectives.

If it’s OK to have all service-accounts across various namespaces authenticated as a single entity and have access to the same set of secrets, then simply change bound_service_account_namespaces=default to bound_service_account_namespaces="*". This will allow service accounts called vault-auth from any namespace authenticate to Vault using the webapp role.

If you need more restrictive access policies, then you’ll need to create additional roles or create a default role but then leverage policy templating based on the Identity Entities and/or Aliases that get created. Obviously running that command manually for every role would become burdensome so you’ll want to develop some sort of onboarding process that would handle that step for you (there’s many different ways to do this and ultimately is dependent on what tools you’re able to use in your environment).

thanks a lot!
thanks to your answer i found that there is also an option to add bound_service_account_names="*"
this both configurations is exactly what i need.
i just hope this is ok in terms of security

It depends on the need of your organization. If you’re creating separate namespaces in k8s there’s probably a reason for that, including a security related one. Personally, I would at least create a role per namespace or equivalent using Templated Policies so that your microservices only have access to the secrets they need access to. Granting very broad access creates more risk of exposure and possibly unintended modifications to your secrets.

yes policies are a good idea. what i will do is
only admin can ‘modify’.
services have only ‘read’ policy divided per domain (several services can be under same domain)

thanks again!