Hi all,
This is my first post here so hello everyone.
I am trying to have a pod authenticate to Vault using Kubernetes. It of course fails, which is why I hope the community at large might be able to help.
I have a 3 node cluster setup with mutual SSL. When I try to authenticate, I get the following error:
Logs
2020-05-28T14:03:32.188Z [ERROR] auth.kubernetes.auth_kubernetes_b273b73e: login unauthorized due to: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:vault:vault\" cannot create resource \"tokenreviews\" in API group \"authentication.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}
Audit logs
{"time":"2020-05-28T14:03:32.088516658Z","type":"request","auth":{"token_type":"default"},"request":{"id":"6239f5e4-b013-ee0f-740d-e844e724475a","operation":"update","namespace":{"id":"root"},"path":"auth/kubernetes/login","data":{"jwt":"hmac-sha256:f7419a1c1caa08f62637fcd5242f69339751bfaef4f34f36040d5af244eb7d38","role":"hmac-sha256:0510100a0314572d65134a45f68e8f0acae7ce91275520e1cd35ce66f5058ac0"},"remote_address":"172.31.113.206"}}
{"time":"2020-05-28T14:03:32.188642092Z","type":"response","auth":{"token_type":"default"},"request":{"id":"6239f5e4-b013-ee0f-740d-e844e724475a","operation":"update","namespace":{"id":"root"},"path":"auth/kubernetes/login","data":{"jwt":"hmac-sha256:f7419a1c1caa08f62637fcd5242f69339751bfaef4f34f36040d5af244eb7d38","role":"hmac-sha256:0510100a0314572d65134a45f68e8f0acae7ce91275520e1cd35ce66f5058ac0"},"remote_address":"172.31.113.206"},"response":{},"error":"permission denied"}
The following are the steps I took to get there. I just don’t understand where “system:serviceaccount:vault:vault” comes from.
kubectl create serviceaccount vault-auth
kubectl apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: vault
EOF
in vault
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/backup \
bound_service_account_names=vault-auth \
bound_service_account_namespaces='vault' \
policies=backup \
ttl=30m
On the pod trying to authenticate
export VAULT_ADDR='https://vault.vault.svc.cluster.local:8200'
export KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -s --cert client.crt --key client.key --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "backup"}' ${VAULT_ADDR}/v1/auth/kubernetes/login|jq
{
"errors": [
"permission denied"
]
}
Thanks for any help you can provide!
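Editor's note on the 403 above, with an added worked example that is not part of the original post. The identity in the error, `system:serviceaccount:vault:vault`, is the service account whose token was handed to Vault as `token_reviewer_jwt`. That token was read from `/var/run/secrets/kubernetes.io/serviceaccount/token` in the pod where `vault write auth/kubernetes/config` ran, so it belongs to the service account that pod runs as (with the Helm chart defaults, `vault` in namespace `vault`), not to `vault-auth`. The ClusterRoleBinding in the post grants `system:auth-delegator` to `vault-auth` in namespace `vault`, which is a different identity, so TokenReview is forbidden and every login fails with "permission denied". A second mismatch is worth checking once the first is fixed: the client's login JWT must belong to a service account matching the role's `bound_service_account_names` and `bound_service_account_namespaces`, and `kubectl create serviceaccount vault-auth` without `-n` creates it in the kubeconfig's current namespace (normally `default`), not in `vault`. The script below decodes a service account token's claims (without verifying the signature, which is a diagnostic only: the API server's TokenReview is what actually validates the token, so never make an authorization decision from claims read this way), reports which service account it belongs to, emits the ClusterRoleBinding for exactly that subject, and mirrors Vault's bound-name/namespace check on the client token. The two tokens are constructed stand-ins with bogus signatures, and the assumption that the client pod's token is for `vault-auth` in `default` is mine, since the post does not say which namespace the client pod runs in.

```python
import base64
import json
from typing import Iterable, Tuple

# Claim names in legacy (secret-based) Kubernetes service account tokens, the kind
# mounted at /var/run/secrets/kubernetes.io/serviceaccount/token in 2020. Projected
# tokens carry the same identity under "kubernetes.io": {"namespace", "serviceaccount"}.
SA_NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying its signature (diagnostic only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def service_account_of(token: str) -> Tuple[str, str]:
    """(namespace, name) of the service account a Kubernetes SA token belongs to."""
    claims = decode_jwt_claims(token)
    if SA_NS_CLAIM in claims:  # legacy token format
        return claims[SA_NS_CLAIM], claims[SA_NAME_CLAIM]
    k8s = claims.get("kubernetes.io")  # projected (bound) token format
    if k8s:
        return k8s["namespace"], k8s["serviceaccount"]["name"]
    prefix = "system:serviceaccount:"
    sub = claims.get("sub", "")
    if sub.startswith(prefix):  # fall back to the subject, e.g. system:serviceaccount:vault:vault
        ns, name = sub[len(prefix):].split(":", 1)
        return ns, name
    raise ValueError("token carries no service account identity")


def auth_delegator_binding(ns: str, name: str) -> str:
    """ClusterRoleBinding granting system:auth-delegator (create tokenreviews) to the
    one service account whose token is used as Vault's token_reviewer_jwt."""
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: ClusterRoleBinding\n"
        "metadata:\n"
        "  name: vault-tokenreview-binding\n"
        "roleRef:\n"
        "  apiGroup: rbac.authorization.k8s.io\n"
        "  kind: ClusterRole\n"
        "  name: system:auth-delegator\n"
        "subjects:\n"
        "- kind: ServiceAccount\n"
        f"  name: {name}\n"
        f"  namespace: {ns}\n"
    )


def role_accepts(client_token: str, bound_names: Iterable[str], bound_namespaces: Iterable[str]) -> bool:
    """Mirror Vault's bound_service_account_names / bound_service_account_namespaces
    check on the login JWT ('*' matches anything, as in Vault)."""
    ns, name = service_account_of(client_token)
    names, namespaces = set(bound_names), set(bound_namespaces)
    return (name in names or "*" in names) and (ns in namespaces or "*" in namespaces)


def _unsigned_token(claims: dict) -> str:
    """Constructed test data: a JWT-shaped string with a bogus signature. The API
    server would reject it in TokenReview, which is exactly why the signature is
    never trusted here."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "bogus-signature"])


# Constructed stand-in for the token mounted in the Vault pod: it belongs to the SA the
# Vault pod runs as (`vault` in namespace `vault`), the identity named in the 403.
REVIEWER_JWT = _unsigned_token({
    "iss": "kubernetes/serviceaccount",
    SA_NS_CLAIM: "vault",
    SA_NAME_CLAIM: "vault",
    "sub": "system:serviceaccount:vault:vault",
})

# Constructed stand-in for the client pod's token. Assumption: `kubectl create
# serviceaccount vault-auth` without -n put the SA in `default`, not `vault`.
CLIENT_JWT = _unsigned_token({
    "iss": "kubernetes/serviceaccount",
    SA_NS_CLAIM: "default",
    SA_NAME_CLAIM: "vault-auth",
    "sub": "system:serviceaccount:default:vault-auth",
})

if __name__ == "__main__":
    ns, name = service_account_of(REVIEWER_JWT)
    print(f"token_reviewer_jwt belongs to system:serviceaccount:{ns}:{name}; bind that subject:\n")
    print(auth_delegator_binding(ns, name))
    # The role in the post binds vault-auth in namespace 'vault'.
    print("role 'backup' accepts client token:", role_accepts(CLIENT_JWT, ["vault-auth"], ["vault"]))
```

After applying the emitted binding, confirm the grant before touching Vault with `kubectl auth can-i create tokenreviews.authentication.k8s.io --as=system:serviceaccount:vault:vault`, which should print `yes`; then make sure the role's bound namespace matches where the client service account actually lives (or recreate it with `kubectl -n vault create serviceaccount vault-auth`). The token used as `token_reviewer_jwt` is a long-lived credential that lets Vault validate any service account token in the cluster, so keep it bound to exactly the one service account Vault runs as and nothing broader.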