Kubernetes Authentication denied

edoardo-c · June 3, 2020, 4:22am

Hi @rooftop90,
I wanted to get back to give a bit more information on what my problem was and how you helped fix it.

The problem was due to how I created the auth/kubernetes/role/backup,

edoardo-c:

vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

What I was doing was using the vault-0’s sa token which ended up being sa/vault.

By doing the following, you specify the use of sa/vault-auth and therefore configure auth/kubernetes/config correctly.

rooftop90:

export VAULT_SA_NAME=$(kubectl -n default get sa vault-auth -o jsonpath="{.secrets[*]['name']}")
export SA_JWT_TOKEN=$(kubectl -n default get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo)

Thanks again for your help!