Hi everyone! I'm trying to configure the Kubernetes authentication backend, but I'm facing an issue when I try to authenticate a service account.
After some research I didn’t find any solution.
Vault log:
2020-08-18T15:39:20.102Z [ERROR] auth.kubernetes.auth_kubernetes_e36498cf: login unauthorized due to: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:vault:vault-auth\" cannot create resource \"tokenreviews\" in API group \"authentication.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}
Kubernetes resources:

serviceaccount:

$ kubectl get serviceaccounts -n vault vault-auth -o yaml
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-08-18T15:18:05Z"
  name: vault-auth
  namespace: vault
  resourceVersion: "6276132075"
  selfLink: /api/v1/namespaces/vault/serviceaccounts/vault-auth
  uid: 3d563e0e-5f59-4806-916e-3731e4ac53da
secrets:
- name: vault-auth-token-gwcgj

clusterrolebinding:

$ kubectl get clusterrolebinding vault-auth -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-08-18T13:22:22Z"
  name: vault-auth
  resourceVersion: "6276132018"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/vault-auth
  uid: 66b1c102-4f49-4746-a459-4cd02e44ad97
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: vault

clusterrole:

$ kubectl get clusterrole system:auth-delegator -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2019-10-25T13:43:39Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:auth-delegator
  resourceVersion: "5746514639"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Aauth-delegator
  uid: ac0eee16-186b-4849-8933-6f33c6c982d7
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
Concerning Vault, it is configured by Terraform based on the k8s data source.
Thanks for your help!
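An added example, not part of the post and not Vault's or Kubernetes' own code: an offline check that parses the 403 Status JSON out of the Vault log line above and evaluates the denied request against the RBAC objects transcribed from the kubectl output, using the cluster-scope subject/rule matching RBAC applies. For this post's data it returns "rbac-objects-permit": the ClusterRoleBinding and ClusterRole shown do grant tokenreviews/create to system:serviceaccount:vault:vault-auth, so the deny points at a mismatch between the cluster kubectl is showing and the API server Vault actually called (where kubernetes_host points), rather than at the objects themselves.

```python
import json
import re
# Copy of the Vault log line from the post; the embedded Status JSON is what gets parsed.
VAULT_LOG = (
    '2020-08-18T15:39:20.102Z [ERROR] auth.kubernetes.auth_kubernetes_e36498cf: login unauthorized due to: '
    '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io '
    'is forbidden: User \\"system:serviceaccount:vault:vault-auth\\" cannot create resource \\"tokenreviews\\" '
    'in API group \\"authentication.k8s.io\\" at the cluster scope","reason":"Forbidden",'
    '"details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}'
)

# RBAC objects transcribed from the kubectl output in the post, reduced to the fields RBAC evaluates.
CLUSTER_ROLES = {
    "system:auth-delegator": [
        {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
        {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
    ]
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "system:auth-delegator"},
     "subjects": [{"kind": "ServiceAccount", "name": "vault-auth", "namespace": "vault"}]},
]

FORBIDDEN_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource '
                          r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')

def parse_forbidden(log_line):
    """Return (user, verb, resource, group) from the 403 Status JSON in a Vault k8s-auth login error."""
    status = json.loads(log_line.split("login unauthorized due to: ", 1)[1])
    if status.get("code") != 403:
        raise ValueError("not a Forbidden Status object")
    m = FORBIDDEN_RE.search(status["message"])
    return m.group("user"), m.group("verb"), m.group("resource"), m.group("group")

def rbac_allows(user, verb, resource, group):
    """Cluster-scope check: is `user` (a SA username) bound to a ClusterRole with a rule covering the request?"""
    def covers(rule):
        return all(v in rule[k] or "*" in rule[k] for k, v in
                   (("apiGroups", group), ("resources", resource), ("verbs", verb)))
    for crb in CLUSTER_ROLE_BINDINGS:
        subjects = {f"system:serviceaccount:{s['namespace']}:{s['name']}"
                    for s in crb["subjects"] if s["kind"] == "ServiceAccount"}
        if user in subjects and crb["roleRef"]["kind"] == "ClusterRole":
            if any(covers(r) for r in CLUSTER_ROLES.get(crb["roleRef"]["name"], [])):
                return True
    return False

def diagnose(log_line):
    # "permit" means the objects shown would allow the call, so look at which API server Vault is talking to.
    return "rbac-objects-permit" if rbac_allows(*parse_forbidden(log_line)) else "rbac-objects-deny"
```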