We are evaluating the following, fairly common scenario: sharing a Vault server between multiple development teams and configuring the Kubernetes Auth Method for those teams' workloads, which run on a shared Kubernetes cluster in different namespaces. Each team gets its own Vault namespace, and all of the Kubernetes Auth Method configuration (config, role, policy) is done separately in every Vault namespace. For the case where the configuration is done by some admin or security team, it works well. The admin team has a TokenReview service account token and ensures that the Kubernetes namespaces mentioned in the roles are really associated with the development team's Vault namespace. But if all of the Vault namespace configuration (including the Kubernetes Auth Method) is done by the development team itself, this cannot be guaranteed anymore. All the teams must know the TokenReview service account token, and they can define whatever they want in their Kubernetes config roles. That's a no-go for me.
Does this really mean that having an admin team configure all the tenant namespaces is the only option in this case, or am I missing something?
If I were doing this, I would be looking to automate as much of the Kubernetes and Vault namespace configuration as possible.
For example, even if I hand over Kubernetes and/or Vault administration to a different team, I would still be standardizing the setup using Terraform, Ansible, etc., using something like learn-vault-configuration/kubernetes/vault-auth-method/main.tf at main · hashicorp-education/learn-vault-configuration · GitHub to provision the k8s auth method (that one is set up for tutorials specifically to see the token; do not use it in production).
Instead of handing over the token as an output, write it to a Vault secret that is not accessible to the other teams, only to your automation platform. When that team needs to configure Vault, instead of doing so manually they trigger a run of a workflow (similar to learn-vault-configuration/vault/auth/kubernetes/main.tf at main · hashicorp-education/learn-vault-configuration · GitHub) to enable the auth method in Vault.
That team never sees the secrets, and your admin team standardizes everything in some automation tool to guarantee the configuration matches your standards.
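As an added illustration of the workflow described in the answer above (this is example code, not from the original post and not from the linked hashicorp-education repository): a per-tenant Terraform module that the admin team's automation runs on the tenant's behalf. The TokenReview JWT and cluster CA are read from a KV v2 secret in an admin-only mount that the tenant cannot read, the Kubernetes auth method is configured inside the tenant's Vault namespace, and a precondition refuses any role that binds a Kubernetes namespace the admin-maintained mapping does not assign to that tenant. The namespace names, mount name `platform`, secret path and key names, and the policies are assumptions chosen for the example.

```hcl
# Hypothetical per-tenant module run by the admin team's automation. The tenant
# can trigger a run but never holds the Vault token the provider uses.
# Namespace paths, mount names and secret keys below are assumptions.

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.7" # per-resource `namespace` argument
    }
  }
}

provider "vault" {
  # VAULT_ADDR / VAULT_TOKEN come from the automation platform's environment.
}

variable "tenant" {
  description = "Tenant name; also used as the tenant's Vault namespace path."
  type        = string
}

variable "k8s_namespaces" {
  description = "Kubernetes namespaces the tenant asks to bind to its role."
  type        = list(string)
}

variable "kubernetes_host" {
  description = "API server URL of the shared cluster."
  type        = string
}

locals {
  # Admin-maintained source of truth: which Kubernetes namespaces belong to
  # which tenant. Only this automation (not the tenant) can change it.
  tenant_k8s_namespaces = {
    team-a = ["team-a-dev", "team-a-prod"]
    team-b = ["team-b"]
  }
}

# TokenReview service account JWT and cluster CA, stored by the admin team in
# an admin-only KV v2 mount (assumed mount "platform", secret "k8s/token-reviewer").
data "vault_kv_secret_v2" "token_reviewer" {
  mount = "platform"
  name  = "k8s/token-reviewer"
}

resource "vault_namespace" "tenant" {
  path = var.tenant
}

resource "vault_auth_backend" "kubernetes" {
  namespace = vault_namespace.tenant.path
  type      = "kubernetes"
  path      = "kubernetes"
}

# The token only ever flows from the admin-only secret into the auth config;
# it is never an output and never visible to the tenant.
resource "vault_kubernetes_auth_backend_config" "this" {
  namespace          = vault_namespace.tenant.path
  backend            = vault_auth_backend.kubernetes.path
  kubernetes_host    = var.kubernetes_host
  kubernetes_ca_cert = data.vault_kv_secret_v2.token_reviewer.data["ca_cert"]
  token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer.data["jwt"]
}

resource "vault_policy" "workload" {
  namespace = vault_namespace.tenant.path
  name      = "workload"
  policy    = <<-EOT
    path "secret/data/*" { capabilities = ["read"] }
  EOT
}

resource "vault_kubernetes_auth_backend_role" "workload" {
  namespace                        = vault_namespace.tenant.path
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "workload"
  bound_service_account_names      = ["*"]
  bound_service_account_namespaces = var.k8s_namespaces
  token_policies                   = [vault_policy.workload.name]
  token_ttl                        = 3600

  lifecycle {
    # Fail the run unless every requested Kubernetes namespace is one the
    # admin mapping assigns to this tenant, so a tenant cannot bind another
    # team's namespace to its own role.
    precondition {
      condition = alltrue([
        for ns in var.k8s_namespaces :
        contains(lookup(local.tenant_k8s_namespaces, var.tenant, []), ns)
      ])
      error_message = "Tenant ${var.tenant} may only bind its own Kubernetes namespaces."
    }
  }
}

# What the tenant's own admins get inside their namespace: their secrets and
# policies, but no write access to the auth method config or role bindings.
resource "vault_policy" "tenant_admin" {
  namespace = vault_namespace.tenant.path
  name      = "tenant-admin"
  policy    = <<-EOT
    path "secret/*"               { capabilities = ["create", "read", "update", "delete", "list"] }
    path "sys/policies/acl/*"     { capabilities = ["create", "read", "update", "delete", "list"] }
    path "auth/kubernetes/config" { capabilities = ["deny"] }
    path "auth/kubernetes/role/*" { capabilities = ["read", "list"] }
  EOT
}
```

The `precondition` is the piece that answers the original concern: the tenant chooses `k8s_namespaces` as a workflow input, but the allowed set lives in `local.tenant_k8s_namespaces`, which only the admin team's repository controls. The `tenant_admin` policy is what the tenant's people would actually log in with; it deliberately leaves `auth/kubernetes/config` denied and the roles read-only, so changing a binding means re-running the workflow, not editing Vault by hand.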