Question about Vault 0.11.0 and Kubernetes 1.21.9 compatibility

Hello and nice to meet you all :blush: Hope everything is going great. I have the following question about Kubernetes and Vault compatibility.

Right now, I am using Vault version 0.11.0 with storage backend Consul 1.2.2, and we are using the Vault Kubernetes auth method to connect to a cluster on version 1.20.8, and everything is working great.

We have in mind to migrate our Kubernetes cluster to version 1.21.9 in the near future, and I was reading this document, "Kubernetes - Auth Methods | Vault by HashiCorp", which says we need to set disable_iss_validation=true when we write to our auth/Kubernetes/config and add that parameter.

I tested this inside my Vault 0.11.0 by writing some example config like:

vault write auth/kubernetes/config \
token_reviewer_jwt=$MY_TOKEN_REVIEWER \
kubernetes_host=$MY_KUBERNETES_HOST \
kubernetes_ca_cert=@my_kubernetes_ca_cert \
disable_iss_validation=true

When I executed it, I could see that the data was written successfully! But when I try to read the configuration with vault read auth/Kubernetes/config, I don’t see the disable_iss_validation parameter.
So my question is: if I change to version 1.21.9, would I see some errors in “iss validation” and not be able to use the disable_iss_validation=true parameter?

Thank you very much for your help

Are you really using Vault 0.11.0, released in 2018?!?

You urgently need to upgrade.

You need a much more recent version to be compatible with Kubernetes 1.21.

This may have something to do with your version of Vault. That variable may not have existed in that version (I have not verified this). Any reason you’re on such an old version?

With 1.9 and 1.10 I tested it and it worked.

A) Can you post the output of vault auth list?
If your auth path is kubernetes then it should work. I use specific names for mine since I have a prod and a test cluster.

B) Example:

$ vault read -field=disable_iss_validation auth/kubernetes-lab/config
true
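Added example, not part of the thread and not HashiCorp's code: a read-back check for the situation described above, where the write succeeds but the field never appears in the stored config. It classifies the JSON printed by `vault read -format=json auth/<mount>/config` and compares a service account token's `iss` claim with the issuer the mount would expect. Assumptions: the config and tokens are constructed samples, the bound-token issuer shown is only a typical value that depends on the cluster, and a server that does not list the field is assumed to still check `iss` against the default `kubernetes/serviceaccount`.

```python
import base64
import json

LEGACY_ISSUER = "kubernetes/serviceaccount"  # Vault's default expected issuer

def jwt_issuer(token):
    """Return the unverified 'iss' claim of a compact JWT (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("iss", "")

def iss_validation_state(config_json):
    """Classify the JSON printed by `vault read -format=json auth/<mount>/config`."""
    data = json.loads(config_json).get("data") or {}
    if "disable_iss_validation" not in data:
        return "unsupported"  # the write was accepted but the field was not stored
    return "disabled" if data["disable_iss_validation"] else "enabled"

def assess(config_json, token):
    """Say whether this token's issuer would pass the mount's iss check."""
    data = json.loads(config_json).get("data") or {}
    state = iss_validation_state(config_json)
    if state == "disabled":
        return "ok: iss is not validated"
    expected = data.get("issuer") or LEGACY_ISSUER
    issuer = jwt_issuer(token)
    if issuer == expected:
        return "ok: issuer matches " + expected
    return "mismatch (%s): token iss %r, expected %r" % (state, issuer, expected)

def _sample_jwt(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

# Constructed samples: config read-backs from an old and a newer server, and
# tokens with the legacy issuer and with a cluster-specific (bound token) issuer.
OLD_CONFIG = '{"data": {"kubernetes_host": "https://k8s.example:6443"}}'
NEW_CONFIG = '{"data": {"disable_iss_validation": true, "issuer": ""}}'
LEGACY_TOKEN = _sample_jwt({"iss": LEGACY_ISSUER})
BOUND_TOKEN = _sample_jwt({"iss": "https://kubernetes.default.svc.cluster.local"})

if __name__ == "__main__":
    for cfg in (OLD_CONFIG, NEW_CONFIG):
        for tok in (LEGACY_TOKEN, BOUND_TOKEN):
            print(iss_validation_state(cfg), "->", assess(cfg, tok))
```

Running the read-back before the cluster upgrade shows whether the mount actually stored the setting, rather than relying on the success message from `vault write`.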

Hello maxb, you are right, I think the next step will be to upgrade our Vault version.

Hello Aram, thanks for your answer,

Here is my output after I run
vault read -field=disable_iss_validation auth/kubernetes/config
to a valid auth Kubernetes method

It seems my old Vault 0.11.0 doesn’t support disable_iss_validation. Is there any workaround for this version, or is upgrading the recommended path?

Thanks a lot