Use LDAP groups as Organizations in Certificate

Kubernetes supports x509 client certs for authorization [1]. The CN is used for the username and group membership can be indicated by using the certificate’s Organization fields. To include multiple group memberships, include multiple organization fields in the certificate.

We have a Vault cluster running with the ldap backend enabled and configured to authenticate users against Active Directory. They can generate a client certificate for Kubernetes authentication. We use the Organization field to confine users to the Kubernetes namespaces we created for the different groups.

Vault is configured with a PKI role that allows domain templating and we use the alias of an entity to set the CN to the username of the authenticated user ({{ }}).

We have users that belong to multiple groups. To accommodate these users having access to multiple namespaces, we have created a PKI role for every group and set the Organization field to the name of the group in Active Directory.

Although this is automated to a large extent, it is still a bit cumbersome, and I would like to reduce this to a single PKI role that can set multiple Organization fields based on the users' group memberships in Active Directory.

My first hurdle is to get access to the groups an Active Directory user is a member of. The LDAP auth plugin is working and policy mapping based on group membership works as well, but the groups don’t seem to be accessible via the mapped Vault entity. Is this correct or am I missing something? If this is correct, I will make a feature request to make the group memberships available in the entity like the username already is.

The second part would be to allow for templating of the Organization field in a PKI role. As far as I can see, and have tested, this is currently not possible. Is this also correct? If so, I will make a feature request for this as well.

[1] Authenticating | Kubernetes
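
The certificate layout described in the post, as an added example that is not part of the original post and is neither Vault's nor Kubernetes' own code: it builds a client certificate with one CN and several Organization values, then reads them back as username and groups. The function names `issueClientCert` and `identityFromCert`, the user `jdoe` and the groups `team-a` and `team-b` are hypothetical, and self-signing stands in for the issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueClientCert returns a DER client certificate with one CN and one O value
// per group. Hypothetical helper: self-signing stands in for the issuing CA.
func issueClientCert(user string, groups []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: user, Organization: groups},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// identityFromCert maps the subject as the post describes: the CN is the
// username and every O value is a group (order of groups is not significant).
func identityFromCert(der []byte) (string, []string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

func main() {
	der, err := issueClientCert("jdoe", []string{"team-a", "team-b"}) // constructed sample values
	if err != nil {
		panic(err)
	}
	user, groups, err := identityFromCert(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user=%s groups=%v\n", user, groups)
}
```

Running the same `identityFromCert` check against a certificate issued by a PKI role is a quick way to confirm which groups a user would be granted before the certificate is handed out.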