Using Vault Kubernetes Auth Method with no DNS route to cluster

Kampe · August 15, 2020, 7:50am

Hello! Hoping someone can solve this for me - or not…

I’m attempting to use the k8s auth method and am hitting a wall as my clusters are not contactable by my vault servers, but my clusters can contact my vault servers at a FQDN. Why does vault need to be so tightly bound to a service account that it needs to reach back into my cluster to auth it again? Can’t I just set up the relationship to allow my cluster to retrieve secrets without my vault having to know about every cluster’s address?

Is there a way around this?

martinhristov90 · August 21, 2020, 8:16am

Hello Kampe,

Regarding this :

Why does vault need to be so tightly bound to a service account that it needs to reach back into my cluster to auth it again?

Vault needs to contact the K8S API and more specifically TokenReview endpoint, so it can verify the validity of the JWT provided by the pod that wants to authenticate to Vault.

Regarding this :

 Can’t I just set up the relationship to allow my cluster to retrieve secrets without my vault having to know about every cluster’s address?

I do not think that this would be possible, although I might be wrong. ’

Martin