Have a question regarding setting up the Kubernetes Auth method and Policy setup to authenticate and fetch secrets from Vault.
Kubernetes Setup
I have two apps in a k8s namespace and a service account for Vault authentication:
  Namespace: finance
  Deployments: finance-app1, finance-app2
  Service Account: vault-auth
Vault Setup
I have created a Role and a Policy for this namespace.
Role: finance-app1-role
{
  "bound_service_account_names": "vault-auth",
  "bound_service_account_namespaces": "finance",
  "policies": ["finance-app1-policy"],
  "max_ttl": 1800000
}
Policy: finance-app1-policy
{
  "policy": "path \"secret/finance/app1/*\" { capabilities = [\"read\", \"list\"] }"
}
In Vault, I have one secret store named finance and two folders under that for app1 and app2 that have their secrets.
When authenticating and accessing secrets from finance-app1, I pass a JWT and the finance-app1-role to get the Vault token, and use the token to access the tokens in the finance/app1 secret store.
{
  "jwt": "",
  "role": "finance-app1-role"
}
What I see is that, since the service account is accessible to both apps in the namespace, both finance-app1 and finance-app2 can use the same role and service account to access both finance-app1 and finance-app2 secrets, in addition to their own.
I am trying to see if there is a way to lock down the access even further so that only finance-app1 can access secrets under /finance/app1 in Vault, and not finance-app2.
Please help.
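The enforcement point in this setup is the role's bound_service_account_names: Vault learns the pod's service account from the JWT, so a role bound to a service account shared by two Deployments cannot tell the two apps apart. The following is an added illustration, not part of the original post and not Vault's own code: it is a reduced model of the Kubernetes auth role binding plus policy path matching (exact path or trailing "*" prefix; an explicit deny wins), and it contrasts the post's shared-service-account configuration with one service account per Deployment. The names finance-app1-sa and finance-app2-sa, the second role and policy, and the secret path secret/finance/app1/db are assumptions.

```python
"""Simplified model of Vault's Kubernetes auth role binding and policy
path matching.  Added illustration for the question above; this is not
Vault's code, and the rules are a reduced subset (exact path or trailing
'*' prefix glob; an explicit deny wins).  The service account names
finance-app1-sa and finance-app2-sa are assumed, not from the post."""

from typing import Dict, List, Optional


def path_matches(policy_path: str, request_path: str) -> bool:
    """A policy path matches exactly, or as a prefix when it ends in '*'."""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return policy_path == request_path


def login(roles: Dict[str, dict], role_name: str,
          sa_namespace: str, sa_name: str) -> Optional[List[str]]:
    """Return the policies a Kubernetes JWT for (namespace, service account)
    obtains through the named auth role, or None when the role's
    bound_service_account_* settings reject that identity."""
    role = roles.get(role_name)
    if role is None:
        return None
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    if "*" not in names and sa_name not in names:
        return None
    if "*" not in namespaces and sa_namespace not in namespaces:
        return None
    return list(role["policies"])


def can_read(policies: Dict[str, List[dict]], token_policies: List[str],
             request_path: str) -> bool:
    """Union 'read' over the token's policies; an explicit deny overrides."""
    allowed = False
    for name in token_policies:
        for rule in policies.get(name, []):
            if path_matches(rule["path"], request_path):
                if "deny" in rule["capabilities"]:
                    return False
                if "read" in rule["capabilities"]:
                    allowed = True
    return allowed


# Constructed policies: the post's finance-app1-policy and its app2 twin.
POLICIES = {
    "finance-app1-policy": [
        {"path": "secret/finance/app1/*", "capabilities": ["read", "list"]}],
    "finance-app2-policy": [
        {"path": "secret/finance/app2/*", "capabilities": ["read", "list"]}],
}

# Setup A, the post's situation: both roles bound to the one shared
# service account, so every pod in the namespace can log in to either.
SHARED_ROLES = {
    "finance-app1-role": {"bound_service_account_names": ["vault-auth"],
                          "bound_service_account_namespaces": ["finance"],
                          "policies": ["finance-app1-policy"]},
    "finance-app2-role": {"bound_service_account_names": ["vault-auth"],
                          "bound_service_account_namespaces": ["finance"],
                          "policies": ["finance-app2-policy"]},
}

# Setup B: one service account per Deployment (assumed names), each role
# bound to exactly one of them.  The JWT Vault receives names the pod's
# service account, so a finance-app2 pod cannot log in to finance-app1-role.
PER_APP_ROLES = {
    "finance-app1-role": {"bound_service_account_names": ["finance-app1-sa"],
                          "bound_service_account_namespaces": ["finance"],
                          "policies": ["finance-app1-policy"]},
    "finance-app2-role": {"bound_service_account_names": ["finance-app2-sa"],
                          "bound_service_account_namespaces": ["finance"],
                          "policies": ["finance-app2-policy"]},
}


def app_can_read(roles: Dict[str, dict], role_name: str, sa_name: str,
                 request_path: str, namespace: str = "finance") -> bool:
    """End to end: present the pod's service account JWT to a role, then
    try to read a path with the resulting token."""
    token_policies = login(roles, role_name, namespace, sa_name)
    if token_policies is None:
        return False  # login refused by the role's bindings
    return can_read(POLICIES, token_policies, request_path)


if __name__ == "__main__":
    app1_db = "secret/finance/app1/db"
    # Shared SA: a finance-app2 pod reaches app1's secrets via finance-app1-role.
    print("shared SA, app2 pod reads app1:",
          app_can_read(SHARED_ROLES, "finance-app1-role", "vault-auth", app1_db))
    # Per-app SA: the same attempt is refused at login.
    print("per-app SA, app2 pod reads app1:",
          app_can_read(PER_APP_ROLES, "finance-app1-role", "finance-app2-sa", app1_db))
```

In a real cluster Setup B means giving each Deployment its own ServiceAccount via `serviceAccountName` in the pod spec and writing one auth role per app, for example `vault write auth/kubernetes/role/finance-app2-role bound_service_account_names=finance-app2-sa bound_service_account_namespaces=finance policies=finance-app2-policy`; Vault's real policy matcher has more features than this model (segment wildcards, longest-prefix precedence), but the binding logic that decides which pods may log in to which role is the part that matters for the question.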