Hi everyone. I work in an environment that has a lot of Kubernetes clusters but a single Vault cluster. The k8s clusters are running on on-prem servers on kubeadm/microk8s. Is there a way to integrate all these k8s clusters with a single Vault cluster, and if so, how? Would I have to enable k8s auth (i.e. `vault auth enable kubernetes` and `vault write` the config) for every k8s cluster? Please note I am talking about around 500+ clusters.
Hi there.
That might work though it would be helpful to have more context.
For instance:
- What's the expected average xaccts/s for the typical k8s cluster and its workloads?
- What is the distance, in a geographic sense and in "network distance", between Vault and the edge clusters? And thus what is acceptable latency?
- How resilient do you need to be to network partitions?
- What is the acceptable maintenance window for Vault downtime during upgrades and such?
Even without answers to those questions I would probably lean toward building some more redundancy and locality considerations into the design.
Yes, exactly that.
You would need to pick a naming scheme for all these Kubernetes auth methods in Vault, e.g. `auth/kubernetes/<name-of-cluster>`, and furthermore pods running in each cluster would need a way to discover the name of their cluster, so they can talk to the correct auth method within Vault.
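As an added illustration of the per-cluster mount scheme described in this thread (this is example code, not something posted by the participants or shipped by HashiCorp), the script below registers one Kubernetes auth mount per cluster at `auth/kubernetes/<cluster-name>`. It assumes the `vault` CLI is installed with `VAULT_ADDR` and `VAULT_TOKEN` set, and that for each cluster you already have the API server URL, its CA certificate and a token-reviewer JWT on disk. The inventory at the bottom is constructed sample data, and `DRY_RUN` defaults to 1 so the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Example: one Vault Kubernetes auth mount per cluster, named
# auth/kubernetes/<cluster>. Assumes vault CLI + VAULT_ADDR/VAULT_TOKEN.
set -eu

# Default to printing the vault commands rather than executing them.
: "${DRY_RUN:=1}"

# Map a cluster name to its mount path under auth/. Cluster names are
# restricted to a safe character set so the path cannot contain '/' or
# whitespace and two clusters cannot collide on a normalised name.
mount_path() {
  cluster="$1"
  case "$cluster" in
    *[!A-Za-z0-9._-]*|"")
      echo "invalid cluster name: '$cluster'" >&2
      return 1
      ;;
  esac
  printf 'kubernetes/%s\n' "$cluster"
}

# Execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Enable and configure the auth method for one cluster.
# Args: cluster name, API server URL, CA cert PEM path, reviewer JWT path.
# The '@file' form makes the vault CLI read the value from a file, so the
# CA and JWT never appear on the command line or in shell history.
register_cluster() {
  cluster="$1"; host="$2"; ca_file="$3"; jwt_file="$4"
  path="$(mount_path "$cluster")" || return 1
  run vault auth enable -path="$path" kubernetes
  run vault write "auth/$path/config" \
    kubernetes_host="$host" \
    kubernetes_ca_cert=@"$ca_file" \
    token_reviewer_jwt=@"$jwt_file"
  # A minimal per-cluster role; tighten the bindings and policies for real use.
  run vault write "auth/$path/role/default" \
    bound_service_account_names=default \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h
}

# Constructed inventory: <cluster> <api-url> <ca-file> <reviewer-jwt-file>.
# In practice this would come from your cluster inventory system.
while read -r cluster host ca jwt; do
  register_cluster "$cluster" "$host" "$ca" "$jwt"
done <<'EOF'
prod-eu-1 https://10.0.1.10:6443 /etc/clusters/prod-eu-1/ca.crt /etc/clusters/prod-eu-1/reviewer.jwt
prod-us-1 https://10.0.2.10:6443 /etc/clusters/prod-us-1/ca.crt /etc/clusters/prod-us-1/reviewer.jwt
EOF
```

Run it with `DRY_RUN=0` once the inventory points at real files. On the pod side, the cluster name has to reach the workload somehow (a ConfigMap or an environment variable set by whatever deploys to that cluster is the usual route); with the Vault Agent Injector the `vault.hashicorp.com/auth-path` annotation can then point a pod at `auth/kubernetes/<cluster>` instead of the default `auth/kubernetes`.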