Hi everyone. I work at an environment that has a lot of kubernetes clusters but with a single vault cluster. The k8s clusters are running on-prem servers and are running on kubeadm/microk8s. Is there a way to integrate all these k8s clusters to a single vault cluster, if so how? Would I have to enable k8s auth(i.e vault enable k8s & vault write configs) for every k8s cluster please take note I am talking around the 500+.
That might work though it would be helpful to have more context.
Whats’ the expected average xaccts/s for the typical k8s cluster and its workloads?
What is the distance – in a geographic sense and in “network distance” – between Vault and the edge clusters? And thus what is acceptable latency?
How resilient do you need to be to network partitions?
What is acceptable maintenance window for Vault downtime during upgrades and such?
Even without answers to those questions I would probably lean toward building some more redundancy and locality considerations into the design.
Yes, exactly that.
You would need to pick a naming scheme for all these kubernetes auth methods in Vault - e.g.
auth/kubernetes/<name-of-cluster> - and furthermore pods running in each cluster would need a way to discover the name of their cluster, so they can talk to the correct auth method within Vault.