Vault: login unauthorized due to: Post apis/authentication.k8s.io/v1/tokenreviews

Hi all,
I am trying to have a pod authenticate to Vault using Kubernetes auth. I was able to successfully inject my secrets into the pod in the test environment before, but now I am getting an authentication error while doing this in the production environment.
When I try to authenticate, I get the following error:

Vault Logs:
[ERROR] auth.kubernetes.auth_kubernetes_c5b8ece7: login unauthorized due to: Post "https://K8S:6443/apis/authentication.k8s.io/v1/tokenreviews": dial tcp 10.x.x.x:6443: i/o timeout

Kubernetes Logs:
Error making API request.
URL: PUT https://vault_addr:8200/v1/auth/kubernetes/login
Code: 403. Errors:

  • permission denied

Kubernetes: 1.21
Vault: 1.10.0

application.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-test-app
  namespace: vault-test
  labels:
    app.kubernetes.io/app: vault-test-app
    app.kubernetes.io/version: "0.0.1"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-test-app
  namespace: vault-test
  labels:
    app.kubernetes.io/app: vault-test-app
    app.kubernetes.io/version: "0.0.1"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/app: vault-test-app
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "vault-test-app"
        vault.hashicorp.com/agent-inject-secret-static.properties: "secret/data/vault-test-app"
        vault.hashicorp.com/agent-inject-template-static.properties: |
          {{- with secret "secret/data/vault-test-app" -}}
          {{- range $k, $v := .Data.data }}
          {{ $k }}={{ $v }}
          {{- end }}
          {{- end }}
      labels:
        app.kubernetes.io/app: vault-test-app
    spec:
      serviceAccountName: vault-test-app
      containers:
        - name: vault-test-app
          image: "busybox:1.33.0"
          imagePullPolicy: "IfNotPresent"
          command:
            - sleep
            - "3600"

In the agent YAML we changed this:

  - name: AGENT_INJECT_VAULT_ADDR
    value: https://vault_addr:8200

Config Kubernetes Auth:

vault auth enable kubernetes

vault write auth/kubernetes/config \
    token_reviewer_jwt="JWT_TOKEN" \
    kubernetes_host=https://KUBERNETES_ADDR:6443 \
    kubernetes_ca_cert=@ca.crt

vault write auth/kubernetes/role/vault-test-app \
    bound_service_account_names=vault-test-app \
    bound_service_account_namespaces=vault-test \
    policies=vault-test-app

vault-test-app policy:

path "database/creds/vault-test-app_postgresql_vaulttestapp" {
  capabilities = ["read"]
}
path "secret/data/vault-test-app" {
  capabilities = ["read"]
}

Can you help with this or suggest things I should check?
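The Vault log shows the TokenReview request itself timing out before the API server answers, which is a different failure from a rejected reviewer JWT or missing RBAC. The script below is an added example (not code from the post or from Vault) that reproduces the same POST from wherever Vault runs, using the kubernetes_host, token_reviewer_jwt and ca.crt written to auth/kubernetes/config plus a pod's service-account JWT, and classifies the outcome; the hostnames and token names are placeholders.

```python
import json
import ssl
import sys
import urllib.error
import urllib.request

TOKENREVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"


def build_tokenreview(pod_jwt):
    """Body Vault sends: a TokenReview carrying the pod's service-account JWT."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": pod_jwt}}


def interpret(status, body):
    """Map the API server's answer (or a network failure) to the layer that needs fixing."""
    if status is None:  # no answer at all: the 'dial tcp ... i/o timeout' case from the Vault log
        return "network-unreachable:" + body.get("error", "")
    if status == 401:  # token_reviewer_jwt itself is invalid or expired
        return "reviewer-jwt-rejected"
    if status == 403:  # reviewer service account lacks the system:auth-delegator ClusterRole binding
        return "reviewer-lacks-rbac"
    if status not in (200, 201):
        return "unexpected-%d" % status
    st = body.get("status", {})
    if st.get("authenticated"):
        return "authenticated:" + st.get("user", {}).get("username", "")
    return "pod-jwt-rejected:" + st.get("error", "")


def review(host, reviewer_jwt, pod_jwt, ca_path, timeout=5.0):
    """POST the TokenReview as Vault does; returns (status, body), status None on network failure."""
    ctx = ssl.create_default_context(cafile=ca_path)
    req = urllib.request.Request(
        host.rstrip("/") + TOKENREVIEW_PATH,
        data=json.dumps(build_tokenreview(pod_jwt)).encode(),
        headers={"Authorization": "Bearer " + reviewer_jwt, "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, {}
    except OSError as e:  # URLError, DNS failure, connection refused, timeout
        return None, {"error": str(getattr(e, "reason", e))}


if __name__ == "__main__":
    # Usage from where Vault runs: tokenreview.py https://KUBERNETES_ADDR:6443 REVIEWER_JWT POD_JWT ca.crt
    print(interpret(*review(*sys.argv[1:5])))
```

If this prints network-unreachable from the Vault host while kubectl works from your workstation, the problem is routing or a firewall between Vault and the API server on port 6443, not the auth configuration.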