Vault Role Policy for K8s pods

AdrianXIA · September 29, 2023, 9:15am

Hello All!

I have a setup with Vault and Kubernetes. K8s pods have access to Vault via Vault Role (Kubernetes auth) with vault agent/sidecars setup.

I observed that:

adding a new policy to a Vault role when the pod is in running state, the new permissions are not reflected until the pod is restarted.
instead of adding a new policy and editing a policy that was attached to Vault role before pod is created, it works when pods is in running state.

Exactly, it happens when I give permission to db role under Vault database engine:

2023-09-29T09:10:05.323Z [WARN] (view) vault.read(database/creds/<db_role>): Error making API request. Code: 403. Error: permission denied

Is there any limitation? Is there any solution for first scenario?

Thank you!

Topic		Replies	Views
[INFO] agent.auth.handler: authenticating [URL: PUT http://x.x.svc:8200/v1/auth/kubernetes/login\|Code: 403\|permission denied] Vault k8s	1	799	February 1, 2024
Got 403 Permission Denied issue while deploying Vault in Kubernetes Vault vault	6	968	April 7, 2023
Permission denied when trying to read data from vault Vault k8s , connect , vault	8	39256	June 27, 2024
Vault and kubernetes 1.21 Vault k8s , vault	1	1046	March 11, 2022
403 permission denied errors while connecting to vault from k8s cluster Vault k8s , vault	0	299	February 16, 2023