Which auth method is preferred and is best practice in Kubernetes/OpenShift

We have the traditional TLS certificate (mTLS) auth method and the Kubernetes auth method to choose from in a K8s/OpenShift environment.

We are leaning towards the “Kubernetes Auth Method”, as it integrates seamlessly in K8s and we can use the modern approach of pod injection/init container techniques.

What is the community recommendation and best practice for selecting one? Is there any documentation to help make this choice?

I’m not sure there is much of a choice. If you want long-lived, auto-auth and less hassle, the Kubernetes auth method is the only choice. All of the rest require admin hours and a lot of setup and support.

The sad part is all of them, including the Kubernetes auth method (per namespace), use up a user license, since it’s a unique auth entity.

Thank you for your response. Do you see any security issues with the “Kubernetes Auth Method”, like man-in-the-middle attacks, etc.?

We have internal white teams that try this stuff out, and we have not seen any issues; however, we’re on an internal network and none of our traffic goes anywhere outside without a tunnel and/or encryption.

Obviously, keeping up with the security patches, Helm versions, as well as the agent versions is important if that’s a concern.
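As an added example (not from this thread or from HashiCorp), the two settings that address the concerns raised above when using the Vault Kubernetes auth method: pinning the API server CA so token reviews are not exposed to a man-in-the-middle, and binding each role to one service account in one namespace with a short TTL. The role, service account, namespace and policy names are assumptions; the `check_role_binding` guard is a local helper, not a Vault feature.

```shell
#!/usr/bin/env sh
# Added example: least-privilege Vault Kubernetes auth setup (names assumed).
set -eu

# Local helper: refuse bindings that would let any service account or any
# namespace log in. Returns 0 when both are explicit, 1 when either is "*" or empty.
check_role_binding() {
  sa="$1"; ns="$2"
  case "$sa" in ''|'*') return 1 ;; esac
  case "$ns" in ''|'*') return 1 ;; esac
  return 0
}

# Point the auth method at the in-cluster API server and pin its CA, so the
# TokenReview calls Vault makes are verified against the cluster's own CA
# (paths are the standard in-pod service account mount; assumed here).
configure_kubernetes_auth() {
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
}

# One role per workload: bound to a single service account in a single
# namespace, a read-only policy, and a short token TTL.
create_role() {
  role="$1"; sa="$2"; ns="$3"; policy="$4"
  check_role_binding "$sa" "$ns" || {
    echo "refusing wildcard binding for role $role" >&2
    return 1
  }
  vault write "auth/kubernetes/role/$role" \
    bound_service_account_names="$sa" \
    bound_service_account_namespaces="$ns" \
    policies="$policy" \
    ttl=1h
}

# Only talk to a Vault server when explicitly asked (needs VAULT_ADDR/VAULT_TOKEN).
if [ "${1:-}" = "apply" ]; then
  configure_kubernetes_auth
  create_role payments-app payments-sa payments payments-read
fi
```

Run with `apply` against a dev Vault to create the role; without arguments the script only defines the functions.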

Thank you. Do you work for Vault or for another company (if you are OK to share)?

I do not work for HashiCorp. I’m a Vault user/admin and have been using it for about 7 years.