Vault: using Kubernetes as an authentication backend

Vault with Kubernetes authentication

Configuration

Vault can authenticate clients with Kubernetes service account tokens, validating them through the Kubernetes API.

# Create a service account in Kubernetes for Vault to use when calling the API
kubectl create sa vault-auth
# Find the token and CA certificate of the vault-auth service account
kubectl get secret | grep vault-auth-token | awk '{print $1}' | xargs kubectl get -o yaml secret

[screenshot: YAML of the vault-auth-token secret, showing its ca.crt and token fields]

Base64-decode the ca.crt and token fields shown in the screenshot to obtain the CA certificate and the service account token.

# Enable the Kubernetes auth method with the Vault CLI
vault auth enable kubernetes

# token_reviewer_jwt is the base64-decoded token from the screenshot above
# kubernetes_host is the address of the Kubernetes API server
# kubernetes_ca_cert is the path of a file holding the base64-decoded ca.crt from the screenshot above
vault write auth/kubernetes/config \
    token_reviewer_jwt="reviewer_service_account_jwt" \
    kubernetes_host=https://192.168.99.100:8443 \
    kubernetes_ca_cert=@ca.crt
# Allow Vault to call the Kubernetes TokenReview API with the vault-auth service account
# cat rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default
# kubectl apply -f rbac.yaml

Authenticating with a Kubernetes service account

Create a Vault role

vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h

Authenticate

# role is the role created in Vault above; jwt is the token of the Kubernetes service account
curl -X POST https://vault:8200/v1/auth/kubernetes/login -d '{"role": "demo", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'
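As an added example (not code from the original post), a small Python pre-flight check a client can run before calling the login endpoint: it parses the service account JWT's claims, compares them with the `demo` role's `bound_service_account_names` and `bound_service_account_namespaces`, and builds the login body the curl command sends. The `DEMO_ROLE` dict, the function names and the sample tokens are assumptions; the tokens are constructed and unsigned, because only Vault, through the Kubernetes TokenReview API (which is why the `system:auth-delegator` binding above is needed), can verify a real token.

```python
import base64
import json

# Role definition mirroring `vault write auth/kubernetes/role/demo ...` above (assumed shape).
DEMO_ROLE = {
    "bound_service_account_names": ["vault-auth"],
    "bound_service_account_namespaces": ["default"],
}
# Claims Kubernetes places in the secret-backed service-account tokens this post reads.
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_CLAIM = "kubernetes.io/serviceaccount/service-account.name"

def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Return the payload WITHOUT verifying the signature: only Vault, through the
    Kubernetes TokenReview API, decides whether a token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def matches_role(token, role):
    """Pre-flight check against the role's bound_* lists ('*' matches anything, as in Vault)."""
    claims = jwt_claims(token)
    ns, sa = claims.get(NS_CLAIM), claims.get(SA_CLAIM)
    if ns is None or sa is None:
        return False, "token lacks service-account claims"
    names, namespaces = role["bound_service_account_names"], role["bound_service_account_namespaces"]
    if "*" not in names and sa not in names:
        return False, f"service account {sa!r} is not bound to this role"
    if "*" not in namespaces and ns not in namespaces:
        return False, f"namespace {ns!r} is not bound to this role"
    return True, "ok"

def login_payload(role_name, token):
    """Request body for POST /v1/auth/kubernetes/login, as the curl command above sends it."""
    return json.dumps({"role": role_name, "jwt": token})

def make_unsigned_jwt(claims):
    """CONSTRUCTED, unsigned (alg=none) token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed sample tokens: one matching the demo role, one from the wrong namespace.
GOOD_TOKEN = make_unsigned_jwt({"sub": "system:serviceaccount:default:vault-auth",
                                NS_CLAIM: "default", SA_CLAIM: "vault-auth"})
WRONG_NS_TOKEN = make_unsigned_jwt({NS_CLAIM: "kube-system", SA_CLAIM: "vault-auth"})
```

Inside a pod the real token is read from /var/run/secrets/kubernetes.io/serviceaccount/token and passed to `login_payload` unchanged.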