Questions on Vault auth with k8s #6987

Closed
goplusgo opened this issue Jun 26, 2019 · 7 comments
Comments

@goplusgo

According to https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s , in order to configure k8s auth, we need to have a config like:

# Tell Vault how to communicate with the Kubernetes (Minikube) cluster
$ vault write auth/kubernetes/config \
        token_reviewer_jwt="$SA_JWT_TOKEN" \
        kubernetes_host="https://$K8S_HOST:8443" \
        kubernetes_ca_cert="$SA_CA_CRT"

Is the token_reviewer_jwt mandatory? I tried with only the kubernetes_ca_cert and it still works. Did I miss anything?

Second, for the vault-auth account, we need to use ClusterRoleBinding. I tried with RoleBinding and it didn't work. Can I know why we have to use ClusterRoleBinding?

Thanks.

@michelvocks
Contributor

Hi @JoeyLuffa,

token_reviewer_jwt is not mandatory. See the API specification: https://www.vaultproject.io/api/auth/kubernetes/index.html#token_reviewer_jwt

Second, for the vault-auth account, we need to use ClusterRoleBinding. I tried with RoleBinding and it didn't work. Can I know why we have to use ClusterRoleBinding?

What is the returned error output? I assume that bound_service_account_namespaces is incorrectly configured and the related namespace is missing?

Cheers,
Michel

@goplusgo
Author

Hi @michelvocks ,

The returned error is:

{
  "errors": [
    "{
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:<Namespace>:<SA>" cannot create tokenreviews.authentication.k8s.io at the cluster scope",
      "reason": "Forbidden",
      "details": {
        "group": "authentication.k8s.io",
        "kind": "tokenreviews"
      },
      "code": 403
    }"
  ]
}

@michelvocks
Contributor

Hi @JoeyLuffa,

I'm a bit confused. I expected to see an error produced by Vault.
Could you explain when and where this error occurs?

Cheers,
Michel

@goplusgo
Author

Hi @michelvocks

Sorry, the error should be: User "XXXX" cannot create tokenreviews.authentication.k8s.io at the cluster scope. This happens when user XXXX was granted a RoleBinding instead of a ClusterRoleBinding for the system:auth-delegator role.

@olahouze

olahouze commented Mar 10, 2022

According to https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s , in order to configure k8s auth, we need to have a config like:

# Tell Vault how to communicate with the Kubernetes (Minikube) cluster
$ vault write auth/kubernetes/config \
        token_reviewer_jwt="$SA_JWT_TOKEN" \
        kubernetes_host="https://$K8S_HOST:8443" \
        kubernetes_ca_cert="$SA_CA_CRT"

Is the token_reviewer_jwt mandatory? I tried with only the kubernetes_ca_cert and it still works. Did I miss anything?

Hello,
As the documentation says, the 'token_reviewer_jwt' is not mandatory:

  • If you fill it in, Vault will use this token to call the K8S API and perform the "tokenreviews" that retrieve the information of the account that presented the token to access the secrets.
  • If you don't fill it in and Vault runs on a K8S cluster, the local token of the service account used to run the Vault POD will be used.
  • Finally, if you leave it blank and Vault is not on a K8S cluster, the "client" token will be used to verify against the API.

In your case, either the service account token used by the Vault POD has enough rights to do the verification, or the service account of the requester has enough rights to do it (that's why it works).

Second, for the vault-auth account, we need to use ClusterRoleBinding. I tried with RoleBinding and it didn't work. Can I know why we have to use ClusterRoleBinding?

Thanks.

It is necessary to have a ClusterRoleBinding and not just a RoleBinding because the service account used to present itself to Vault (through vault-injector, I guess) must be usable from all namespaces of the cluster and not just one namespace.

Sorry, the error should be: User "XXXX" cannot create tokenreviews.authentication.k8s.io at the cluster scope. This happens when user XXXX was granted a RoleBinding instead of a ClusterRoleBinding for the system:auth-delegator role.

This means that the ClusterRole associated with the service account needed for the verification does not have enough rights.
You have to set the following rights (https://stackoverflow.com/questions/63361182/login-unauthorized-error-whle-connecting-to-external-hashicorp-vault-with-kubern):

rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

If it's OK for you, could you close this case?

Best regards
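To make the RoleBinding-versus-ClusterRoleBinding point above concrete, here is an added illustration (not code from the thread or from Vault) that models the RBAC decision Kubernetes makes when Vault's reviewer service account tries to create a TokenReview. TokenReview is a cluster-scoped resource, so a RoleBinding, which only authorizes requests inside its own namespace, can never satisfy it; the subject name and namespace used below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ClusterRole rules mirroring the ones quoted in the thread
# (the verbs system:auth-delegator grants).
AUTH_DELEGATOR_RULES = [
    {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
    {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
]


@dataclass
class Binding:
    kind: str                         # "RoleBinding" or "ClusterRoleBinding"
    subject: str                      # e.g. "system:serviceaccount:<ns>:<sa>"
    rules: list
    namespace: Optional[str] = None   # only meaningful for a RoleBinding


def rule_matches(rule: dict, group: str, resource: str, verb: str) -> bool:
    """True when one policy rule covers the (group, resource, verb) triple."""
    return ((group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(bindings, subject, verb, group, resource, namespace=None) -> bool:
    """Simplified RBAC decision. namespace=None means a cluster-scoped request."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding authorizes only requests inside its own namespace, so a
        # cluster-scoped request (namespace is None) is never matched by one.
        if b.kind == "RoleBinding" and (namespace is None or namespace != b.namespace):
            continue
        if any(rule_matches(r, group, resource, verb) for r in b.rules):
            return True
    return False


def token_review_decision(bindings, service_account: str) -> str:
    """Reproduce the decision behind the 403 quoted earlier in the thread."""
    if can_i(bindings, service_account, "create", "authentication.k8s.io", "tokenreviews"):
        return "allowed"
    return (f'User "{service_account}" cannot create '
            "tokenreviews.authentication.k8s.io at the cluster scope")


if __name__ == "__main__":
    sa = "system:serviceaccount:vault:vault-auth"  # constructed subject
    print(token_review_decision([Binding("RoleBinding", sa, AUTH_DELEGATOR_RULES, "vault")], sa))
    print(token_review_decision([Binding("ClusterRoleBinding", sa, AUTH_DELEGATOR_RULES)], sa))
```

Running it prints the Forbidden message for the RoleBinding case and "allowed" for the ClusterRoleBinding case, which is exactly the difference reported above.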

@aphorise
Contributor

aphorise commented Sep 2, 2022

@goplusgo - is this still relevant for you, or are you now able to close this request?

@heatherezell
Contributor

Due to the issue age and quiescence, I'm going to go ahead and close it now. Please feel free to re-open as needed, or visit our Discuss forums for community support.
