vault-使用kubernetes作为认证后端

vault使用kubernetes认证

配置

vault可以使用kubernetes的serviceaccount进行认证

#在kubernetes为vault创建serviceaccount账号，用于调用api
kubectl create sa vault-auth
#找到vault-auth的token以及ca
kubectl get secret |grep vault-auth-token |awk '{print $1}'|xargs kubectl get -o yaml secret

把图中的ca.crt以及token用base64解码得到证书

# 使用vault-cli配置kubernetes认证
vault auth enable kubernetes

#token_reviewer_jwt是上图中token用base64解码的值
# kubernetes_host是kubernetes-api-server的地址
# kubernetes_ca_cert是上图中ca.crt用base64解码的值存储的文件路径，
vault write auth/kubernetes/config \
    token_reviewer_jwt="reviewer_service_account_jwt" \
    kubernetes_host=https://192.168.99.100:8443 \
    kubernetes_ca_cert=@ca.crt
    

# 允许vault调用kubernetes的sa-api
# cat rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default
#kubectl apply -f rbac.yaml

使用kubernetes的serviceaccount认证

vault创建role

vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h

认证

#role对应vault里面创建的role，jwt对应kubernetes里面serviceaccount的token
curl https://vault:8200/auth/kubernetes/login -XPOST -d '{"role": "demo", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'