vault-operator
Unable to Log in to the Kubernetes auth backend using the service account token
I've gone through the example of setting up the k8s Vault auth backend, and everything up until the Authentication step works fine. When I get to this point https://github.com/coreos/vault-operator/blob/master/doc/user/kubernetes-auth-backend.md#authenticate-requests-using-the-service-account-token and try to "Log in to the Kubernetes auth backend using the service account token:", I'm getting the error below:
Error writing data to auth/kubernetes/login: Error making API request.
URL: PUT https://localhost:8200/v1/auth/kubernetes/login
Code: 500. Errors:
* {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:default:vault-tokenreview\" cannot create tokenreviews.authentication.k8s.io at the cluster scope","reason":"Forbidden","details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}
All the previous steps have been completed successfully.
You need to give access to the token review API:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Values.vault.name }}-auth-delegator
  labels:
    app: {{ .Values.vault.name }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: {{ .Values.vault.name }}
  namespace: {{ .Release.Namespace }}
As I type, I realize that it is also documented here: https://github.com/coreos/vault-operator/blob/master/example/k8s_auth/vault-tokenreview-binding.yaml
Is it possible to do this with a plain RoleBinding, instead of a ClusterRoleBinding? I prefer to use namespaced resources.
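The following is an added example, not code from the issue or from the vault-operator project, covering both the fix in the answer above (bind the token-review service account to the built-in system:auth-delegator ClusterRole) and the RoleBinding question. It renders a plain, non-Helm ClusterRoleBinding for the names used in the issue (namespace "default", service account "vault-tokenreview"; change them for your cluster) and then checks the grant with `kubectl auth can-i` under impersonation. A ClusterRoleBinding is the only option here: tokenreviews.authentication.k8s.io is a cluster-scoped resource, which is why the 403 says "at the cluster scope", and a namespaced RoleBinding can only grant permissions inside its own namespace. The function names and the assumption that kubectl is on PATH and pointed at the cluster running Vault are mine.

```shell
#!/bin/sh
# Added example (not from the vault-operator project).
# Grants the token-review service account the system:auth-delegator
# ClusterRole and verifies that TokenReview creation is now allowed.
# Names follow the issue: namespace "default", SA "vault-tokenreview".

# Emit a plain ClusterRoleBinding manifest for the given namespace and
# service account. A ClusterRoleBinding is required because
# tokenreviews.authentication.k8s.io is cluster-scoped; a RoleBinding
# cannot grant a cluster-scoped resource.
render_tokenreview_binding() {
  ns="$1"
  sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Ask the API server whether the service account may create TokenReviews.
# Prints "yes" or "no". Uses impersonation, so the current kubectl context
# must itself be allowed to impersonate the service account.
# Needs a live cluster; not exercised offline.
check_tokenreview_access() {
  ns="$1"
  sa="$2"
  kubectl auth can-i create tokenreviews.authentication.k8s.io \
    --as="system:serviceaccount:${ns}:${sa}"
}

# Apply the binding and verify it. Assumes kubectl is on PATH and its
# context points at the cluster where Vault is running.
bind_and_verify() {
  ns="${1:-default}"
  sa="${2:-vault-tokenreview}"
  render_tokenreview_binding "$ns" "$sa" | kubectl apply -f -
  check_tokenreview_access "$ns" "$sa"
}

# Uncomment to run against a real cluster:
# bind_and_verify default vault-tokenreview
```

Once `check_tokenreview_access` prints "yes", retry the `auth/kubernetes/login` step from the guide; the 403 wrapped in Vault's 500 response should no longer appear. If it prints "no" even after the apply, check that the `subjects` entry matches the exact namespace and service account name shown in the error (`system:serviceaccount:default:vault-tokenreview`).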
There is no point in using the CoreOS vault-operator anymore, as it is not maintained. This is promising: https://github.com/banzaicloud/bank-vaults