
Vault does not seem to be validating kubernetes service account tokens on login

Open ameyp opened this issue 1 year ago • 3 comments

Describe the bug

I'm able to log in to Vault using the kubernetes auth method with a service account token that should be invalid.

To Reproduce

  • Deploy vault using the helm chart:
helm install vault hashicorp/vault -f values.yaml

The values.yaml is:

global:
  tlsDisable: true
server:
  logLevel: trace
  standalone:
    enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }

  • Enable kubernetes auth and a secrets engine
# Enable transit engine
curl $VAULT_ADDR/v1/sys/mounts/transit -H "X-Vault-Token: $VAULT_TOKEN" -X POST --data-raw '{"type": "transit"}'
# Create a key
curl $VAULT_ADDR/v1/transit/keys/autounseal -H "X-Vault-Token: $VAULT_TOKEN" -X POST

# Enable kubernetes auth
curl $VAULT_ADDR/v1/sys/auth/kubernetes -H "X-Vault-Token: $VAULT_TOKEN" -X POST --data-raw '{"type": "kubernetes"}'
# Configure kubernetes auth
curl $VAULT_ADDR/v1/auth/kubernetes/config -H "X-Vault-Token: $VAULT_TOKEN" -X POST --data-raw '{"kubernetes_host": "https://kubernetes.default.svc"}'

# Create policy granting access to the transit key created above
curl $VAULT_ADDR/v1/sys/policy/autounseal -H "X-Vault-Token: $VAULT_TOKEN" -X POST --data-raw '{"policy": "path \"transit/encrypt/autounseal\" { capabilities = [ \"update\" ] } \n\n path \"transit/decrypt/autounseal\" { capabilities = [ \"update\" ] }"}'

# Create a kubernetes auth role
curl $VAULT_ADDR/v1/auth/kubernetes/role/autounseal -H "X-Vault-Token: $VAULT_TOKEN" -X POST --data-raw '{"bound_service_account_names": ["default"], "bound_service_account_namespaces": ["vault"], "token_period": "3600", "token_policies": ["autounseal"]}'
  • The above role grants access to the service account named default in the namespace vault. Create a pod in that namespace:
apiVersion: v1
kind: Pod
metadata:
  name: curl
spec:
  serviceAccount: default
  restartPolicy: Never
  containers:
  - name: curl
    image: alpine/curl
    imagePullPolicy: Always
    command: ["/bin/sh", "-c", "sleep 3600"]

Open a shell in the pod, and log in to Vault with an invalid token:

# This will print a valid token
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Take the above token and change the last letter of the token. Take the modified token, and login to vault
curl http://vault.default.svc:8200/v1/auth/kubernetes/login -X POST --data-raw "{\"role\": \"autounseal\", \"jwt\": \"$MODIFIED_TOKEN\"}"

# The above command succeeds, and returns a valid token. Verify that the token works by trying to access the secrets engine the role has access to
curl http://vault.default.svc:8200/v1/transit/encrypt/autounseal -H "X-Vault-Token: $RETURNED_TOKEN" -X POST --data-raw '{"plaintext": "abcd"}'

Expected behavior

The curl request to /v1/auth/kubernetes/login with the modified token should fail.

Environment:

  • Vault Server Version (retrieve with vault status): 1.12.1
  • Vault CLI Version (retrieve with vault version): Not applicable, used the API
  • Server Operating System/Architecture: minikube on docker, kubernetes version 1.24.8

Vault server configuration file(s): Installed using helm, values file posted above

ameyp avatar Dec 20 '22 17:12 ameyp

Perhaps this is a kubernetes issue? I tried using the TokenReview API with kubectl proxy to verify the modified token, and TokenReview also thinks that it's valid

ameyp avatar Dec 20 '22 17:12 ameyp

Vault simply calls the TokenReview API. If Kubernetes says the token is good, that's the end of the story as far as Vault is concerned.

maxb avatar Dec 21 '22 08:12 maxb
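The thread never says why Kubernetes still accepts the altered token, so the following is a likely explanation rather than a confirmed one. A JWT signature segment is base64url without padding; when the signature length is not a multiple of 3 bytes, the final character carries a few data bits plus unused trailing bits that lenient decoders ignore (RFC 4648 section 3.5 only says they "should" be zero). Every replacement last character that shares the data bits decodes to byte-for-byte the same signature, so kube-apiserver verifies an unmodified signature and TokenReview correctly reports the token as valid. The Go program below is an added example, not code from this issue, from Vault or from Kubernetes; it uses a constructed JWT-shaped string with 64 placeholder signature bytes rather than a real service account token. A real RS256 service account signature is 256 bytes, but the arithmetic is the same for 64 and 256 bytes: both leave four unused bits in the last character, so 16 of the 64 base64url characters yield identical signature bytes.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// base64url alphabet (RFC 4648 section 5), the encoding JWT segments use.
const b64url = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

// SampleToken builds a constructed, unsigned JWT-shaped string. The third
// segment is 64 placeholder bytes standing in for a signature; this is not a
// real service account token and verifies nothing.
func SampleToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString(
		[]byte(`{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:vault:default"}`))
	sig := make([]byte, 64) // constructed stand-in, not a real signature
	for i := range sig {
		sig[i] = byte(i)
	}
	return header + "." + payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// SameBytesLastChars tries every base64url character as a replacement for
// the final character of the token's signature segment. It returns the
// replacements that decode to exactly the original signature bytes under the
// lenient decoder most JWT libraries use (lenient), and the subset that a
// decoder enforcing "trailing bits must be zero" also accepts (strict).
// Swapping in any character from lenient leaves the verified signature
// unchanged, which is why such a token still passes TokenReview.
func SameBytesLastChars(token string) (lenient, strict string) {
	parts := strings.Split(token, ".")
	seg := parts[len(parts)-1]
	if seg == "" {
		return "", ""
	}
	want, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return "", ""
	}
	prefix := seg[:len(seg)-1]
	for i := 0; i < len(b64url); i++ {
		cand := prefix + string(b64url[i])
		got, err := base64.RawURLEncoding.DecodeString(cand)
		if err != nil || !bytes.Equal(got, want) {
			continue
		}
		lenient += string(b64url[i])
		// Strict() rejects non-zero trailing bits (Go 1.8+).
		if _, err := base64.RawURLEncoding.Strict().DecodeString(cand); err == nil {
			strict += string(b64url[i])
		}
	}
	return lenient, strict
}

func main() {
	tok := SampleToken()
	lenient, strict := SameBytesLastChars(tok)
	fmt.Printf("signature segment ends in %q\n", tok[len(tok)-2:])
	fmt.Printf("last chars decoding to the same bytes (lenient): %s\n", lenient)
	fmt.Printf("of those, accepted by a strict decoder:           %s\n", strict)
}
```

If the substituted letter happened to be one of the 16 equivalents, the signature bytes kube-apiserver checked were never modified, so TokenReview reporting the token as valid is correct and there is nothing for Vault to reject. When triaging a report like this, compare the decoded signature bytes of the original and altered tokens, as SameBytesLastChars does, before concluding that validation is broken. A strict decoder would refuse the altered encoding, but that does not change the security picture: the signature was not forged, only re-spelled.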

Makes sense to me, closing.

ameyp avatar Dec 21 '22 15:12 ameyp

Closing as this appears to be the expected behavior on the vault side because the TokenReview API reports the token as valid.

fairclothjm avatar Jan 06 '23 19:01 fairclothjm

Help me

tyevil avatar Jan 24 '23 17:01 tyevil