Using vault-k8s from a different cluster #54
Comments
|
If the Vault Agent doesn't provide the injector webhook, maybe just an empty instance of Vault would do? |
|
Is this a duplicate for #15 ...? |
|
@iiro thanks, it does look very similar. Looks like they're deploying Vault via helm onto the application cluster and setting an environment variable to point to the production Vault instance. Let me know if I've misunderstood? I'll try that out tomorrow. |
tvoran
added
question
|
Closing as this has been resolved on the other issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We're currently hosting Vault in a dedicated Kubernetes cluster. Ideally, we'd like to use
vault-k8sto authenticate service accounts from other clusters.Obviously this would not work out of the box, as the Vault admissions controller is currently only located in the Vault cluster, and not in the other clusters that are actually running the applications.
Is there a recommended way of making this work? I'm currently thinking along these lines:
In Vault:
vault auth enable --path kubernetes/$CLUSTER_NAME kubernetes). The config of each auth method would store credentials of avault-authservice account from the relevant application cluster. Eachvault-authservice account would have a ClusterRoleBinding to thesystem:auth-delegatorClusterRole in their cluster.In each application cluster:
vault.addressis set to the address of our Vault instance, with relevant certs and keys included.This way, IIUC, when I deploy a pod to the cluster that has the vault annotations, it will be caught by the admissions controller, which will then talk to our Vault instance, and attempt to authenticate the JWT from the application service account.
Is this valid? Or am I making things way to complex? What's the best way to authenticate an application running in a cluster that's separate to the cluster running Vault?
The text was updated successfully, but these errors were encountered: