Configuring Vault Server for Kubernetes Auth
Refer to the Vault Authentication documentation for additional help.
A few steps are required on the Vault side before Kubernetes Authentication works. The commands below assume the Transit secrets engine is mounted at transit/ and the Kubernetes auth method is enabled and configured at auth/kubernetes/ (see the Vault documentation linked above); adjust the paths if your mounts differ.
Create a policy that grants only the permissions K10 needs on its Transit key (list and read key metadata, encrypt, decrypt):
$ vault policy write <policy_name> - <<EOF
path "transit/keys" {
capabilities = [ "read", "list" ]
}
path "transit/keys/<vault_transit_key_name>" {
capabilities = [ "read" ]
}
path "transit/encrypt/<vault_transit_key_name>" {
capabilities = [ "update" ]
}
path "transit/decrypt/<vault_transit_key_name>" {
capabilities = [ "update" ]
}
EOF
Next, create a role that binds the K10 service account (k10-k10 in the kasten-io namespace) to the Vault policy. Tokens issued through this role will carry only that policy:
$ vault write auth/kubernetes/role/<vault_role> \
bound_service_account_names=k10-k10 \
bound_service_account_namespaces=kasten-io \
policies=<policy_name>
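The two steps above, carried through end to end as an added example (this is not Kasten's or HashiCorp's code). It parameterises the Transit and Kubernetes auth mount paths, renders the same policy from those parameters, applies it together with the role, and then verifies with vault token capabilities that a token holding only that policy can encrypt and read the key but is denied on the key's config path. All names and mount paths below are hypothetical defaults; a live run needs VAULT_ADDR, an operator VAULT_TOKEN and KUBERNETES_HOST exported, and is only triggered when the script is invoked with the argument apply.

```shell
#!/usr/bin/env sh
# Added example, not Kasten/HashiCorp code. Names and mounts are hypothetical.
set -eu

TRANSIT_MOUNT="${TRANSIT_MOUNT:-transit}"       # assumption: Transit mounted here
K8S_AUTH_MOUNT="${K8S_AUTH_MOUNT:-kubernetes}"  # assumption: auth method mounted here
TRANSIT_KEY="${TRANSIT_KEY:-k10-transit-key}"   # hypothetical key name
POLICY_NAME="${POLICY_NAME:-k10-transit}"       # hypothetical policy name
ROLE_NAME="${ROLE_NAME:-k10-role}"              # hypothetical role name
K10_SA="${K10_SA:-k10-k10}"
K10_NS="${K10_NS:-kasten-io}"

# Render the least-privilege policy HCL for one key under one Transit mount.
# Pure string generation: needs no Vault server, so it can be unit-tested.
render_policy() {
  mount="$1"; key="$2"
  cat <<EOF
path "${mount}/keys" {
  capabilities = [ "read", "list" ]
}
path "${mount}/keys/${key}" {
  capabilities = [ "read" ]
}
path "${mount}/encrypt/${key}" {
  capabilities = [ "update" ]
}
path "${mount}/decrypt/${key}" {
  capabilities = [ "update" ]
}
EOF
}

# Apply everything against a live Vault (VAULT_ADDR + operator VAULT_TOKEN).
apply_vault_config() {
  # Transit engine and key; the enable is tolerated if already mounted.
  vault secrets enable -path="${TRANSIT_MOUNT}" transit 2>/dev/null || true
  vault write -f "${TRANSIT_MOUNT}/keys/${TRANSIT_KEY}"

  # Policy from the renderer above, fed on stdin exactly like the page's command.
  render_policy "${TRANSIT_MOUNT}" "${TRANSIT_KEY}" | vault policy write "${POLICY_NAME}" -

  # Kubernetes auth method; config must point at the cluster's API server.
  vault auth enable -path="${K8S_AUTH_MOUNT}" kubernetes 2>/dev/null || true
  vault write "auth/${K8S_AUTH_MOUNT}/config" \
    kubernetes_host="${KUBERNETES_HOST:?export KUBERNETES_HOST, e.g. https://10.0.0.1:443}"

  # Role binding the K10 service account and namespace to the policy.
  vault write "auth/${K8S_AUTH_MOUNT}/role/${ROLE_NAME}" \
    bound_service_account_names="${K10_SA}" \
    bound_service_account_namespaces="${K10_NS}" \
    policies="${POLICY_NAME}" \
    ttl=1h
}

# Post-check: mint a short-lived token carrying only the policy and ask Vault
# what it may do on the paths K10 uses, and on one it must not touch.
check_policy_capabilities() {
  tok="$(vault token create -policy="${POLICY_NAME}" -ttl=5m -field=token)"
  vault token capabilities "$tok" "${TRANSIT_MOUNT}/encrypt/${TRANSIT_KEY}"      # expect: update
  vault token capabilities "$tok" "${TRANSIT_MOUNT}/decrypt/${TRANSIT_KEY}"      # expect: update
  vault token capabilities "$tok" "${TRANSIT_MOUNT}/keys/${TRANSIT_KEY}"         # expect: read
  vault token capabilities "$tok" "${TRANSIT_MOUNT}/keys/${TRANSIT_KEY}/config"  # expect: deny
}

if [ "${1:-}" = "apply" ]; then
  apply_vault_config
  check_policy_capabilities
fi
```

The final capabilities check is the part worth keeping in any runbook: a "deny" on the key's config path confirms that K10 cannot change settings such as deletion_allowed on its own key, which is the point of splitting the policy by path rather than granting transit/* wholesale.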