Configuring Vault Server for Kubernetes Auth

Refer to the Vault Authentication documentation for additional help.

There are a few steps required for configuring Vault in order for Kubernetes Authentication to work properly:

Create a policy that has the following permissions, which are needed by K10:

$ vault policy write <policy_name> - <<EOF
path "transit/keys" {
  capabilities = [ "read", "list" ]
}
path "transit/keys/<vault_transit_key_name>" {
  capabilities = [ "read" ]
}
path "transit/encrypt/<vault_transit_key_name>" {
  capabilities = [ "update" ]
}
path "transit/decrypt/<vault_transit_key_name>" {
  capabilities = [ "update" ]
}
EOF

Next, create a role that will bind the K10 service account and namespace to the vault policy:

$ vault write auth/kubernetes/role/<vault_role> \
    bound_service_account_names=k10-k10 \
    bound_service_account_namespaces=kasten-io \
    policies=<policy_name>