Kubernetes Auth Method documentation not compatible with Kubernetes v1.21+ #12855
Comments
Hi @tsaarni! We have a ticket we're tracking internally to update the documentation. Also, we're taking a look at the linked PR as well. Thanks for your report! :)
@taoism4504 Another documentation update request. I'll have our engineers peek at the code PR.
Thank you @hsimon-hashicorp. Waiting eagerly for the problem to be fixed and for Vault to work again on current Kubernetes versions without inconvenient workarounds!
As commented in the linked PR, issuer validation is now disabled by default in Vault 1.9: hashicorp/vault-plugin-auth-kubernetes#125 (comment)
I would have liked to keep this open for the documentation changes that would accompany hashicorp/vault-plugin-auth-kubernetes#122, assuming the PR is accepted. Deprecating the issuer validation is a good improvement, but we still lack proper Kubernetes 1.21+ support.
Describe the bug
Kubernetes v1.21 introduced new bound service account tokens with the following new properties:
The Kubernetes Auth Method documentation does not cover the use of the new tokens. This results in failed authentication.
To Reproduce
Pre-condition:
Deploy Vault inside Kubernetes. Configure the Kubernetes Auth Method according to the examples at https://www.vaultproject.io/docs/auth/kubernetes. Set the JWT value to
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
(1) Authentication fails because of an invalidated token
Authentication fails with 403 Forbidden and { "errors": [ "permission denied" ] } in the response body. Vault prints the following error:
Kubernetes API server prints the following error:
(2) Authentication fails because of an expired token
Set service-account-max-token-expiration to 1h. Wait for 1 hour for the token to expire. Authentication fails with 403 Forbidden and { "errors": [ "permission denied" ] } in the response body. Vault prints the following error:
Kubernetes API server prints the following error:
Proposed fix
Include the following PR
Update the documentation, taking the following points into account:
I also think the following point would be beneficial: disable_iss_validation=True. The benefit is that the user does not need to find the correct iss from their specific cluster (or change it if it changes later). The Kubernetes Token Review API will validate the token, so I do not see a negative side in recommending that.
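As an added diagnostic example, not part of the original report and not Vault's or the plugin's own code: a small Python script that decodes the claims of a service account token (without verifying its signature) so you can tell a legacy Secret-based token from a 1.21+ bound token, and flag the two failure modes the report describes: an iss claim that differs from the issuer Vault was configured with, and an exp claim that has already passed. Both sample tokens are constructed inline for illustration; the issuer URL, timestamps and the placeholder signature are assumptions, not values taken from any real cluster.

```python
import base64
import json
import time


def _b64url(obj):
    """Base64url-encode a JSON object without padding (JWS compact form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_token(payload):
    # Constructed JWT: header.payload.signature. The signature is a placeholder
    # ("signature" in base64url); nothing in this script verifies it.
    header = {"alg": "RS256", "kid": "constructed"}
    return f"{_b64url(header)}.{_b64url(payload)}.c2lnbmF0dXJl"


# Constructed sample: a pre-1.21 Secret-based token. It has a fixed issuer and
# no exp claim, so it never expires on its own.
LEGACY_TOKEN = _make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "vault",
    "kubernetes.io/serviceaccount/service-account.name": "vault",
    "sub": "system:serviceaccount:vault:vault",
})

# Constructed sample: a 1.21+ bound token. The issuer URL is an assumed
# cluster value; the timestamps are chosen for the example.
BOUND_TOKEN = _make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1700000000,
    "iat": 1699996400,
    "sub": "system:serviceaccount:vault:vault",
    "kubernetes.io": {"namespace": "vault",
                      "serviceaccount": {"name": "vault"}},
})


def decode_claims(token):
    """Return the JWT payload as a dict. No signature verification is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_reviewer_token(token, now=None, expected_issuer=None):
    """Describe whether a token is bound/expiring and whether it would trip
    Vault's issuer check when expected_issuer is the configured 'issuer'."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    report = {
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "bound": exp is not None,
        "expired": exp is not None and exp <= now,
        "issuer_mismatch": (expected_issuer is not None
                            and claims.get("iss") != expected_issuer),
        "problems": [],
    }
    if report["expired"]:
        report["problems"].append(
            "token has expired: a bound token pasted into token_reviewer_jwt "
            "stops working after its lifetime")
    if report["issuer_mismatch"]:
        report["problems"].append(
            "iss claim differs from the configured issuer: rejected unless "
            "issuer validation is disabled (disable_iss_validation=true)")
    return report


if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(name, inspect_reviewer_token(
            tok, now=1700003600, expected_issuer="kubernetes/serviceaccount"))
```

To run it against a real cluster, replace the constructed tokens with the contents of /var/run/secrets/kubernetes.io/serviceaccount/token; a report with bound set to true tells you the value you are about to store in token_reviewer_jwt will expire.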