mirror of
https://github.com/hashicorp/vault.git
synced 2026-02-18 18:38:08 -05:00
Add kubectl / vault binding example (#30974)
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
parent
be7b444cf3
commit
f14fd78316
1 changed files with 44 additions and 0 deletions
@ -257,6 +257,50 @@ $ curl -sk $(kubectl config view --minify -o 'jsonpath={.clusters[].cluster.serv
}
```
## Kubectl integration
You can also bake the kubernetes token generation via the [ExecConfig](https://kubernetes.io/docs/reference/config-api/kubeconfig.v1/#ExecConfig) mechanism directly into the kubeconfig file. Due to the output format of Vault needs to be adapted to match the Kubernetes schema, this mechanism will require `jq` or a similar transformation tool.
```yaml
---
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
certificate-authority-data: ***
server: https://***
name: cluster
contexts:
- name: context
context:
cluster: cluster
user: user
current-context: context
users:
- name: user
user:
exec:
apiVersion: "client.authentication.k8s.io/v1beta1"
command: bash
args:
- -c
- >
vault write -format=json kubernetes/creds/my-role | jq -r '{apiVersion: "client.authentication.k8s.io/v1beta1", status: {token: .data.service_account_token}}'
```
As a result, you can call `kubectl` directly:
```shell-session
$ export VAULT_ADDR=***
$ export VAULT_TOKEN=$(vault login -token-only -method=ldap username=***)
$ export KUBECONFIG=kubeconfig.yml
$ kubectl get namespaces
```
~> **Note**: While this method will query Vault for a new token with every `kubectl` call, the recommendation is to use it only with a configuration where Vault is generating the Kubernetes token only, so the overhead on dynamic elements created inside your cluster stays minimal.
## TTL
Kubernetes service account tokens have a time-to-live (TTL). When a token expires it is
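Review bot: the exec plugin script in the `args` entry, `vault write -format=json kubernetes/creds/my-role | jq -r '...'`, exits with jq's status, so when `vault write` fails (expired `VAULT_TOKEN`, unknown role) jq reads empty input, prints nothing and still exits 0, and the Vault failure is masked behind a successful exit from the credential plugin; prefix the script with `set -o pipefail;` (or `set -eo pipefail;`) so `kubectl` sees a non-zero exit and the Vault error on stderr is the reported cause. Separately, the sentence "Due to the output format of Vault needs to be adapted to match the Kubernetes schema, this mechanism will require `jq` or a similar transformation tool" does not parse; "Because Vault's output format needs to be adapted to match the Kubernetes schema, this mechanism requires `jq` or a similar transformation tool" reads cleanly.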