Using Vault with multiple dynamic namespaces in Kubernetes

10/29/2018

Is it possible to share a ServiceAccount between namespaces or somehow start a pod with a ServiceAccount from a different namespace?

We are looking to use vault to store common secret data between dynamic development environments. Following the very good walk through HERE we were able to authenticate and pull secrets for a single namespace. However, in our use case we will be creating a new namespace for each development environment during its lifetime.

If possible we would like to avoid having to also configure vault with a new auth backend for each namespace.

-- Andy Snowden
hashicorp-vault
kubernetes

2 Answers

10/29/2018

Service Accounts are namespaced, therefore not shared, so you may copy the token from one account to another, but that is not the recommended way.

C02W84XMHTD5:kubernetes-gitlab iahmad$ kubectl api-resources --namespaced | grep service
serviceaccounts             sa                                       true         ServiceAccount
services                    svc                                      true         Service
C02W84XMHTD5:kubernetes-gitlab iahmad$

If you want to share a secret or account the way you are trying to do, then there is no need to use vault at all.

You may just need to automate this process, instead of sharing accounts.

-- Ijaz Ahmad Khan
Source: StackOverflow

10/30/2018

When you create the Vault role, you can configure bound_service_account_namespaces to be the special value *, and allow a fixed service account name from any namespace. To adapt the "create role" example from the documentation:

vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces='*' \
    policies=default \
    ttl=1h

You have to recreate the Kubernetes service account in every namespace, and it must have the exact name specified in the role. However, the Kubernetes service account is a single k8s object and it's not any harder than the Deployments, Services, ConfigMaps, and Secrets you already have; this pattern doesn't require any Vault reconfiguration.

(If you're using a templating tool like Helm, the service account can't follow a naming convention like {{ .Release.Name }}-{{ .Chart.Name }}: Vault doesn't appear to have any sort of pattern matching on this name.)

-- David Maze
Source: StackOverflow
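The pattern in the answer above, as an added example (not code from either answer or from Vault/Kubernetes): a small POSIX shell script that renders an identically named ServiceAccount manifest for each dynamic namespace, and a model of the bound_service_account_names / bound_service_account_namespaces check that makes the two constraints explicit: entries match exactly, the single entry '*' matches anything, and there is no glob or pattern matching on the name. The namespace list and the role values (vault-auth, '*') are assumptions taken from the answer; the matching model is a simplification of Vault's behaviour for illustration, not Vault's own code.

```shell
#!/bin/sh
# Added example: per-namespace ServiceAccounts for a Vault role bound to a
# fixed account name in any namespace. Assumed role settings (from the answer):
#   bound_service_account_names=vault-auth
#   bound_service_account_namespaces='*'
set -f   # no filename globbing: '*' is a literal wildcard entry, not a shell glob

SA_NAME="vault-auth"      # must equal bound_service_account_names exactly
ROLE_NAMESPACES='*'       # bound_service_account_namespaces as written to Vault

# Render a ServiceAccount manifest for one namespace; pipe to `kubectl apply -f -`.
# The name is fixed, so a Helm-style templated name would not match the role.
sa_manifest() {
    ns="$1"
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${ns}
EOF
}

# Simplified model (assumption, not Vault's code) of a bound_service_account_*
# list check: a comma-separated list of exact values, or the single entry '*'.
matches_bound() {
    value="$1"; bound="$2"
    [ "$bound" = '*' ] && return 0
    for b in $(printf '%s' "$bound" | tr ',' ' '); do
        [ "$b" = "$value" ] && return 0
    done
    return 1
}

# Would a login from service account $1 in namespace $2 be accepted by the role?
role_allows() {
    sa="$1"; ns="$2"
    if matches_bound "$sa" "$SA_NAME" && matches_bound "$ns" "$ROLE_NAMESPACES"; then
        echo allow
    else
        echo deny
    fi
}

# Constructed list of dynamic environment namespaces; each gets the same account.
for ns in dev-alice dev-bob dev-pr-123; do
    sa_manifest "$ns"            # | kubectl apply -f -
    echo "---"
done
role_allows vault-auth dev-pr-123             # allow: fixed name, any namespace
role_allows myrelease-vault-auth dev-pr-123   # deny: no pattern matching on the name
```

Because the role wildcards only the namespace, the account name is the one thing that gates which pods can authenticate; keep the ability to create a ServiceAccount named vault-auth restricted in each namespace (RBAC on serviceaccounts) to the automation that provisions the environment.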