...

  1. Start an interactive shell session on the vault-0 pod.

    kubectl exec -it vault-0 -- /bin/sh


    Your system prompt is replaced with a new prompt, / $. Commands issued at this prompt are executed inside the vault-0 container.

  2. Enable the Kubernetes authentication method.

    vault auth enable kubernetes

    Successful output from the command resembles this example:

    Success! Enabled kubernetes auth method at: kubernetes/

    HashiCorp Vault accepts a service account token from any client in the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying the Kubernetes token review endpoint.

  3. Configure the Kubernetes authentication method to use the location of the Kubernetes API.

    Note: For the best compatibility with recent Kubernetes versions, ensure you are using HashiCorp Vault v1.13.3 or greater.

    vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

    Successful output from the command resembles this example:

    Success! Data written to: auth/kubernetes/config

    The environment variable KUBERNETES_PORT_443_TCP_ADDR is defined inside the pod and holds the cluster-internal network address of the Kubernetes API host.

  4. For a client to read the secret data stored at hivemq/test/license, the read capability must be granted for the path hivemq/data/test/license. This grant is an example of a policy: a policy defines a set of capabilities on a set of paths.

  5. Write out the policy named hivemq that enables the read capability for secrets at path hivemq/data/test/license.

    vault policy write hivemq - <<EOF
    path "hivemq/data/test/license" {
      capabilities = ["read"]
    }
    EOF

  6. Create a Kubernetes authentication role named hivemq.

    vault write auth/kubernetes/role/hivemq \
          bound_service_account_names=hivemq-platform-pod-broker \
          bound_service_account_namespaces=hivemq \
          policies=hivemq \
          ttl=24h

    Successful output from the command resembles this example:

    Success! Data written to: auth/kubernetes/role/hivemq

    The role binds the Kubernetes service account hivemq-platform-pod-broker in the namespace hivemq to the HashiCorp Vault policy hivemq. Only tokens of that service account in that namespace can log in through this role, and the Vault tokens returned after authentication are valid for 24 hours.

  7. Lastly, exit the vault-0 pod.

    exit
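    The value of steps 5 and 6 lies in how tightly the role and policy are bound, so a useful follow-up is to audit them. The following is an added example, not part of the original page or of the HiveMQ or Vault projects: a small Python checker that takes the role as returned by `vault read -format=json auth/kubernetes/role/hivemq` (the JSON field names below are assumed) together with the policy HCL, and flags wildcarded service account bindings, a token TTL above the 24h configured above, and policy grants beyond read on hivemq/data/test/license. The sample inputs are constructed to match the configuration in the steps above.

```python
import json
import re

# Constructed sample of the role JSON (field names assumed from Vault's role read output).
SAMPLE_ROLE_JSON = json.dumps({"data": {
    "bound_service_account_names": ["hivemq-platform-pod-broker"],
    "bound_service_account_namespaces": ["hivemq"],
    "token_policies": ["hivemq"],
    "token_ttl": 86400,
}})

# Constructed sample: the policy written in step 5.
SAMPLE_POLICY_HCL = '''
path "hivemq/data/test/license" {
  capabilities = ["read"]
}
'''

MAX_TTL_SECONDS = 24 * 60 * 60            # the 24h TTL from step 6 is the ceiling we accept
ALLOWED_CAPS = {"read"}                   # the broker only needs to read its licence
EXPECTED_PATH = "hivemq/data/test/license"


def parse_policy(hcl: str) -> dict:
    """Return {path: [capabilities]} from a simple Vault HCL policy (path blocks only)."""
    block_re = r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]'
    return {path: re.findall(r'"([^"]+)"', caps)
            for path, caps in re.findall(block_re, hcl, re.S)}


def audit_role(role_json: str, policy_hcl: str) -> list:
    """Return findings as strings; an empty list means the binding is as tight as intended."""
    data = json.loads(role_json)["data"]
    findings = []
    for key in ("bound_service_account_names", "bound_service_account_namespaces"):
        values = data.get(key) or []
        if not values:
            findings.append(f"{key} is empty")
        if "*" in values:
            findings.append(f"{key} contains '*': any service account or namespace may log in")
    if data.get("token_ttl", 0) > MAX_TTL_SECONDS:
        findings.append("token_ttl exceeds the 24h configured for the role")
    for path, caps in parse_policy(policy_hcl).items():
        if path != EXPECTED_PATH:
            findings.append(f"policy grants access to unexpected path {path}")
        extra = set(caps) - ALLOWED_CAPS
        if extra:
            findings.append(f"policy grants more than read on {path}: {sorted(extra)}")
    return findings
```

    Run it against the real output of the vault read command and the policy file in a pipeline step; any non-empty result means the binding has drifted from the least-privilege shape described above.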

...