1. Kubernetes Pod Identity Management through Vault Auth


    When managing Kubernetes pod identities with Vault, we generally follow a three-step process:

    1. Enable the Kubernetes authentication method in Vault.
    2. Configure the Kubernetes authentication method with the necessary information to communicate with the Kubernetes API.
    3. Create roles that associate Kubernetes service account names and namespaces with Vault policies.

    In this program, we'll be setting up these components using Pulumi to manage the Vault configuration. For the Kubernetes interaction with Vault, you'll typically use Mutating Admission Webhooks and the Vault Agent Injector, but that setup is outside the scope of this Pulumi program.

    Here's a Pulumi program that sets up a Kubernetes authentication backend in Vault, configures it, and creates a role that binds a Kubernetes service account to a Vault policy:

    import pulumi
    import pulumi_vault as vault

    # Step 1: Enable the Kubernetes authentication method in Vault.
    k8s_auth_backend = vault.AuthBackend(
        "k8s-auth-backend",
        type="kubernetes",
        description="Kubernetes auth backend",
        # 'path' is the mount path for the Kubernetes auth method; if it isn't specified, it defaults to the 'type'.
        # Documentation for AuthBackend: https://www.pulumi.com/registry/packages/vault/api-docs/authbackend/
    )

    # Step 2: Configure the Kubernetes auth method with the information required to communicate with the Kubernetes API.
    k8s_auth_config = vault.kubernetes.AuthBackendConfig(
        "k8s-auth-config",
        backend=k8s_auth_backend.path,  # Mount path of the auth method enabled in step 1.
        kubernetes_host="https://kubernetes.default.svc",  # Must point to the Kubernetes API server.
        kubernetes_ca_cert="<ca_cert>",  # PEM-encoded CA certificate of the cluster; obtain it from your cluster configuration.
        token_reviewer_jwt="<token>",  # Service account JWT Vault uses to call the TokenReview API when validating login JWTs.
        # Documentation for AuthBackendConfig: https://www.pulumi.com/registry/packages/vault/api-docs/kubernetes/authbackendconfig/
    )

    # Step 3: Create a role that maps a Kubernetes service account to a Vault policy.
    k8s_role = vault.kubernetes.AuthBackendRole(
        "k8s-role",
        backend=k8s_auth_backend.path,  # Same mount path as above.
        role_name="example-role",
        bound_service_account_names=["example-service-account"],  # Service account names allowed to use this role.
        bound_service_account_namespaces=["default"],  # Namespaces allowed to use this role.
        token_policies=["example-policy"],  # Vault policies attached to tokens issued through this role.
        token_ttl=3600,  # TTL of issued tokens, in seconds.
        # Documentation for AuthBackendRole: https://www.pulumi.com/registry/packages/vault/api-docs/kubernetes/authbackendrole/
    )

    pulumi.export("k8s_auth_backend_path", k8s_auth_backend.path)
    pulumi.export("k8s_auth_backend_role_name", k8s_role.role_name)

    In the program above:

    • We create a Vault authentication backend for Kubernetes using vault.AuthBackend. This enables us to authenticate Kubernetes service accounts with Vault.
    • We configure the backend with vault.kubernetes.AuthBackendConfig, specifying details about our Kubernetes cluster. The kubernetes_ca_cert (the cluster's CA certificate) and token_reviewer_jwt (a service account JWT) are sensitive values taken from your cluster and should be treated as secrets.
    • We create a role within that backend with vault.kubernetes.AuthBackendRole, specifying which Kubernetes service account in which namespace will be able to log in to Vault and obtain tokens that grant access according to the specified policies.

    Note that <ca_cert> and <token> are placeholders. For a real setup, you would retrieve the CA certificate and the service account JWT from the Kubernetes cluster where your workloads are running. Also, the Vault policy "example-policy" referenced in the token_policies parameter is not created by this program; it would need to be created separately based on your requirements.

    After running this Pulumi program, you would have the Kubernetes authentication method set up in Vault, ready for Kubernetes pods to authenticate and fetch their secrets.
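    To make the role binding from step 3 concrete, the following added example (written for this page, not code from Pulumi or HashiCorp Vault) models the decision Vault makes when a pod logs in: the pod POSTs its projected service account JWT and a role name, Vault validates the JWT through the Kubernetes TokenReview API using token_reviewer_jwt, and then checks the reviewed principal against the role's bound_service_account_names and bound_service_account_namespaces. The TokenReview responses, the KubernetesRole class and the decide_login/login_allowed helpers are all constructed for illustration; the username format system:serviceaccount:<namespace>:<name> and the "*" wildcard semantics follow Vault's documented behaviour.

```python
# Added example: models Vault's Kubernetes-auth login decision for the role
# configured above. All data below is constructed; nothing contacts a cluster.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Login endpoint under the default "kubernetes" mount path (the 'type' default in step 1).
VAULT_LOGIN_PATH = "/v1/auth/kubernetes/login"


@dataclass
class KubernetesRole:
    """Subset of the vault.kubernetes.AuthBackendRole settings used in the program above."""
    role_name: str
    bound_service_account_names: List[str]
    bound_service_account_namespaces: List[str]
    token_policies: List[str] = field(default_factory=list)
    token_ttl: int = 3600

    def __post_init__(self) -> None:
        # Vault rejects a role that wildcards both lists, because it would bind every
        # service account in the cluster; mirror that check here.
        if "*" in self.bound_service_account_names and "*" in self.bound_service_account_namespaces:
            raise ValueError("a role may not wildcard both service account names and namespaces")


def login_body(role_name: str, jwt: str) -> Dict[str, str]:
    """JSON body a pod POSTs to VAULT_LOGIN_PATH; the JWT is its projected SA token."""
    return {"role": role_name, "jwt": jwt}


def parse_token_review(review: dict) -> Tuple[str, str]:
    """Extract (namespace, service account name) from a TokenReview response.

    Vault does not trust the JWT's own claims for this step: it calls the TokenReview
    API with token_reviewer_jwt and reads status.authenticated and status.user.username,
    which Kubernetes formats as system:serviceaccount:<namespace>:<name>.
    """
    status = review.get("status", {})
    if not status.get("authenticated"):
        raise PermissionError("TokenReview did not authenticate the token")
    username = status["user"]["username"]
    parts = username.split(":")
    if len(parts) != 4 or parts[0] != "system" or parts[1] != "serviceaccount":
        raise PermissionError(f"not a service account principal: {username}")
    return parts[2], parts[3]


def role_permits(role: KubernetesRole, namespace: str, sa_name: str) -> bool:
    """Apply the bound_* lists; "*" in a list matches any value."""
    names_ok = "*" in role.bound_service_account_names or sa_name in role.bound_service_account_names
    ns_ok = "*" in role.bound_service_account_namespaces or namespace in role.bound_service_account_namespaces
    return names_ok and ns_ok


def decide_login(role: KubernetesRole, review: dict) -> dict:
    """Return the attributes of the token Vault would issue, or raise PermissionError."""
    namespace, sa_name = parse_token_review(review)
    if not role_permits(role, namespace, sa_name):
        raise PermissionError(f"service account {namespace}/{sa_name} is not bound to role {role.role_name}")
    # Vault attaches the "default" policy in addition to token_policies unless
    # token_no_default_policy is set on the role.
    return {
        "policies": ["default", *role.token_policies],
        "ttl": role.token_ttl,
        "metadata": {"service_account_namespace": namespace, "service_account_name": sa_name},
    }


def login_allowed(role: KubernetesRole, review: dict) -> bool:
    """Convenience wrapper: True if decide_login would issue a token."""
    try:
        decide_login(role, review)
        return True
    except PermissionError:
        return False


# Constructed TokenReview responses (shape follows authentication.k8s.io/v1).
REVIEW_ALLOWED = {"status": {"authenticated": True, "user": {
    "username": "system:serviceaccount:default:example-service-account",
    "groups": ["system:serviceaccounts", "system:serviceaccounts:default"]}}}
REVIEW_WRONG_NS = {"status": {"authenticated": True, "user": {
    "username": "system:serviceaccount:staging:example-service-account"}}}
REVIEW_REJECTED = {"status": {"authenticated": False, "error": "token has expired"}}

# Mirrors the role created by the Pulumi program above.
EXAMPLE_ROLE = KubernetesRole("example-role", ["example-service-account"], ["default"],
                              ["example-policy"], 3600)

if __name__ == "__main__":
    print(login_body("example-role", "<projected-sa-jwt>"))
    print(decide_login(EXAMPLE_ROLE, REVIEW_ALLOWED))
    for review in (REVIEW_WRONG_NS, REVIEW_REJECTED):
        print("allowed:", login_allowed(EXAMPLE_ROLE, review))
```

    The REVIEW_WRONG_NS case is the one worth noticing: the same service account name in a different namespace is refused, which is why binding both the name and the namespace (rather than wildcarding either) keeps a role scoped to the workload it was created for.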

    Remember, managing sensitive data like the Kubernetes CA certificate and service account JWTs should be done with care. In Pulumi, you can use the Config class to set and reference secret values securely.