Kubernetes Vault

The Kubernetes-Vault project allows pods to automatically receive a Vault token using Vault's AppRole auth backend.

Highlights

• Secure by default. The Kubernetes-Vault controller does not allow using root tokens to authenticate against Vault.
• Prometheus metrics endpoint over http or https, with optional TLS client authentication.
• Supports using Vault as a CA or an external CA for all components with TLS support.
• High availability mode using Raft, so that if the leader goes down, a follower can take over immediately.
• Peer discovery using Kubernetes services and endpoints and gossip to propagate peer changes across the cluster.

Prerequisites:

• Vault should be 0.6.3 and above.
• You must use Kubernetes 1.6.0 and above as we rely on init containers (in beta) to accept the token.
• For Kubernetes 1.5.x and below, please use an older version of Kubernetes-Vault by referencing the compatibility table.
• You must generate a periodic token with the correct policy to generate secret_ids using the AppRole backend.
• The Kubernetes-Vault controller uses the Kubernetes service account to watch for new pods. This service account must have the appropriate permissions.
• Your app should use a Vault client to renew the token and any secrets you request from Vault.
• You should configure Vault to use HTTPS so that the authentication token and any other secrets cannot be sniffed.
• If using RBAC, the Kubernetes-Vault controller needs the following permissions

1. get its endpoint (headless service)
2. list and watch pods in all namespaces

Kubernetes-Vault uses Prometheus for metrics reporting. It exposes these metrics over the /metrics endpoint over http or https. This project is licensed under the Apache 2 License.