The Kubernetes-Vault project allows pods to automatically receive a Vault token using Vault’s AppRole auth backend.
Highlights
- Secure by default. The Kubernetes-Vault controller does not allow using root tokens to authenticate against Vault.
- Prometheus metrics endpoint over http or https, with optional TLS client authentication.
- Supports using Vault as a CA or an external CA for all components with TLS support.
- High availability mode using Raft, so that if the leader goes down, a follower can take over immediately.
- Peer discovery using Kubernetes services and endpoints and gossip to propagate peer changes across the cluster.
Prerequisites:
- Vault should be 0.6.3 and above.
- You must use Kubernetes 1.6.0 and above as we rely on init containers (in beta) to accept the token.
- For Kubernetes 1.5.x and below, use an older version of Kubernetes-Vault; see the compatibility table.
- You must generate a periodic token with a policy that permits generating secret_ids through the AppRole backend.
- The Kubernetes-Vault controller uses the Kubernetes service account to watch for new pods. This service account must have the appropriate permissions.
- Your app should use a Vault client to renew the token and any secrets you request from Vault.
- You should configure Vault to use HTTPS so that the authentication token and any other secrets cannot be sniffed.
- If using RBAC, the Kubernetes-Vault controller needs the following permissions:
  - get its endpoint (headless service)
  - list and watch pods in all namespaces
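The RBAC permissions above, written out as a least-privilege manifest (an added example, not a manifest shipped by the Kubernetes-Vault project): the endpoint read is scoped to one namespace and one object with a Role, while pod discovery, which must span all namespaces, gets a read-only ClusterRole. The namespace `kubernetes-vault`, the service account name and the headless service name are assumptions to replace with your own; on Kubernetes 1.6 and 1.7 use `rbac.authorization.k8s.io/v1beta1` instead of `v1`.

```yaml
# Namespaced Role: only "get" on the controller's own headless-service Endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-vault-endpoints
  namespace: kubernetes-vault          # assumed controller namespace
rules:
- apiGroups: [""]
  resources: ["endpoints"]
  resourceNames: ["kubernetes-vault"]  # assumed headless service name
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-vault-endpoints
  namespace: kubernetes-vault
subjects:
- kind: ServiceAccount
  name: kubernetes-vault               # assumed service account of the controller
  namespace: kubernetes-vault
roleRef:
  kind: Role
  name: kubernetes-vault-endpoints
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole: pod watching spans all namespaces, but stays read-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-vault-pods
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-vault-pods
subjects:
- kind: ServiceAccount
  name: kubernetes-vault
  namespace: kubernetes-vault
roleRef:
  kind: ClusterRole
  name: kubernetes-vault-pods
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:kubernetes-vault:kubernetes-vault` should answer `yes`, while the same check for `create secrets` should answer `no`.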
Kubernetes-Vault uses Prometheus for metrics reporting. It exposes these metrics on the /metrics endpoint over http or https.

This project is licensed under the Apache 2 License.