The Kubernetes-Vault project allows pods to automatically receive a Vault token using Vault’s AppRole auth backend.


  • Secure by default. The Kubernetes-Vault controller does not allow using root tokens to authenticate against Vault.
  • Prometheus metrics endpoint over http or https, with optional TLS client authentication.
  • Supports using Vault as a CA or an external CA for all components with TLS support.
  • High availability mode using Raft, so that if the leader goes down, a follower can take over immediately.
  • Peer discovery using Kubernetes services and endpoints and gossip to propagate peer changes across the cluster.


  • Vault should be 0.6.3 and above.
  • You must use Kubernetes 1.6.0 and above as we rely on init containers (in beta) to accept the token.
  • For Kubernetes 1.5.x and below, please use an older version of Kubernetes-Vault by referencing the compatibility table.
  • You must generate a periodic token with the correct policy to generate secret_ids using the AppRole backend.
  • The Kubernetes-Vault controller uses the Kubernetes service account to watch for new pods. This service account must have the appropriate permissions.
  • Your app should use a Vault client to renew the token and any secrets you request from Vault.
  • You should configure Vault to use HTTPS so that the authentication token and any other secrets cannot be sniffed.
  • If using RBAC, the Kubernetes-Vault controller needs the following permissions
  1. get its endpoint (headless service)
  2. list and watch pods in all namespaces

Kubernetes-Vault uses Prometheus for metrics reporting. It exposes these metrics over the /metrics endpoint over http or https. This project is licensed under the Apache 2 License.

Tell us about a new Kubernetes application


Never miss a thing! Sign up for our newsletter to stay updated.


Discover and learn about everything Kubernetes