我正在 Charmed Kubernetes v1.19 上使用 Vault CSI 驱动程序,并尝试按照以下说明从 Vault 中检索在单独的命名空间 ( webapp
) 中运行的 Pod 的机密,该 Pod 具有自己的服务帐户 ( )webapp-sa
博客。
据我目前所了解,Pod 正在尝试对 Kubernetes API 进行身份验证,以便稍后它可以生成 Vault 令牌来从 Vault 访问机密。
$ kubectl get po webapp
NAME READY STATUS RESTARTS AGE
webapp 0/1 ContainerCreating 0 22m
在我看来,使用 Kubernetes API 进行身份验证存在一些问题。
Pod 仍然停留在“容器正在创建”状态,并显示以下消息 -failed to create a service account token for requesting pod
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 35m default-scheduler Successfully assigned webapp/webapp to host-03
Warning FailedMount 4m38s (x23 over 35m) kubelet MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod webapp/webapp, err: rpc error: code = Unknown desc = error making mount request: **failed to create a service account token for requesting pod** {webapp xxxx webapp webapp-sa}: the server could not find the requested resource
我可以使用 pod 命名空间中的 cli 获取保险库令牌:
$ vault write auth/kubernetes/login role=database jwt=$SA_JWT_TOKEN
Key Value
--- -----
token <snipped>
我也确实使用 API 获取了保险库令牌:
$ curl --request POST --data @payload.json https://127.0.0.1:8200/v1/auth/kubernetes/login
{
"request_id":"1234",
<snipped>
"auth":{
"client_token":"XyZ",
"accessor":"abc",
"policies":[
"default",
"webapp-policy"
],
"token_policies":[
"default",
"webapp-policy"
],
"metadata":{
"role":"database",
"service_account_name":"webapp-sa",
"service_account_namespace":"webapp",
"service_account_secret_name":"webapp-sa-token-abcd",
"service_account_uid":"123456"
},
<snipped>
}
}
参考:https://www.vaultproject.io/docs/auth/kubernetes
根据保险库文档,我已经使用 Token Reviewer SA 配置了 Vault,如下所示:
$ cat vault-auth-service-account.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: role-token-review-binding
namespace: vault
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: vault
Vault 使用来自 Token Reviewer SA 的 JWT 配置如下:
$ vault write auth/kubernetes/config \
token_reviewer_jwt="< TOKEN Reviewer service account JWT>" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
[email protected]
我已经定义了一个 Vault Role 来允许webapp-sa
访问秘密:
$ vault write auth/kubernetes/role/database \
bound_service_account_names=webapp-sa \
bound_service_account_namespaces=webapp \
policies=webapp-policy \
ttl=72h
Success! Data written to: auth/kubernetes/role/database
webapp-sa
根据 Vault Policy 定义,允许访问机密,如下所示:
$ vault policy write webapp-policy - <<EOF
> path "secret/data/db-pass" {
> capabilities = ["read"]
> }
> EOF
Success! Uploaded policy: webapp-policy
Pod及其SA定义如下:
$ cat webapp-sa-and-pod.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
name: webapp-sa
---
kind: Pod
apiVersion: v1
metadata:
name: webapp
spec:
serviceAccountName: webapp-sa
containers:
- image: registry/jweissig/app:0.0.1
name: webapp
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
providerName: vault
secretProviderClass: "vault-database"
- 有谁知道为什么 Pod 无法通过 Kubernetes API 进行身份验证?
- 我是否必须在 kube-apiserver 上启用标志才能使 Token Review API 正常工作?
- 它在 Charmed Kubernetes v1.19 上默认启用吗?
如能帮助我将非常感激。
问候,萨娜