Issues upgrading Vault to 1.9.0 on Kubernetes
1. Error: permission denied
Fix: follow https://www.vaultproject.io/docs/auth/kubernetes#how-to-work-with-short-lived-kubernetes-tokens
and use the "Use client JWT as reviewer JWT" option. With it, Vault sends the JWT presented by the logging-in client to the TokenReview API, so that client's service account must itself be allowed to create TokenReviews (hence the ClusterRoleBinding change below).
Inspect the binding: kubectl get clusterrolebinding vault-server-binding -o yaml
Add the service account and its namespace under subjects:
    - kind: ServiceAccount
      name: testsa              # the service account that logs in to Vault
      namespace: testnamespace  # the namespace that service account lives in
Update the Kubernetes auth configuration in Vault: drop the reviewer token that was set before (token_reviewer_jwt) and add disable_local_ca_jwt=true:
    vault write auth/kubernetes/config \
        kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
        disable_local_ca_jwt=true \
        kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
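Before switching to the client-JWT-as-reviewer mode it is worth checking, per service account, that the binding really grants what Vault needs; the login fails with the same "permission denied" if the name is right but the namespace is wrong. The script below is an added example (not from the original post or the Vault project): it parses a ClusterRoleBinding manifest as printed by `kubectl get clusterrolebinding vault-server-binding -o yaml` and confirms that the roleRef is system:auth-delegator and that the given ServiceAccount/namespace pair is among the subjects. The manifest and the account names are constructed samples.

```shell
#!/bin/sh
# Added example: offline check of a ClusterRoleBinding manifest.
# In a live cluster, feed it the output of:
#   kubectl get clusterrolebinding vault-server-binding -o yaml

# Constructed sample manifest, mirroring the binding edited above.
SAMPLE_BINDING='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-server-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault
  namespace: vault
- kind: ServiceAccount
  name: testsa
  namespace: testnamespace
'

# binding_grants_auth_delegator MANIFEST SA NAMESPACE
# Exit status 0 when the roleRef is system:auth-delegator (the ClusterRole
# that allows creating TokenReviews) AND the subjects list contains a
# ServiceAccount with exactly that name and namespace. A matching name in
# a different namespace is rejected.
binding_grants_auth_delegator() {
    printf '%s\n' "$1" | awk -v sa="$2" -v ns="$3" '
        # Evaluate the subject entry collected so far, then reset it.
        function flush() {
            if (kind == "ServiceAccount" && name == sa && nsv == ns) subj_ok = 1
            kind = ""; name = ""; nsv = ""
        }
        /^roleRef:/   { in_ref = 1; in_subj = 0; next }
        /^subjects:/  { in_ref = 0; in_subj = 1; next }
        /^[^ -]/      { if (in_subj) flush(); in_ref = 0; in_subj = 0 }  # other top-level key
        in_ref  && $1 == "name:" && $2 == "system:auth-delegator" { ref_ok = 1 }
        in_subj && /^- /           { flush() }      # "- kind: ..." starts a new subject
        in_subj && /kind:/         { kind = $NF }
        in_subj && /^[- ]*name:/   { name = $NF }   # does not match "namespace:"
        in_subj && /namespace:/    { nsv = $NF }
        END { if (in_subj) flush(); exit (ref_ok && subj_ok) ? 0 : 1 }'
}

if binding_grants_auth_delegator "$SAMPLE_BINDING" testsa testnamespace; then
    echo "testsa/testnamespace may create TokenReviews via vault-server-binding"
else
    echo "binding does not grant system:auth-delegator to testsa/testnamespace" >&2
fi
```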