bug: authentication to external k8s cluster fails about vault-plugin-auth-kubernetes HOT 4 CLOSED

Hi folks, the new disable_local_ca_jwt option that went out in vault 1.5.4 should allow you to disable use of the local token: https://www.vaultproject.io/api-docs/auth/kubernetes#disable_local_ca_jwt

from vault-plugin-auth-kubernetes.

isn't this expected behaviour? this feature could work only with cluster where it runs otherwise you have to set tokenReviewer explicitly.

from vault-plugin-auth-kubernetes.

@riuvshyn No that isn't true. If you don't specify the tokenReviewer it uses the JWT itself.

As the documentation states

A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

And as long as that JWT has the necessary permissions (system:auth-delegator).

I have verified this works as expected.

from vault-plugin-auth-kubernetes.

I'm happy to open another PR to expose an extra config to specify whether to default to using the Vault deployment's SA JWT or the JWT to be verified as the auth delegator, but we'd need to decide which one we want as default behaviour.

I do find it a bit odd having to grant extra auth delegator privileges to service accounts which need to be authenticated, rather than the Vault SA being granted those privileges, but happy to take input?

Edited: I just looked at your PR, and it seems like a reasonable workaround to use the local pod credentials all together when none of the CA cert and token reviewer JWT have been set,

from vault-plugin-auth-kubernetes.