
I have a unique HashiCorp Vault service running in a Kubernetes cluster.

I would like to be able to use Vault to create K8S serviceAccount tokens for several Kubernetes clusters. The Kubernetes Secret Engine seems to be the good way to do it on one cluster. However, this secret engine is only providing serviceAccounts for its own K8S cluster (where Vault is running).

Is there a way to secure a Vault connection to several Kubernetes clusters so that it can provide credentials for them too?


The only way I can think of is to have multiple Vault instances, one on each Kubernetes cluster. So each Vault cluster will be able to deliver credentials for its own k8s cluster.

That's not an ideal solution, because each additional instance means additional work for my team (especially unsealing the nodes every time we have some maintenance on the servers), so I'd love to have another trail.

Additional note: I already did configure with success multiple Kubernetes auth methods with the central Vault service, and this is not what I am asking for here. The Kubernetes auth method is about being able to authenticate any K8S Pod to Vault, while the Kubernetes secret engine is about generating K8S credentials for anything that is connected to the central Vault.

Orabîg
  • 259

1 Answer


You set up multiple K8s secret engines, with the config of the K8s clusters in question. You can take the example config given and change the values.

Each K8s cluster needs its own auth, as well. But nothing you configure in Vault is dependent on matching the K8s cluster that it's hosted on (not all of us run Vault in K8s in the first place, so it can't be strictly dependent on that.)

See the API documentation for all the config options.

You can read another tutorial for using the K8s secret engine.

More links:

Vault forum post titled "Vault integrate with multi k8s clusters"

Article showing Vault with multiple secret engines, one per cluster. This one very specifically does show two engines being created. (My first writing of this said they were k8s engines, which was incorrect.)

vault secrets enable -path=staging-secrets kv-v2
vault secrets enable -path=prod-secrets kv-v2

Those are kv engines, but you can make them be kubernetes secret engines instead.

mfinni
  • 36,892
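The per-cluster mount pattern the answer describes, written out as an added example (not code from the question, the answer, or HashiCorp): one central Vault gets a separate Kubernetes secrets engine mount for each external cluster, each configured with that cluster's API endpoint, CA bundle and a token for a service account that lives on the remote cluster. Cluster names, hostnames, file names, role names and TTLs are assumptions. `VAULT_CMD` defaults to `echo` so the script only prints the commands it would run; set `VAULT_CMD=vault` (with `VAULT_ADDR` and `VAULT_TOKEN`) to execute them.

```shell
#!/bin/sh
# Added example (not the original answer's code): connect one central Vault to
# several external Kubernetes clusters, one Kubernetes secrets engine mount per
# cluster. Hostnames, file names, roles and TTLs below are assumptions.
#
# Dry-run by default: VAULT_CMD=echo prints the commands. Use VAULT_CMD=vault
# to run them against a real Vault (VAULT_ADDR / VAULT_TOKEN must be set).
: "${VAULT_CMD:=echo}"

# Enable a Kubernetes secrets engine at a per-cluster path and point it at the
# remote API server. The credentials are a CA bundle and a service-account JWT
# exported from the *remote* cluster; disable_local_ca_jwt stops Vault from
# falling back to its own pod's service account on the cluster it runs in.
enable_k8s_engine() {
    cluster="$1"; host="$2"; ca_file="$3"; jwt_file="$4"
    mount="kubernetes-${cluster}"
    $VAULT_CMD secrets enable -path="$mount" kubernetes
    $VAULT_CMD write "${mount}/config" \
        kubernetes_host="$host" \
        kubernetes_ca_cert="@${ca_file}" \
        service_account_jwt="@${jwt_file}" \
        disable_local_ca_jwt=true
}

# Define a role on a given mount that issues tokens for an existing service
# account in the remote cluster. The TTLs bound the lifetime of every token
# generated through this role.
create_role() {
    cluster="$1"; role="$2"; namespace="$3"; sa_name="$4"
    $VAULT_CMD write "kubernetes-${cluster}/roles/${role}" \
        allowed_kubernetes_namespaces="$namespace" \
        service_account_name="$sa_name" \
        token_default_ttl=10m \
        token_max_ttl=1h
}

# Request a short-lived token: Vault calls the remote cluster's TokenRequest
# API on the caller's behalf and returns the token in the response.
get_creds() {
    cluster="$1"; role="$2"; namespace="$3"
    $VAULT_CMD write "kubernetes-${cluster}/creds/${role}" \
        kubernetes_namespace="$namespace" \
        ttl=10m
}

# Demo: two external clusters, each with its own mount, role and token request.
# The CA and JWT files are assumed to have been exported from each cluster.
enable_k8s_engine staging https://staging-api.example.internal:6443 staging-ca.crt staging-vault-sa.jwt
enable_k8s_engine prod    https://prod-api.example.internal:6443    prod-ca.crt    prod-vault-sa.jwt
create_role staging deployer ci deployer-sa
create_role prod    deployer ci deployer-sa
get_creds staging deployer ci
get_creds prod    deployer ci
```

The service account whose JWT is handed to Vault must be granted, on the remote cluster, the RBAC permissions the engine needs to create tokens for the target service accounts; Vault's policies then decide which clients may read `kubernetes-<cluster>/creds/<role>`. Because each cluster is its own mount, a compromised or decommissioned cluster can be disabled with a single `vault secrets disable` without touching the others.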