diff --git a/website/source/api/auth/kubernetes/index.html.md b/website/source/api/auth/kubernetes/index.html.md index 3963361cee..2ae2f46387 100644 --- a/website/source/api/auth/kubernetes/index.html.md +++ b/website/source/api/auth/kubernetes/index.html.md @@ -29,20 +29,21 @@ access the Kubernetes API. | `POST` | `/auth/kubernetes/config` | `204 (empty body)` | ### Parameters - - `pem_keys` `(array: )` - List of PEM-formated public keys or certificates + - `kubernetes_host` `(string: )` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + - `kubernetes_ca_cert` `(string: "")` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + - `pem_keys` `(array: [])` - Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be - extracted. - - `kubernetes_host` `(string: )` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. - - `kubernetes_ca_cert` `(string: "")` - PEM encoded CA cert for use by the TLS client used to talk with the API. + extracted. Not every installation of Kuberentes exposes these + keys. ### Sample Payload ```json { - "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----", "kubernetes_host": "https://192.168.99.100:8443", - "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----" + "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----", + "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----" } ``` 
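Review bot: the sample payload still passes `pem_keys` as a single string while the parameter list now documents it as `(array: [])`; make the two agree, e.g. `"pem_keys": ["-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----"]`. The added parameter lines also carry two typos, "PEM-formated" (should be "PEM-formatted") and "Kuberentes" (should be "Kubernetes"). Since `pem_keys` is now optional and the text only says the keys are used to verify service account JWT signatures, the description should also state how a JWT is validated when no keys are configured, so an operator reading this page knows which check they are relying on after omitting the keys.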
@@ -77,9 +78,9 @@ $ curl \ ```json { "data":{ - "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----", "kubernetes_host": "https://192.168.99.100:8443", - "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----" + "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----", + "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----" }, ... } diff --git a/website/source/docs/auth/kubernetes.html.md b/website/source/docs/auth/kubernetes.html.md index 1f7c1ba16b..88456e0bb9 100644 --- a/website/source/docs/auth/kubernetes.html.md +++ b/website/source/docs/auth/kubernetes.html.md @@ -99,7 +99,6 @@ configure it, use the `/config` endpoint. ``` $ vault write auth/kubernetes/config \ - pem_keys=@signingkey.crt \ kubernetes_host=https://192.168.99.100:8443 \ kubernetes_ca_cert=@ca.crt ``` @@ -122,6 +121,7 @@ it gives it the default policy. ## Configuring Kubernetes +### Token Review Lookup This backend accesses the [Kubernetes TokenReview API](https://kubernetes.io/docs/api-reference/v1.7/#tokenreview-v1-authentication) to validate the provided JWT is still valid. Kubernetes should be running with 
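Review bot: same type mismatch as in the request sample: `pem_keys` is documented as an array but the sample read response shows a bare string; render it as a one-element array so the response matches the documented type.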
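Review bot: dropping `pem_keys=@signingkey.crt` from the `vault write auth/kubernetes/config` example leaves the docs page with no example of how the keys are supplied at all; keep a second example, or add a sentence after the block, showing the optional `pem_keys=@signingkey.crt` form for installations that do expose the signing key.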
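Review bot: the new `### Token Review Lookup` heading is inserted directly above "This backend accesses" with no blank line after it, unlike the `### RBAC Configuration` and `### GKE` headings added later in the same file, which are followed by a blank line; add the blank line for consistency. The heading also spells it "Token Review" while the paragraph under it says "TokenReview API"; pick one spelling.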
@@ -130,10 +130,12 @@ versions prior should ensure the Kubernetes API server is started with with this setting. Otherwise deleted tokens in Kubernetes will not be properly revoked and will be able to authenticate to this backend. +### RBAC Configuration + Service Accounts used in this backend will need to have access to the -TokenReview API. If Kubernetes is configured to use RBAC roles the Service -Account should be granted permissions to access this API. The following -example ClusterRoleBinding could be used to grant these permissions: +TokenReview API. If Kubernetes is configured to use Role Based Access Control +the Service Account should be granted permissions to access this API. The +following example ClusterRoleBinding could be used to grant these permissions: ``` apiVersion: rbac.authorization.k8s.io/v1beta1 @@ -151,6 +153,12 @@ subjects: namespace: default ``` +### GKE + +Currently the Token Review API endpoint is only available in alpha clusters on +Google Container Engine. This means on GKE this backend can only be used with an +alpha cluster. + ## API The Kubernetes Auth Plugin has a full HTTP API. Please see the
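Review bot: "Role Based Access Control" should be hyphenated and carry the acronym on first use, "Role-Based Access Control (RBAC)", since the heading added just above it is `### RBAC Configuration` and the reader needs to connect the two. While this paragraph is being reworded, the unchanged context line above it reads "started with with this setting", a duplicated word worth fixing in the same change.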
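Review bot: the new GKE section states a limitation of a hosted product ("only available in alpha clusters") that will go stale silently; qualify it with the date or Kubernetes version it was verified against, or link to the Google Container Engine documentation on alpha clusters, so readers can tell when it no longer applies. Also write "TokenReview API" here to match the term used in the rest of the page.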