From 5bc84c9b3ed3bd4990b7314e6a65a1662e8e2f90 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 25 Dec 2025 03:43:17 -0300
Subject: [PATCH] vault: use dedicated service account for k8s auth
---
 services/vault/kustomization.yaml | 2 ++
 services/vault/rbac.yaml | 13 +++++++++++++
 services/vault/serviceaccount.yaml | 6 ++++++
 services/vault/statefulset.yaml | 1 +
 4 files changed, 22 insertions(+)
 create mode 100644 services/vault/rbac.yaml
 create mode 100644 services/vault/serviceaccount.yaml
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 9fdb0612..b39fc480 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 namespace: vault
 resources:
 - namespace.yaml
+ - serviceaccount.yaml
+ - rbac.yaml
 - configmap.yaml
 - statefulset.yaml
 - service.yaml
diff --git a/services/vault/rbac.yaml b/services/vault/rbac.yaml
new file mode 100644
index 00000000..d1caa187
--- /dev/null
+++ b/services/vault/rbac.yaml
@@ -0,0 +1,13 @@
+# services/vault/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: vault
diff --git a/services/vault/serviceaccount.yaml b/services/vault/serviceaccount.yaml
new file mode 100644
index 00000000..56c4181d
--- /dev/null
+++ b/services/vault/serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/vault/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault
+ namespace: vault
diff --git a/services/vault/statefulset.yaml b/services/vault/statefulset.yaml
index d1b22c89..bd15607f 100644
--- a/services/vault/statefulset.yaml
+++ b/services/vault/statefulset.yaml
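Review bot: The new rbac.yaml binds the `vault` ServiceAccount to the built-in `system:auth-delegator` ClusterRole cluster-wide, yet the only comment in the file is its own path, so a later reader has no record of why a cluster-scoped grant is needed rather than a namespaced RoleBinding. I would replace the path comment with `# The kubernetes auth method validates client JWTs via the TokenReview API; system:auth-delegator is the built-in ClusterRole that grants it, and TokenReview is cluster-scoped, hence a ClusterRoleBinding.` The binding name `vault-auth-delegator` is also cluster-scoped and carries no namespace, so a second Vault deployment in another namespace would collide with it; a namespace-qualified name avoids that if it ever becomes a possibility. The subject's `namespace: vault` is hard-coded even though kustomization.yaml already sets `namespace: vault`; kustomize's namespace transformer is expected to rewrite ServiceAccount subjects, but that is worth confirming against the rendered output if the overlay namespace ever changes.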
@@ -17,6 +17,7 @@ spec:
 labels:
 app: vault
 spec:
+ serviceAccountName: vault
 nodeSelector:
 node-role.kubernetes.io/worker: "true"
 kubernetes.io/arch: arm64
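Review bot: `serviceAccountName: vault` is added without a comment tying it to the new RBAC, and the pod spec it sits in starts and ends outside the hunk, so it cannot be seen here whether `automountServiceAccountToken` is disabled anywhere in that spec — if it is, the dedicated account is selected but Vault has no projected token to present to the TokenReview API and the new binding goes unused. I would add an inline comment, `serviceAccountName: vault  # its projected token is what the kubernetes auth method uses for TokenReview (see rbac.yaml)`, and confirm automount is left at its default in the surrounding spec. Since no serviceAccountName existed before, the pod presumably ran as the namespace's `default` account; moving to a dedicated one is the right direction, as it stops the Vault pod from sharing a credential with anything else in the namespace and keeps the auth-delegator grant off `default`.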