From 77ecf3229e17a6bb435aa7401e412414556acbb3 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 25 Dec 2025 03:43:17 -0300
Subject: [PATCH] vault: use dedicated service account for k8s auth

---
 services/vault/kustomization.yaml  | 2 ++
 services/vault/rbac.yaml           | 13 +++++++++++++
 services/vault/serviceaccount.yaml | 6 ++++++
 services/vault/statefulset.yaml    | 1 +
 4 files changed, 22 insertions(+)
 create mode 100644 services/vault/rbac.yaml
 create mode 100644 services/vault/serviceaccount.yaml

diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 9fdb061..b39fc48 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 namespace: vault
 resources:
   - namespace.yaml
+  - serviceaccount.yaml
+  - rbac.yaml
   - configmap.yaml
   - statefulset.yaml
   - service.yaml
diff --git a/services/vault/rbac.yaml b/services/vault/rbac.yaml
new file mode 100644
index 0000000..d1caa18
--- /dev/null
+++ b/services/vault/rbac.yaml
@@ -0,0 +1,13 @@
+# services/vault/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: vault
+    namespace: vault
diff --git a/services/vault/serviceaccount.yaml b/services/vault/serviceaccount.yaml
new file mode 100644
index 0000000..56c4181
--- /dev/null
+++ b/services/vault/serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/vault/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: vault
diff --git a/services/vault/statefulset.yaml b/services/vault/statefulset.yaml
index d1b22c8..bd15607 100644
--- a/services/vault/statefulset.yaml
+++ b/services/vault/statefulset.yaml
@@ -17,6 +17,7 @@ spec:
       labels:
         app: vault
     spec:
+      serviceAccountName: vault
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
         kubernetes.io/arch: arm64
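Review bot: The header comment `# services/vault/rbac.yaml` only restates the file path; a reader of this ClusterRoleBinding needs to know why a cluster-scoped grant exists and that `system:auth-delegator` is the minimum the Vault Kubernetes auth method needs. Suggested replacement: `# Grants the vault ServiceAccount system:auth-delegator (create on tokenreviews/subjectaccessreviews) so Vault's Kubernetes auth method can validate client service-account JWTs; cluster-scoped because TokenReview is not namespaced. Do not widen this role.` The same path-only comment heads serviceaccount.yaml. Because ClusterRoleBinding names are cluster-global, reusing `vault-auth-delegator` from a second overlay that targets a different namespace would have the later apply silently replace the earlier binding's subjects, so the name should probably carry the environment if this kustomization is ever deployed more than once per cluster.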
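Review bot: `serviceAccountName: vault` moves the pod off the namespace's `default` ServiceAccount, but the commit does not say what `default` was granted before; if `default` had been bound to `system:auth-delegator` (or anything else) to make Vault work, that binding should be removed in the same change so the privilege does not linger on the account every other pod in the namespace receives implicitly. Vault's Kubernetes auth method, when no explicit `token_reviewer_jwt` is configured, uses the token mounted into its own pod, so the `vault` SA and this pod template must keep `automountServiceAccountToken` at its default of true; a one-line comment above the new line would make that dependency explicit: `# dedicated SA; its mounted token is what Vault presents to the TokenReview API (binding in rbac.yaml)`. The enclosing StatefulSet spec starts before and continues past the hunk.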