From 48a4fd0dd1c9e821229dbf24b0bcaf6da4eb4353 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 8 Mar 2026 12:44:17 +1100
Subject: [PATCH] feat: add templated policies for kubernetes

- add default kubernetes auth role
- add templated access kv/kubernetes/*
---
 .../k8s/au/syd1/default.yaml | 6 ++++++
 policies/kv/kubernetes/default.yaml | 16 ++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/default.yaml
 create mode 100644 policies/kv/kubernetes/default.yaml

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/default.yaml b/config/auth_kubernetes_role/k8s/au/syd1/default.yaml
new file mode 100644
index 0000000..4f0b50c
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/default.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - default
+bound_service_account_namespaces: ['*']
+token_ttl: 600
+token_max_ttl: 600
+audience: vault
diff --git a/policies/kv/kubernetes/default.yaml b/policies/kv/kubernetes/default.yaml
new file mode 100644
index 0000000..ebb93d2
--- /dev/null
+++ b/policies/kv/kubernetes/default.yaml
@@ -0,0 +1,16 @@
+# Templated access to kv secrets for kubernetes
+#
+# kv/kubernetes/namespace//
+# kv/kubernetes/cluster///
+---
+rules:
+ - path: "kv/data/kubernetes/namespace/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_namespace}}/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_name}}/*"
+ capabilities:
+ - read
+ - path: "kv/data/kubernetes/cluster/au/syd1/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_namespace}}/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_name}}/*"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - default
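Review bot: `bound_service_account_namespaces: ['*']` combined with `bound_service_account_names: [default]` lets the `default` service account of every namespace in the cluster log in through this role, and in Kubernetes that is the identity of every pod that neither sets `serviceAccountName` nor disables token automount, so any workload that anyone can schedule anywhere (kube-system included) can obtain a Vault token from it. The templated policy attached to the role scopes reads to that namespace's own `default` path, which bounds the blast radius, but it also means every unrelated pod in a namespace that runs as `default` sees the same secrets, and there is no way to exclude system namespaces once `*` is used. If that breadth is intended I would record it in the file, e.g. `# Every namespace's default SA may log in; secrets under kv/kubernetes/namespace/<ns>/default/* are readable by every pod in <ns> that runs as the default SA`, and keep anything sensitive under a dedicated SA rather than `default`. `audience: vault` is the right call since it should reject tokens without that audience claim, but a one-line comment that pods must mount a projected token with `audience: vault` would save the first person whose login fails.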
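Review bot: Both `path` rules key their templates on the mount accessor `auth_kubernetes_ac24966b`, which Vault generates when the auth method is mounted, so this policy only resolves in the one Vault where that accessor exists and will silently stop matching after a re-mount, a DR rebuild, or in any other environment; if I read Vault's templating rules correctly an unresolvable placeholder makes the rule non-matching rather than raising an error, so the symptom would be unexplained permission denied for every pod. The accessor is also the only thing tying these rules to the `k8s/au/syd1` mount named under `auth:`, yet nothing in the file records that relationship. At minimum I would add `# auth_kubernetes_ac24966b is the accessor of the k8s/au/syd1 mount (vault auth list); it must be updated if that mount is ever recreated` above `rules:`, and ideally have the tooling that applies these files look the accessor up and substitute it so the generated value is not committed. Separately, as shown here the header comment's example paths read `kv/kubernetes/namespace//` and `kv/kubernetes/cluster///` — if that is not a rendering artefact, the `<namespace>/<service-account>` placeholders are missing and the comment no longer documents the rule shape.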