1

I have my own hosted Kubernetes cluster where I store my secrets in vault. To give my microservices access to the secrets managed by vault, I want to authenticate my microservices via their service accounts. The problem I'm facing is that vault rejects the service accounts (JWTs) with the following error:

apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority

The service accounts are signed with Kubernetes own CA. I did not replace this with Vault's pki solution. Is it possible to configure Vault to trust my Kubernetes CA certificate and therefore the JWTs?

Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37
Sebastian Ullrich
  • 1,007
  • 11
  • 21

1 Answers1

2

This kind of error can be caused by a recent change to Service Account Issuer Discovery in Kubernetes 1.21.

In order to mitigate this issue, there are a couple of options that you can choose from based on your expectations:

  1. Manually create a service account, secret and mount it in the pod as mentioned on this github post.
  2. Disable issuer validation as mentioned on another github post.
  3. Downgrade the cluster to version 1.20.

There are also a couple of external blog articles about this on banzaicloud.com and particule.io.

Harsh Manvar
  • 27,020
  • 6
  • 48
  • 102
Piotr Malec
  • 3,429
  • 11
  • 16