Using Vault with multiple dynamic namespaces in Kubernetes
When you create the Vault role, you can configure bound_service_account_namespaces to be the special value *, and allow a fixed service account name from any namespace. To adapt the "create role" example from the documentation:
vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces='*' \
    policies=default \
    ttl=1h
You have to recreate the Kubernetes service account in every namespace, and it must have the exact name specified in the role. However, the Kubernetes service account is a single k8s object and it's not any harder than the Deployments, Services, ConfigMaps, and Secrets you already have; this pattern doesn't require any Vault reconfiguration.
(If you're using a templating tool like Helm, the service account can't follow a naming convention like {{ .Release.Name }}-{{ .Chart.Name }}: Vault doesn't appear to have any sort of pattern matching on this name.)
Service Accounts are namespaced and therefore not shared, so you may copy the token from one account to another, but that is not the recommended way.
C02W84XMHTD5:kubernetes-gitlab iahmad$ kubectl api-resources --namespaced | grep service
serviceaccounts sa true ServiceAccount
services svc true Service
C02W84XMHTD5:kubernetes-gitlab iahmad$
If you want to share a secret or account the way you are trying to do, then there is no need to use vault at all.
You may just need to automate this process, instead of sharing accounts.