Using Vault with multiple dynamic namespaces in Kubernetes

Tags: kubernetes


When you create the Vault role, you can configure bound_service_account_namespaces to be the special value *, and allow a fixed service account name from any namespace. To adapt the "create role" example from the documentation:

vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces='*' \
    policies=default \
    ttl=1h

You have to recreate the Kubernetes service account in every namespace, and it must have the exact name specified in the role. However, the Kubernetes service account is a single k8s object and it's not any harder than the Deployments, Services, ConfigMaps, and Secrets you already have; this pattern doesn't require any Vault reconfiguration.

(If you're using a templating tool like Helm, the service account can't follow a naming convention like {{ .Release.Name }}-{{ .Chart.Name }}: Vault doesn't appear to have any sort of pattern matching on this name.)
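To see why the fixed-name, wildcard-namespace role works while a Helm-templated name does not, here is an added Python model of the role's matching rule (it is not Vault's code): it reads the namespace and service-account claims from a constructed token payload and applies the bound lists exactly, literal match or '*'. Vault additionally validates the token through the Kubernetes TokenReview API before consulting these claims; the model skips that step and the claim names are the standard Kubernetes service-account ones.

```python
import base64
import json

NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def make_token_payload(namespace, sa_name):
    """Build a constructed (unsigned) JWT payload segment like the one in a
    Kubernetes service-account token, base64url without padding."""
    claims = {
        "iss": "kubernetes/serviceaccount",
        NS_CLAIM: namespace,
        NAME_CLAIM: sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    raw = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(segment):
    """Restore base64url padding and parse the JSON claims."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_role(names, namespaces):
    """Model of 'vault write auth/kubernetes/role/...': Vault rejects a role
    whose only bound name AND only bound namespace are both '*'."""
    names, namespaces = set(names), set(namespaces)
    if names == {"*"} and namespaces == {"*"}:
        raise ValueError("bound names and bound namespaces cannot both be '*'")
    return {"bound_service_account_names": names,
            "bound_service_account_namespaces": namespaces}


def role_admits(role, payload_segment):
    """Exact-match check: each claim must be listed, or the list holds '*'.
    There is no glob or template matching, so 'team-a-myapp' != 'vault-auth'."""
    claims = decode_payload(payload_segment)
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    name_ok = "*" in names or claims[NAME_CLAIM] in names
    ns_ok = "*" in namespaces or claims[NS_CLAIM] in namespaces
    return name_ok and ns_ok


if __name__ == "__main__":
    demo = make_role(["vault-auth"], ["*"])          # the role from the answer
    print(role_admits(demo, make_token_payload("team-a", "vault-auth")))     # True
    print(role_admits(demo, make_token_payload("team-a", "team-a-myapp")))   # False
```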


Service Accounts are namespaced and therefore not shared, so you may copy the token from one account to another, but that is not the recommended way.

C02W84XMHTD5:kubernetes-gitlab iahmad$ kubectl api-resources --namespaced | grep service
serviceaccounts             sa                                       true         ServiceAccount
services                    svc                                      true         Service
C02W84XMHTD5:kubernetes-gitlab iahmad$

If you want to share a secret or account the way you are trying to do, then there is no need to use Vault at all.

You may just need to automate this process, instead of sharing accounts.