hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Allow multiple cluster-roles Kubernetes secret engine Vault role #18435

Open aldelsa opened 1 year ago

aldelsa commented 1 year ago

Hello, we are trying to create a secret that involves multiple roles in our Kubernetes cluster. The problem is that we cannot create multiple RBAC chains for a single service account. The idea is to have:

Is it possible to generate those three RBAC chains with Vault with a single resulting JWT? As we read in the documentation, we only have the possibility to create one using a single RBAC chain: Doc

Thanks in advance

f4z3r commented 1 year ago

Hi @aldelsa, no, it does not seem to be possible to have Vault create the objects as you describe in the description.

If I understand you correctly, you would want to have Vault generate all the objects you referenced above (3 ClusterRoles, 1 CRB, 2 RB)? I think the biggest issue here, when considering how to implement this, is how to design the API so that it does not become too complex to use while providing the flexibility you desire (and does not break backward compatibility).

What would the API look like in an ideal world for you? I would be happy to open a PR implementing such a feature, as I think this might become relevant for me as well at some point further down the road, but in all honesty I am struggling to see a clean way to design the API.