AshitAcharya

Reputation: 113

Kubernetes to Vault Authentication Failure

Good evening! Hope you are all doing well. I am trying to set up integration of K8s to Vault and am stuck with this error message: x509: certificate signed by unknown authority

Kubernetes is running on AWS EKS and Vault is HA setup behind classic Load Balancer and Route 53 entry.

I am following this link: https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s Instead of Minikube, I am specifying my Kubernetes cluster. I tried every possible way I can think of, but every time I get the same error.

https://:8443/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority

vault-config (tls_disable is set because I am doing SSL termination at the Load Balancer level):

    {
      "listener": [{
        "tcp": {
          "address": "0.0.0.0:8200",
          "tls_disable": 1
        }
      }],
      "api_addr": "http://<Instance_IP>:8200",
      "storage": {
        "dynamodb": {
          "ha_enabled": "true",
          "region": "<region_name>",
          "table": "<table_name>"
        }
      },
      "max_lease_ttl": "10h",
      "default_lease_ttl": "10h",
      "ui": true
    }

Tried to enable auth with: 'vault auth enable -tls-skip-verify kubernetes' and 'vault auth enable kubernetes' both but no luck.

Please help. Let me know if you need any information from me.

Upvotes: 0

Views: 3337

Answers (1)

sethvargo

Reputation: 26997

You cannot disable CA validation with the kubernetes auth method. When you enable the auth method, you need to specify the kubernetes_host and kubernetes_ca_cert. The host is the FQDN to your Kubernetes host (API server). The ca_cert is the public certificate authority to validate the request to the API server.

Each cloud provider has its own way of exposing the CA, since it might belong to a load balancer instead of directly on the cluster. It looks like you're using AWS, so here are those docs. You need to pull the certificate-authority-data field, since that's the CA, and give it to Vault.

Upvotes: 6
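The steps the answer describes (take the cluster's API server address and its certificate-authority-data from the kubeconfig, decode the CA to PEM, and hand both to Vault's auth/kubernetes/config endpoint), worked through as an added example. This is not code from the question, the answer, or the HashiCorp tutorial: it parses the JSON form of a kubeconfig as `kubectl config view --raw -o json` prints it, and the embedded kubeconfig, server name and CA body are constructed placeholders rather than real EKS values. The `token_reviewer_jwt` value is assumed to come from the Vault service account described in the tutorial.

```python
import base64
import json
import shlex
import ssl

# Constructed sample of `kubectl config view --raw -o json` output.
# The server name is a placeholder and the CA body is placeholder base64,
# not a real certificate; a real EKS kubeconfig is larger but has the same shape.
SAMPLE_KUBECONFIG_JSON = json.dumps({
    "current-context": "eks-example",
    "contexts": [{"name": "eks-example",
                  "context": {"cluster": "eks-cluster", "user": "eks-user"}}],
    "clusters": [{
        "name": "eks-cluster",
        "cluster": {
            "server": "https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com",
            "certificate-authority-data": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\n"
                b"MIIBkTCB+wIJAPLACEHOLDER\n"
                b"-----END CERTIFICATE-----\n"
            ).decode("ascii"),
        },
    }],
})


def cluster_for_current_context(kubeconfig: dict) -> dict:
    """Resolve current-context -> context.cluster -> cluster entry."""
    ctx_name = kubeconfig["current-context"]
    ctx = next(c for c in kubeconfig["contexts"] if c["name"] == ctx_name)["context"]
    return next(c for c in kubeconfig["clusters"] if c["name"] == ctx["cluster"])["cluster"]


def decode_ca_pem(cluster: dict) -> str:
    """Return the cluster CA as PEM text, which is what kubernetes_ca_cert expects.

    certificate-authority-data is base64 of the PEM file, so it is decoded once
    here. A kubeconfig without it (or with something that is not a PEM certificate)
    is rejected: Vault has no way to validate the API server without the CA, which
    is exactly the 'certificate signed by unknown authority' failure in the question.
    """
    data = cluster.get("certificate-authority-data")
    if not data:
        raise ValueError("kubeconfig cluster has no certificate-authority-data")
    pem = base64.b64decode(data).decode("ascii")
    # Checks the BEGIN/END CERTIFICATE markers and that the body is base64;
    # raises ValueError otherwise.
    ssl.PEM_cert_to_DER_cert(pem)
    return pem


def vault_kubernetes_config(kubeconfig: dict, token_reviewer_jwt: str) -> dict:
    """Build the parameters for `vault write auth/kubernetes/config`."""
    cluster = cluster_for_current_context(kubeconfig)
    return {
        "kubernetes_host": cluster["server"],          # FQDN of the API server
        "kubernetes_ca_cert": decode_ca_pem(cluster),  # PEM CA, not base64
        "token_reviewer_jwt": token_reviewer_jwt,      # assumed: Vault SA token
    }


def vault_write_command(config: dict) -> str:
    """Render the equivalent CLI command, shell-quoted so the PEM survives intact."""
    parts = ["vault", "write", "auth/kubernetes/config"]
    parts += [f"{key}={shlex.quote(value)}" for key, value in config.items()]
    return " ".join(parts)


if __name__ == "__main__":
    cfg = vault_kubernetes_config(json.loads(SAMPLE_KUBECONFIG_JSON),
                                  token_reviewer_jwt="<vault-sa-jwt>")
    print(vault_write_command(cfg))
```

The same resolution can be done with `kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d` and piping the result into `kubernetes_ca_cert=@ca.crt`; the point of the decode step is that Vault wants the PEM text, while the kubeconfig stores it base64-encoded.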
