This is a Kubernetes Admission Webhook that can modify pods to interact with Vault. The basic use case is to attach a sidecar container that runs Vault Agent and syncs the Vault token so that it is available to the other containers in the pod via a volumeMount.
Pods can customize their interaction with the webhook via annotations, see below.
A helm chart is available to deploy this project to your cluster, see below.
| Annotation | Description | Examples |
|---|---|---|
| vaultproject.io/vault_k8s_auth_role | Required. Vault Kubernetes auth method role name for the pod to authenticate as. If this is not set, the Pod will not be modified by the admission webhook. | myapp |
| vaultproject.io/vault_agent_exit_after_auth | Optional. Set this to "true" (String, not Boolean) to exit the vault agent container after a successful token write. | "true" |
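As an added illustration of what the webhook does with the annotations above (this is example code, not the project's own implementation): a Ruby function that turns the AdmissionReview kube-apiserver sends for a pod into the JSON Patch response that appends the Vault Agent sidecar and mounts the shared token volume into every existing container. The annotation names come from the table; the sidecar image and args, the `VAULT_K8S_AUTH_ROLE` variable, the `/var/run/vault` mount path and the `vault-token` volume name are assumptions.

```ruby
require 'json'
# Added example, not the project's own code. Annotation names are from the
# README table; sidecar image, args, env var name and mount path are assumed.
ROLE_ANNOTATION = 'vaultproject.io/vault_k8s_auth_role'
EXIT_ANNOTATION = 'vaultproject.io/vault_agent_exit_after_auth'
TOKEN_VOLUME = { 'name' => 'vault-token', 'emptyDir' => { 'medium' => 'Memory' } }
TOKEN_MOUNT = { 'name' => 'vault-token', 'mountPath' => '/var/run/vault', 'readOnly' => true }

# JSON Patch "add" on "/x/-" fails when array /x does not exist yet, so create
# the array when the pod lacks it and append to it otherwise.
def append_patch(path, existing, value)
  return { 'op' => 'add', 'path' => path, 'value' => [value] } if existing.nil?
  { 'op' => 'add', 'path' => "#{path}/-", 'value' => value }
end

# JSON Patch operations for one pod; [] when the role annotation is absent,
# which leaves the pod unmodified as the table above states.
def vault_agent_patches(pod)
  annotations = pod.dig('metadata', 'annotations') || {}
  role = annotations[ROLE_ANNOTATION].to_s
  return [] if role.empty?
  exit_after_auth = annotations[EXIT_ANNOTATION] == 'true' # the String "true", not a Boolean
  sidecar = {
    'name' => 'vault-agent', 'image' => 'vault:1.13.3', # assumed image
    'args' => ['agent', '-config=/etc/vault/agent.hcl', "-exit-after-auth=#{exit_after_auth}"],
    'env' => [{ 'name' => 'VAULT_K8S_AUTH_ROLE', 'value' => role }],
    'volumeMounts' => [TOKEN_MOUNT.merge('readOnly' => false)] # the agent writes the token
  }
  # Mount the token volume into the existing containers before appending the sidecar, so indices stay valid.
  containers = pod.dig('spec', 'containers') || []
  patches = containers.each_with_index.map do |c, i|
    append_patch("/spec/containers/#{i}/volumeMounts", c['volumeMounts'], TOKEN_MOUNT)
  end
  patches << append_patch('/spec/volumes', pod.dig('spec', 'volumes'), TOKEN_VOLUME)
  patches << { 'op' => 'add', 'path' => '/spec/containers/-', 'value' => sidecar }
end

# Wrap the patches in the AdmissionReview response; always allowed, with a base64 JSONPatch only when there is a change.
def admission_response(review)
  request = review.fetch('request')
  patches = vault_agent_patches(request.fetch('object'))
  response = { 'uid' => request.fetch('uid'), 'allowed' => true }
  unless patches.empty?
    response['patchType'] = 'JSONPatch'
    response['patch'] = [JSON.generate(patches)].pack('m0') # strict base64, no newlines
  end
  { 'apiVersion' => review.fetch('apiVersion', 'admission.k8s.io/v1'),
    'kind' => 'AdmissionReview', 'response' => response }
end
```

The patch ordering matters: the per-container mount operations use the original container indices, so the sidecar is appended last.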
A Helm chart is available in the helm/ directory. See the values.yaml there for the available configuration options. The basic deployment will look something like:

```sh
# Install the admission webhook chart
helm upgrade vault-mutating-webhook ./helm/ --install --recreate-pods \
  --set webhook.vault_addr=https://vault.example.com
```

- Create an issue
- Create a fork and branch for your change
- Make your change, including tests
- Create a merge request, ensure the pipeline passes
Unit tests are written with rspec and rack-test (see the Sinatra docs). They are meant to verify that the Sinatra app responds with appropriate JSON when it receives requests like those kube-apiserver would send it. Execute the tests with `bundle exec rspec`.
If you run into an rspec failure that dumps out abbreviated Sinatra response HTML, you can save the HTML to a file and view it in your browser. The rendered HTML will have info about the failure from Sinatra:

```ruby
it 'returns vault agent sidecar patches' do
  json = test_admission_review.to_json
  post('/vault-agent-sidecar', json, 'CONTENT_TYPE' => 'application/json')
  # Dump the raw response body so the Sinatra error page can be opened in a browser
  File.open('./resp_body.html', 'w') { |file| file.write(last_response.body) }
  # ...
end
```

Integration tests can be run with `helm test`. They are meant to verify that a deployed Pod has a valid Vault token mounted into its container(s). The test manifests are located in helm/templates/tests/.
```sh
# Initialize helm / tiller
kubectl create sa tiller -n kube-system
kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account=tiller

# Create and use a namespace for the mutating admission webhook
kubectl create ns vault-mutating-webhook
kubectl config set-context $(kubectl config current-context) --namespace=vault-mutating-webhook

# Install / upgrade the helm chart for testing
helm upgrade vault-mutating-webhook ./helm/ --install --recreate-pods \
  --set create_test_resources=true

# Test the helm chart installation
helm test vault-mutating-webhook --parallel --cleanup

# Clean up the extra test resources
kubectl delete ns vault-mutating-webhook-test
kubectl delete clusterrolebinding vault-auth-delegator
```

In the future, these integration tests should be executed in a pipeline using something like kind or microk8s.
The Docker image installs Phusion Passenger Standalone and the RubyGems dependencies, and runs the Sinatra app in Passenger.

```sh
# Docker build, run, and push
docker build -t atheiman/vault-mutating-webhook .
docker run --rm -p 3000:3000 atheiman/vault-mutating-webhook
docker push atheiman/vault-mutating-webhook
```