Automate the creation of unique Vault tokens for Kubernetes Pods using init containers.
The Vault Controller automates the creation of Vault tokens for Kubernetes Pods. This repo includes a set of hands-on tutorials and example programs you can use to try out the Vault Controller.
This is a prototype. Do not use this in production.
The following diagram demonstrates the flow Pods use to obtain a dedicated token when running in a Kubernetes cluster.
For each Pod carrying the `vaultproject.io/policies` annotation, a unique wrapped token is generated for that Pod.
More details can be found in the How it Works document.
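The unwrap step an init container performs once it has been handed its wrapped token, as an added example; this is not code from the vault-controller project. It uses Vault's `sys/wrapping/lookup` and `sys/wrapping/unwrap` HTTP endpoints, assumes the wrapping token was minted by a token-create request (so its creation path is `auth/token/create`), and includes a constructed in-process stand-in for those two endpoints so that it runs offline. Every token value below is made up.

```python
"""Unwrap a Vault response-wrapped token the way a Pod's init container would.

Added example, not vault-controller code. Assumes the controller minted the
wrapping token with a token-create request and that the Pod can reach Vault
over HTTP at `addr`.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# A wrapping token produced by `vault token create -wrap-ttl=...` reports this
# creation path on lookup. Anything else was not produced the way the
# controller produces tokens, so it is refused before it is unwrapped.
EXPECTED_CREATION_PATH = "auth/token/create"


class UnwrapError(Exception):
    """Wrapping token invalid, already consumed, or not minted as expected."""


def _post(addr, path, headers, body):
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise UnwrapError(f"{path}: HTTP {e.code}: {e.read().decode()}") from None


def unwrap_pod_token(addr, wrapping_token):
    """Return the Pod's client token from a single-use wrapping token.

    sys/wrapping/lookup is unauthenticated and does not consume the wrapping
    token, so creation_path can be checked before trusting it.
    sys/wrapping/unwrap consumes it; a second unwrap fails, which is what
    makes interception of the wrapped token detectable.
    """
    info = _post(addr, "sys/wrapping/lookup", {}, {"token": wrapping_token})
    path = info.get("data", {}).get("creation_path")
    if path != EXPECTED_CREATION_PATH:
        raise UnwrapError(f"unexpected creation_path {path!r}; refusing to unwrap")
    unwrapped = _post(addr, "sys/wrapping/unwrap", {"X-Vault-Token": wrapping_token}, {})
    return unwrapped["auth"]["client_token"]


# --- constructed offline stand-in for the two Vault endpoints used above ---
# Keys are wrapping token IDs; values are what Vault would reveal on lookup
# and return on unwrap. IDs and client tokens are made-up sample values.
MOCK_WRAPPED = {
    "wrap-for-pod-a-EXAMPLE": {
        "creation_path": "auth/token/create",
        "response": {"auth": {"client_token": "pod-a-client-token-EXAMPLE",
                              "policies": ["default", "example"]}},
    },
    # Wrapped with sys/wrapping/wrap by someone who could write to the Pod's
    # token delivery point: wraps a token the attacker already knows.
    "wrap-made-by-attacker-EXAMPLE": {
        "creation_path": "sys/wrapping/wrap",
        "response": {"auth": {"client_token": "planted-token-EXAMPLE"}},
    },
}


class _MockVault(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, obj):
        body = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(n) or b"{}")
        invalid = {"errors": ["wrapping token is not valid or does not exist"]}
        if self.path == "/v1/sys/wrapping/lookup":
            entry = MOCK_WRAPPED.get(body.get("token"))
            if entry is None:
                return self._send(400, invalid)
            return self._send(200, {"data": {"creation_path": entry["creation_path"]}})
        if self.path == "/v1/sys/wrapping/unwrap":
            entry = MOCK_WRAPPED.pop(self.headers.get("X-Vault-Token"), None)  # single use
            if entry is None:
                return self._send(400, invalid)
            return self._send(200, entry["response"])
        self._send(404, {"errors": ["unsupported path"]})


def start_mock_vault():
    """Start the stand-in on a free local port and return its address."""
    srv = HTTPServer(("127.0.0.1", 0), _MockVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    vault = start_mock_vault()
    print(unwrap_pod_token(vault, "wrap-for-pod-a-EXAMPLE"))
```

Two failure modes matter here. If the unwrap fails because the wrapping token was already consumed, something other than the Pod read it first, and the init container should fail the Pod rather than retry. If the creation path is not `auth/token/create`, the wrapping token was not minted by a token-create request, so it may wrap a token an attacker already holds; the lookup rejects it without consuming it, leaving it available as evidence.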
The following tutorials will guide you through the deployment of the `vault-controller` and an example application to see how it all works.
Clone this repository:
git clone https://github.com/kelseyhightower/vault-controller.git
cd vault-controller
Before you can complete the tutorials you'll need access to a Kubernetes cluster. Google Container Engine (GKE) or minikube should work.
Once you are done with the tutorials run the following command to clean up:
kubectl delete namespace vault-controller