- Make sure your kubectl is configured to connect to the correct target remote cluster
- An Akeyless account Admin may need to grant you permission to create Kubernetes Auth Configs
- The gateway with network access to the Kubernetes cluster MUST have TLS configured
- Installation of External Secrets Operator is out of scope for this example
To configure Access Permissions in your Gateway Configuration Manager, follow these steps:
- Navigate to the Access Permissions tab.
- Click New to create a new access permission item.
- Provide a meaningful Name for the item, such as "Kubernetes Auth Managers" or "Dynamic Secrets Admin".
- From the Auth Method drop-down menu, select the relevant Authentication Method and set the exact Sub-Claims identifying your users. Click Next to proceed.
- In the Permission Settings section, choose either Admin or Custom.
- If you select Custom, specify the permissions to grant to the selected Auth Method, for example managing Kubernetes Auth Managers or other specific operations. Select the desired permissions and click Finish.
The selected Auth Method can then initiate only the operations you selected.
Remember, only Gateway Admin users have the ability to access and manage the Access Permissions settings.
By configuring Access Permissions, you can control and limit the operations that different Auth Methods can perform within the Gateway, ensuring a secure and granular access control system.
The `k8s_auth.yaml` can be found below.
```bash
kubectl create -f k8s_auth.yaml
```
Extract the bearer token from the Kubernetes service account secret we just created. Since Kubernetes 1.24, token Secrets are no longer generated automatically for service accounts, so the manifest must create a Secret of type `kubernetes.io/service-account-token` explicitly. Do not substitute a token minted with `kubectl create token`: it expires, and the gateway would then be unable to perform TokenReviews.
```bash
kubectl get secret gateway-token-reviewer-token -n akeyless-auth -o jsonpath='{.data.token}' | base64 --decode
```
Display the Kubernetes cluster host endpoint and CA certificate (mac/linux). `--flatten` embeds a `certificate-authority` file reference as `certificate-authority-data`, so this also works for kubeconfigs that point at a CA file:
```bash
echo "Host: $(kubectl config view --flatten --minify --output=jsonpath='{.clusters[0].cluster.server}')"
echo "CA Certificate:"
kubectl config view --flatten --minify --output=jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode
```
Display the Kubernetes cluster host endpoint and CA certificate (Windows PowerShell). The two values are fetched with separate kubectl calls so that no double quotes have to be escaped inside the jsonpath expression, and the whole CA blob is base64-decoded at once rather than byte by byte:
```powershell
$server   = kubectl config view --flatten --minify --output=jsonpath='{.clusters[0].cluster.server}'
$caBase64 = kubectl config view --flatten --minify --output=jsonpath='{.clusters[0].cluster.certificate-authority-data}'
"Host: $server"
"CA Certificate:"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caBase64))
```
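Before pasting the extracted token into the gateway, check what you are about to hand over. The script below is an added example, not part of the original page or of Akeyless' tooling: it decodes the JWT payload locally (no signature verification, which is the API server's job via TokenReview) and confirms that the token's `sub` is the reviewer ServiceAccount in the expected namespace and that it carries no `exp` claim, i.e. it is a long-lived secret-backed token rather than a short-lived one from `kubectl create token`. The service account name `gateway-token-reviewer` and the two sample tokens are constructed for the example; nothing here is taken from a real cluster.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): sanity-check a Kubernetes
# service-account JWT before configuring it as the gateway's token reviewer.
# Only the claims are inspected; signature verification is left to the
# API server (TokenReview), which is what the gateway relies on at runtime.
set -eu

# base64url helpers. Encoding is only used to build the constructed sample
# tokens below; decoding restores the standard alphabet and the padding that
# JWT segments omit, then hands the result to base64.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 --decode
}

# Decoded JSON payload of a JWT (the second dot-separated segment).
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Value of a top-level string claim; prints nothing when the claim is absent.
jwt_claim() {
  jwt_payload "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n1 | cut -d'"' -f4
}

# True when the payload contains the named claim at all (string or number).
jwt_has_claim() { jwt_payload "$1" | grep -q "\"$2\":"; }

# Accept only a long-lived token whose subject is the expected ServiceAccount.
# Returns 0 on success, 1 with a reason on stderr otherwise.
check_reviewer_token() {
  local token=$1 ns=$2 sa=$3
  local want="system:serviceaccount:${ns}:${sa}" sub
  sub=$(jwt_claim "$token" sub)
  if [ "$sub" != "$want" ]; then
    echo "refusing token: subject '$sub' is not '$want'" >&2
    return 1
  fi
  if jwt_has_claim "$token" exp; then
    echo "refusing token: it has an exp claim, so it is a short-lived projected token, not a secret-backed one" >&2
    return 1
  fi
  echo "ok: long-lived token for $want"
}

# Constructed sample tokens (header and payload are real JSON, the signature
# segment is a placeholder). The service account name is an assumption.
HEADER='{"alg":"RS256","kid":"example-kid"}'
LONG_LIVED_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"akeyless-auth","kubernetes.io/serviceaccount/service-account.name":"gateway-token-reviewer","sub":"system:serviceaccount:akeyless-auth:gateway-token-reviewer"}'
SHORT_LIVED_PAYLOAD='{"iss":"https://kubernetes.default.svc","exp":1700003600,"sub":"system:serviceaccount:akeyless-auth:gateway-token-reviewer"}'
LONG_LIVED_TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$LONG_LIVED_PAYLOAD").placeholder-signature"
SHORT_LIVED_TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$SHORT_LIVED_PAYLOAD").placeholder-signature"

check_reviewer_token "$LONG_LIVED_TOKEN" akeyless-auth gateway-token-reviewer
check_reviewer_token "$SHORT_LIVED_TOKEN" akeyless-auth gateway-token-reviewer || echo "short-lived token rejected as expected"
```

Against the real cluster, feed the check the token extracted above: `check_reviewer_token "$(kubectl get secret gateway-token-reviewer-token -n akeyless-auth -o jsonpath='{.data.token}' | base64 --decode)" akeyless-auth gateway-token-reviewer`. A rejected token means either the secret belongs to a different ServiceAccount than the one the gateway is meant to use, or it is a bound token that will stop working when it expires.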
Navigate to console.akeyless.io/auth-methods and create a new Kubernetes Auth Method, associating it with the gateway that has network access to the target Kubernetes cluster's host endpoint. The Auth Method and its K8s Auth Config are created together in this step.
Navigate to the K8s Auth Config screen of the gateway we just added the config to and note the FULL name of the K8s Auth Config (for example https://gw-config.example.com/kubernetes).
Applying `k8s-secrets.yaml` creates the "k8s" namespace and the service account "cg-akl-azure-k8s-sa"; the next two manifests create the ESO SecretStore and ExternalSecret.
```bash
kubectl apply -f k8s-secrets.yaml
kubectl apply -f eso-secret-store.yaml
kubectl apply -f eso-external-secret.yaml
```
The ExternalSecret now reports an error stating that the access ID of the Kubernetes Auth Method is not authorized to access the secret. This is expected: a newly created Auth Method has no permissions until it is associated with a role.
We need to create an Access Role, associate the Kubernetes Auth Method with it, and add an item rule granting only Read and List capabilities on the target secret.
```bash
helm repo add akeyless https://akeylesslabs.github.io/helm-charts
helm repo update
helm install aks akeyless/akeyless-secrets-injection --namespace akeyless -f k8s-secrets-injector-values.yaml
```
Allow-list the k8s namespace for the akeyless-secrets-injection chart by adding a name label to the namespace:
```bash
kubectl label namespace k8s name=akeyless-enable
```