AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
KubeVault
github-icon twitterx-icon
TRY NOW FREE
  • Welcome
  • Concepts
  • Setup
  • Guides
  • Vault Operator
    KubeVault CLI
    Vault Unsealer
You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

New to KubeVault? Please start here.

VaultPolicy

What is VaultPolicy

A VaultPolicy is a Kubernetes CustomResourceDefinition (CRD) which represents Vault server policies in a Kubernetes native way.

When a VaultPolicy is created, the KubeVault operator will create a policy in the associated Vault server according to specification. If the VaultPolicy CRD is deleted, the respective policy will also be deleted from the Vault server.

Vault Policy CRD

VaultPolicy CRD Specification

Like any official Kubernetes resource, a VaultPolicy object has TypeMeta, ObjectMeta, Spec and Status sections.

A sample VaultPolicy object is shown below:

apiVersion: policy.kubevault.com/v1alpha1
kind: VaultPolicy
metadata:
  name: secret-admin
  namespace: default
spec:
  vaultRef:
    name: vault
  policyDocument: |
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }    
status:
  observedGeneration: 1
  phase: Success

Here, we are going to describe the various sections of the VaultPolicy crd.

VaultPolicy Spec

VaultPolicy spec contains policy and vault information necessary to create a Vault policy. VaultPolicy CRD has the following fields in the .spec section.

spec.vaultRef

spec.vaultRef is a required field that specifies the name of an AppBinding reference which is used to connect with a Vault server. AppBinding must be on the same namespace with VaultPolicy object.

spec:
  vaultRef:
    name: vault-app

spec.vaultPolicyName

To resolve the naming conflict, KubeVault operator will generate policy names in Vault server in this format: k8s.{clusterName}.{metadata.namespace}.{metadata.name}. spec.vaultPolicyName is an optional field. If set, it will overwrite the generated policy name in Vault server.

spec:
  vaultPolicyName: my-custom-policy

spec.policyDocument

spec.policyDocument is an optional field that specifies the vault policy in hcl format. Both spec.policyDocument and spec.policy cannot be empty at once.

spec:
  policyDocument: |
      path "secret/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
      }
      path "abc/*" {
        capabilities = ["read"]
      }

spec.policy

Vault uses HCL as its configuration language. HCL is also fully JSON compatible. That is, JSON can be used as a completely valid input to a system expecting HCL. This helps to make systems interoperable with other systems.

spec.policy is an optional field that accepts the vault policy in YAML format. This can be more convenient since Kubernetes uses YAML as its native configuration language.

spec:
  policy:
    path:
      secret/*:
        capabilities:
        - create
        - read
        - update
        - delete
        - list
      abc/*:
        capabilities:
        - read

VaultPolicy Status

VaultPolicy status shows the status of a Vault Policy. It is managed by the KubeVault operator. It contains the following fields:

  • observedGeneration: Specifies the most recent generation observed for this resource. It corresponds to the resource’s generation, which is updated on mutation by the API Server.

  • phase: Indicates whether the policy successfully applied to Vault or failed.

  • conditions : Represents the latest available observations of a VaultPolicy’s current state.

What's on this Page

Search
Improve This Page