Skip to content

Commit

Permalink
backport of commit b3d333b (hashicorp#19885)
Browse files Browse the repository at this point in the history
Co-authored-by: Mark Lewis <56076038+ml4@users.noreply.github.com>
  • Loading branch information
hc-github-team-secure-vault-core and ml4 authored Mar 31, 2023
1 parent e842f39 commit 8295328
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions website/content/docs/secrets/kubernetes.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ management tool.

It's necessary to ensure that the service account Vault uses will have permissions to manage
service account tokens, and optionally manage service accounts, roles, and role bindings. These
permissions can be managed using a Kuberentes role or cluster role. The role is attached to the
permissions can be managed using a Kubernetes role or cluster role. The role is attached to the
Vault service account with a role binding or cluster role binding.

For example, a minimal cluster role to create service account tokens is:
Expand Down Expand Up @@ -321,7 +321,7 @@ $ vault write kubernetes/roles/auto-managed-sa-role \

~> **Note**: Vault's service account will also need access to the resources it is granting
access to. This can be done for the examples above with `kubectl -n test create rolebinding --role test-role-list-pods --serviceaccount=vault:vault vault-test-role-abilities`.
This is how Kuberentes prevents privilege escalation.
This is how Kubernetes prevents privilege escalation.
You can read more in the
[Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping).

Expand Down

0 comments on commit 8295328

Please sign in to comment.