
Vault Kubernetes Authentication


I have my own hosted Kubernetes cluster where I store my secrets in Vault. To give my microservices access to the secrets managed by Vault, I want to authenticate my microservices via their service accounts. The problem I'm facing is that Vault rejects the service accounts (JWTs) with the following error:

apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority

The service accounts are signed with Kubernetes' own CA. I did not replace this with Vault's PKI solution. Is it possible to configure Vault to trust my Kubernetes CA certificate and therefore the JWTs?


Solution

  • This kind of error can be caused by a recent change to Service Account Issuer Discovery in Kubernetes 1.21.

    In order to mitigate this issue, there are a couple of options that you can choose from based on your expectations:

    1. Manually create a service account, secret and mount it in the pod as mentioned on this GitHub post.
    2. Disable issuer validation as mentioned on another GitHub post.
    3. Downgrade the cluster to version 1.20.

    There are also a couple of external blog articles about this on banzaicloud.com and particule.io.
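
Added example (not part of the original answer, and not Vault's or Kubernetes' own code): a small diagnostic that decodes a service account JWT without verifying it and reports whether its issuer is the one Vault would check, which helps decide between options 1 and 2 above. The default issuer constant, the helper names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time

# Assumption: issuer Vault expects when none is configured on the auth mount.
LEGACY_ISSUER = "kubernetes/serviceaccount"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token, vault_issuer=LEGACY_ISSUER, now=None):
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "issuer": claims.get("iss"),
        # Projected (bound) tokens nest their identity under a "kubernetes.io" claim.
        "kind": "projected" if "kubernetes.io" in claims else "legacy",
        "issuer_matches_vault": claims.get("iss") == vault_issuer,
        "expired": exp is not None and exp <= now,
    }


def make_sample(claims):
    """Build a constructed, unsigned token for the demo; never valid on a cluster."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


# Constructed samples: a legacy secret-based token and a projected one.
LEGACY = make_sample({"iss": "kubernetes/serviceaccount",
                      "kubernetes.io/serviceaccount/namespace": "default"})
PROJECTED = make_sample({"iss": "https://kubernetes.default.svc.cluster.local",
                         "exp": 1700000000,
                         "kubernetes.io": {"namespace": "default"}})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY), ("projected", PROJECTED)):
        print(name, diagnose(tok))
```

To check a real workload, pass the contents of the token file mounted in the pod to `diagnose()`; a "projected" token whose issuer does not match is the case the issuer-validation option addresses.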