The mutating webhook honors the following annotations on PodSpecs, Secrets, ConfigMaps, and CRDs.

| Annotation | Default | Explanation |
|---|---|---|
| `vault.security.banzaicloud.io/vault-addr` | `"https://vault:8200"` | Same as `VAULT_ADDR` |
| `vault.security.banzaicloud.io/vault-image` | `"vault:latest"` | Vault agent image. Pin a specific tag in production instead of relying on the mutable `latest` tag. |
| `vault.security.banzaicloud.io/vault-image-pull-policy` | `IfNotPresent` | Pull policy for the Vault agent container |
| `vault.security.banzaicloud.io/vault-role` | `""` | The Vault role for the Vault agent to use. For Pods it defaults to the name of the Pod's ServiceAccount when not specified. |
| `vault.security.banzaicloud.io/vault-path` | `"kubernetes"` | The mount path of the auth method |
| `vault.security.banzaicloud.io/vault-skip-verify` | `"false"` | Same as `VAULT_SKIP_VERIFY`. Setting it to `"true"` disables TLS certificate verification of the Vault server; outside development, supply the CA via `vault-tls-secret` instead. |
| `vault.security.banzaicloud.io/vault-tls-secret` | `""` | Name of the Kubernetes Secret holding the CA certificate for Vault |
| `vault.security.banzaicloud.io/vault-ignore-missing-secrets` | `"false"` | When enabled, only log warnings when Vault secrets are missing instead of failing |
| `vault.security.banzaicloud.io/vault-env-passthrough` | `""` | Comma-separated list of `VAULT_*` environment variables to pass through vault-env to the main process, e.g. `VAULT_ADDR,VAULT_ROLE` |
| `vault.security.banzaicloud.io/vault-env-daemon` | `"false"` | Run vault-env as a daemon instead of replacing itself with the main process. For details, see /docs/bank-vaults/mutating-webhook/deploy/#daemon-mode. |
| `vault.security.banzaicloud.io/vault-env-image` | `"banzaicloud/vault-env:latest"` | vault-env image. Pin a specific tag in production instead of relying on the mutable `latest` tag. |
| `vault.security.banzaicloud.io/vault-env-image-pull-policy` | `IfNotPresent` | Pull policy for the vault-env container |
| `vault.security.banzaicloud.io/mutate-configmap` | `"false"` | Mutate the annotated ConfigMap as well (only Secrets and Pods are mutated by default) |
| `vault.security.banzaicloud.io/enable-json-log` | `"false"` | Log in JSON format in vault-env |
| `vault.security.banzaicloud.io/mutate` | `""` | Controls mutation of the given resource. The only recognized value is `"skip"`, which prevents the mutation. |
| `vault.security.banzaicloud.io/vault-env-from-path` | `""` | Comma-delimited list of Vault paths from which all secrets are pulled in as environment variables |
| `vault.security.banzaicloud.io/token-auth-mount` | `""` | `{volume:file}` to be injected as `.vault-token` |
| `vault.security.banzaicloud.io/vault-auth-method` | `"kubernetes"` | The Vault authentication method to use, one of `"kubernetes"`, `"aws-ec2"`, `"gcp-gce"`, `"jwt"` |
| `vault.security.banzaicloud.io/vault-serviceaccount` | `""` | The ServiceAccount in the object's namespace to use, useful for non-Pod resources |
| `vault.security.banzaicloud.io/vault-namespace` | `""` | The Vault namespace secrets will be pulled from. This annotation sets the `VAULT_NAMESPACE` environment variable. More information on namespaces within Vault can be found in the Vault documentation. |
| `vault.security.banzaicloud.io/run-as-non-root` | `"false"` | When enabled, adds `runAsNonRoot: true` to the `securityContext` of all injected containers |
| `vault.security.banzaicloud.io/run-as-user` | `"0"` | Set the UID (`runAsUser`) for all injected containers. The default value of `"0"` means that no modifications are made to the `securityContext` of injected containers. |
| `vault.security.banzaicloud.io/run-as-group` | `"0"` | Set the GID (`runAsGroup`) for all injected containers. The default value of `"0"` means that no modifications are made to the `securityContext` of injected containers. |
| `vault.security.banzaicloud.io/readonly-root-fs` | `"false"` | When enabled, adds `readOnlyRootFilesystem: true` to the `securityContext` of all injected containers |
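The following is an added example, not code from the Bank-Vaults project: it resolves the effective `vault.security.banzaicloud.io/*` settings of a Pod by applying the defaults from the table above (including the Pod-specific fallback of `vault-role` to the ServiceAccount name), then flags the settings a reviewer would push back on: TLS verification disabled, unpinned `latest` images combined with `IfNotPresent`, and no non-root or read-only-root-filesystem enforcement on the injected containers. The two Pod manifests (`WEAK_POD`, `HARDENED_POD`), the `audit` and `effective_settings` helper names, and the pinned image references are all constructed for this example.

```python
"""Audit Bank-Vaults webhook annotations on a Pod against the table's defaults.
Added example; the manifests below are constructed, not taken from the page."""

PREFIX = "vault.security.banzaicloud.io/"

# Defaults exactly as listed in the annotation table (annotation values are strings).
DEFAULTS = {
    "vault-addr": "https://vault:8200", "vault-image": "vault:latest",
    "vault-image-pull-policy": "IfNotPresent", "vault-role": "",
    "vault-path": "kubernetes", "vault-skip-verify": "false", "vault-tls-secret": "",
    "vault-ignore-missing-secrets": "false", "vault-env-passthrough": "",
    "vault-env-daemon": "false", "vault-env-image": "banzaicloud/vault-env:latest",
    "vault-env-image-pull-policy": "IfNotPresent", "mutate-configmap": "false",
    "enable-json-log": "false", "mutate": "", "vault-env-from-path": "",
    "token-auth-mount": "", "vault-auth-method": "kubernetes",
    "vault-serviceaccount": "", "vault-namespace": "", "run-as-non-root": "false",
    "run-as-user": "0", "run-as-group": "0", "readonly-root-fs": "false",
}


def effective_settings(pod: dict) -> dict:
    """Overlay the Pod's annotations on the defaults. For Pods an empty
    vault-role falls back to the Pod's ServiceAccount name (table semantics)."""
    settings = dict(DEFAULTS)
    for key, value in pod.get("metadata", {}).get("annotations", {}).items():
        if key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value
    if settings["vault-role"] == "":
        settings["vault-role"] = pod.get("spec", {}).get("serviceAccountName", "default")
    return settings


def _unpinned(image: str) -> bool:
    """True when the image has no tag or uses the mutable 'latest' tag (no digest)."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # strip registry/repo so a ':port' is not read as a tag
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")


def audit(pod: dict) -> list:
    """Return (setting, message) findings for risky effective settings."""
    s = effective_settings(pod)
    findings = []
    if s["mutate"] == "skip":
        return findings  # the webhook does not touch this object at all
    if s["vault-skip-verify"].lower() == "true":
        findings.append(("vault-skip-verify", "TLS verification of the Vault server is disabled; "
                         "use vault-tls-secret to supply the CA instead"))
    for img_key, policy_key in (("vault-image", "vault-image-pull-policy"),
                                ("vault-env-image", "vault-env-image-pull-policy")):
        if _unpinned(s[img_key]):
            findings.append((img_key, f"{s[img_key]} is not pinned to a tag or digest"
                             + (f"; with {policy_key}={s[policy_key]} a stale cached copy is used"
                                if s[policy_key] == "IfNotPresent" else "")))
    if s["run-as-non-root"].lower() != "true" and s["run-as-user"] == "0":
        findings.append(("run-as-non-root", "injected containers may run as root "
                         "(run-as-non-root is false and run-as-user is unset)"))
    if s["readonly-root-fs"].lower() != "true":
        findings.append(("readonly-root-fs", "injected containers get a writable root filesystem"))
    if s["vault-ignore-missing-secrets"].lower() == "true":
        findings.append(("vault-ignore-missing-secrets", "missing secrets only warn; "
                         "a misconfigured path will start the workload without its secret"))
    return findings


# Constructed manifests (dict form of Pod YAML). Image references are placeholders.
WEAK_POD = {
    "metadata": {"name": "app", "annotations": {
        PREFIX + "vault-addr": "https://vault:8200",
        PREFIX + "vault-skip-verify": "true"}},
    "spec": {"serviceAccountName": "app"},
}
HARDENED_POD = {
    "metadata": {"name": "app", "annotations": {
        PREFIX + "vault-addr": "https://vault.vault.svc:8200",
        PREFIX + "vault-tls-secret": "vault-ca",
        PREFIX + "vault-role": "app",
        PREFIX + "vault-image": "hashicorp/vault:1.15.2",            # assumed pinned tag
        PREFIX + "vault-env-image": "ghcr.io/bank-vaults/vault-env:v1.21.0",  # assumed pinned tag
        PREFIX + "run-as-non-root": "true",
        PREFIX + "run-as-user": "1000", PREFIX + "run-as-group": "1000",
        PREFIX + "readonly-root-fs": "true"}},
    "spec": {"serviceAccountName": "app"},
}

if __name__ == "__main__":
    for name, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{name}: role={effective_settings(pod)['vault-role']}")
        for setting, msg in audit(pod):
            print(f"  [{setting}] {msg}")
```

Run it against a real manifest by loading the Pod YAML into a dict (for example with PyYAML) and passing it to `audit`; because the check works on effective values after defaults, a Pod with no annotations at all still reports the `latest` images and the missing non-root and read-only settings, which is exactly what a cluster that never overrode the defaults is running.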