We are pleased to announce the release of HashiCorp Vault 0.8.3. Vault provides security teams and infrastructure operators with secrets management solutions, encryption as a service, and privileged access enforcement. The highlight of the latest release is a Kubernetes authentication backend. For Vault Enterprise, we are also releasing an integration with Sentinel, HashiCorp's policy as code framework announced at HashiConf.
Features introduced in this release include:
- Kubernetes Auth Backend
- Sentinel policy as code integration
The release also includes additional enhancements to MFA and PKI, as well as bug fixes.
» Kubernetes Auth Backend
Vault 0.8.3 introduces a native Kubernetes auth backend that allows Kubernetes pods to receive and use Vault auth tokens directly, without additional integration components.
Prior to 0.8.3, a user accessing Vault from a pod required significant preparation work using an init pod or another custom integration. With the Kubernetes auth backend, Vault now provides a production-ready interface for Kubernetes that allows a pod to authenticate with Vault using the JWT issued for the pod's service account.
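To make the login flow concrete, here is an added example that is not part of the HashiCorp post and not Vault's own code: a Python mock of both sides of the exchange. The pod side reads the service-account JWT from the path Kubernetes mounts it at and sends it together with a role name (the body a real pod would POST to `/v1/auth/kubernetes/login`); the Vault side is a hypothetical `MockKubernetesAuthBackend` whose role fields use the real endpoint's names (`bound_service_account_names`, `bound_service_account_namespaces`, `policies`, `ttl`) but whose token check is deliberately simplified: the real backend verifies the JWT through the Kubernetes TokenReview API, while this mock only decodes the claims and checks no signature. The JWTs, the temp-file token paths and the minted client tokens are all constructed for the example.

```python
import base64
import json
import os
import secrets
import tempfile

# Real default location of the service-account JWT inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_service_account_jwt(namespace: str, name: str) -> str:
    """Constructed sample of the claims the API server places in a service-account
    JWT. The signature is a placeholder; a real token is signed by the cluster."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    return f"{_b64url(header)}.{_b64url(claims)}.placeholder-signature"


def _bound(value: str, allowed: list) -> bool:
    # The real role endpoint accepts "*" to mean "any service account / namespace".
    return "*" in allowed or value in allowed


class MockKubernetesAuthBackend:
    """Hypothetical stand-in for the auth/kubernetes mount (not Vault's code)."""

    def __init__(self):
        self.roles = {}

    def write_role(self, name, bound_service_account_names,
                   bound_service_account_namespaces, policies, ttl):
        # Same parameter names as the real auth/kubernetes/role/<name> endpoint.
        self.roles[name] = {
            "bound_service_account_names": list(bound_service_account_names),
            "bound_service_account_namespaces": list(bound_service_account_namespaces),
            "policies": list(policies),
            "ttl": ttl,
        }

    @staticmethod
    def _review_token(jwt: str):
        # The real backend hands the JWT to the Kubernetes TokenReview API, which
        # checks the signature and reports the service account behind it. This mock
        # only decodes the claims and performs NO signature check; it exists to show
        # what identity information the binding decision is made on.
        payload = jwt.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return (claims["kubernetes.io/serviceaccount/namespace"],
                claims["kubernetes.io/serviceaccount/service-account.name"])

    def login(self, role: str, jwt: str) -> dict:
        """Mirror of POST auth/kubernetes/login: bind the pod's identity to a role."""
        cfg = self.roles.get(role)
        if cfg is None:
            return {"errors": [f'invalid role name "{role}"']}
        try:
            namespace, sa_name = self._review_token(jwt)
        except (IndexError, KeyError, ValueError):
            return {"errors": ["not a service account token"]}
        if not (_bound(sa_name, cfg["bound_service_account_names"])
                and _bound(namespace, cfg["bound_service_account_namespaces"])):
            return {"errors": ["service account name not authorized"]}
        return {"auth": {
            "client_token": secrets.token_hex(16),  # constructed; Vault mints its own
            "policies": cfg["policies"],
            "lease_duration": cfg["ttl"],
            "metadata": {"service_account_name": sa_name,
                         "service_account_namespace": namespace, "role": role},
        }}


def pod_login(backend, role: str, token_path: str = SA_TOKEN_PATH) -> dict:
    """Pod side: read the mounted JWT and send it with the role name."""
    with open(token_path) as f:
        jwt = f.read().strip()
    body = {"role": role, "jwt": jwt}  # JSON body of /v1/auth/kubernetes/login
    return backend.login(**body)


def demo() -> dict:
    """Role bound to app-sa in prod; try three constructed pod identities."""
    backend = MockKubernetesAuthBackend()
    backend.write_role("app", bound_service_account_names=["app-sa"],
                       bound_service_account_namespaces=["prod"],
                       policies=["app-reader"], ttl=3600)
    results = {}
    for ns, sa in (("prod", "app-sa"), ("dev", "app-sa"), ("prod", "default")):
        with tempfile.NamedTemporaryFile("w", suffix=".token", delete=False) as f:
            f.write(make_service_account_jwt(ns, sa))
            path = f.name
        results[f"{ns}/{sa}"] = pod_login(backend, "app", path)
        os.unlink(path)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the mock makes is that the role binding, not the JWT alone, decides which policies a pod receives: the same service-account name in another namespace, or another account in the bound namespace, is refused. When operating the real backend, keep both bound lists as narrow as the workload allows (a `*` in `bound_service_account_names` grants every account in the bound namespaces), and remember that only the API server's TokenReview verdict, never a local decode of the claims, establishes that the token is genuine.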
View the documentation for more information on the Kubernetes auth backend.
For more information on the collaboration between Google and HashiCorp Vault, check out “Secret and infrastructure management made easy with HashiCorp and Google Cloud” and “Authenticating to Hashicorp Vault using GCE Signed Metadata” published by Google.
» Multi-factor Authentication Improvements
We have expanded MFA capabilities within Vault: identity metadata is now available in the username format, and Okta MFA providers may now configure a custom base_url for API calls.
» PKI Improvements
We have also expanded Vault's PKI capabilities: Sign Intermediate now allows specifying a TTL longer than the signing CA certificate's NotAfter value, allowing more flexible policy management for Vault-distributed certificates.
» Sentinel Policy Integration (Beta Functionality)
Note: This is a Vault Enterprise Premium feature.
We recently announced a new policy as code framework, Sentinel, to enable fine-grained, logic-based policy decisions that can be extended to source external information. This is an important part of creating and enforcing security constraints for infrastructure automation across a company. This release integrates Sentinel policies with Vault’s secret infrastructure in order to provide more control and depth to Vault's security model and policy system, while enforcing security and best practices requirements.
Sentinel policies are enforced in two key areas:
- Role-Governing Policies: Role-governing policies enforce Sentinel directives on all tokens created by Vault.
- Endpoint-Governing Policies (EGPs): Endpoint-governing policies enforce Sentinel policies on specific endpoints and secret paths. This is designed to allow Sentinel to enforce secret-specific or workflow-specific (as in the case of secret backends) policies on a specific set or type of secrets within Vault. They have access to as much request information as possible and can take effect even on unauthenticated paths, such as login paths.
For more information on Sentinel, see the Sentinel documentation.
For a full list of changes, check out the Vault 0.8.3 changelog.
» Upgrade Notes
As always, please test in an isolated environment before upgrading and follow Vault's Upgrade Guide.
For more information on changes, see the full Vault 0.8.3 changelog.
Thank you again to the Vault community for their ideas, bug reports, and pull requests!