We are pleased to announce the release of HashiCorp Vault 0.8.3. Vault provides security teams and infrastructure operators with secrets management solutions, encryption as a service, and privileged access enforcement. The highlight of the latest release is a Kubernetes authentication backend. For Vault Enterprise, we are also releasing an integration with Sentinel, HashiCorp's policy as code framework announced at HashiConf.
Features introduced in this release include:
Kubernetes Auth Backend
Sentinel policy as code integration
The release also includes additional enhancements to MFA and PKI, as well as bug fixes.
Kubernetes Auth Backend
Vault 0.8.3 introduces a native Kubernetes auth backend that allows Kubernetes pods to directly receive and use Vault auth tokens without additional integration components.
Prior to 0.8.3, a user accessing Vault from a pod required significant preparation work using an init pod or other custom interface. With the release of the Kubernetes auth backend, Vault now provides a production-ready interface for Kubernetes that allows a pod to authenticate with Vault using the JWT issued to the pod’s service account.
View the documentation for more information on the Kubernetes auth backend.
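The pod-side half of the flow described above, as an added example that is not Vault's own code or part of the original post: the pod reads the JWT that Kubernetes mounts for its service account, sends it with a role name to the auth/kubernetes/login endpoint, and keeps the client token and lease data from the reply. Vault itself checks the JWT against the Kubernetes TokenReview API using the operator-side configuration, so the pod never holds a Vault credential of its own. The Vault address, role name, service-account names and the sample response are constructed placeholders; the transport and token reader are injectable so the flow can be exercised offline.

```python
"""Added example for the Kubernetes auth backend (not Vault's own code).

A pod reads its service-account JWT, presents it to Vault's
auth/kubernetes/login endpoint together with a role name, and receives a
Vault token. Vault validates the JWT through the Kubernetes TokenReview API
(configured by the operator under auth/kubernetes/config), so the pod never
needs a Vault credential of its own. The Vault address and role name used
below are placeholders.
"""
import json
import urllib.error
import urllib.request

# Standard mount point of the pod's service-account token inside a container.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def build_login_request(role, jwt):
    """Request body for POST /v1/auth/kubernetes/login."""
    return {"role": role, "jwt": jwt}


def parse_login_response(body):
    """Pull the fields a pod needs out of Vault's auth response; raise on errors."""
    if "errors" in body and not body.get("auth"):
        raise ValueError("vault rejected login: %s" % ", ".join(body["errors"]))
    auth = body.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response carries no client_token")
    meta = auth.get("metadata") or {}
    return {
        "token": token,
        "ttl": auth.get("lease_duration"),
        "renewable": auth.get("renewable", False),
        "policies": auth.get("policies", []),
        # Identity Vault derived from the JWT via TokenReview; worth logging.
        "service_account": meta.get("service_account_name"),
        "namespace": meta.get("service_account_namespace"),
    }


def http_post_json(url, payload):
    """Default transport: POST JSON to Vault and decode the JSON reply.
    Vault answers 4xx with a JSON 'errors' list, so that body is returned
    to the caller instead of being lost inside the HTTPError."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.loads(e.read().decode() or "{}")


def read_service_account_token(path=SA_TOKEN_PATH):
    """Read the JWT Kubernetes mounted for the pod's service account."""
    with open(path) as f:
        return f.read().strip()


def kubernetes_login(vault_addr, role, token_reader=read_service_account_token,
                     post=http_post_json):
    """Full pod-side flow: read the JWT, log in, return the parsed Vault token."""
    url = vault_addr.rstrip("/") + "/v1/auth/kubernetes/login"
    body = post(url, build_login_request(role, token_reader()))
    return parse_login_response(body)


# Constructed sample of a successful response (the shape follows Vault's auth
# response; every value is made up).
SAMPLE_RESPONSE = {
    "auth": {
        "client_token": "example-client-token",
        "policies": ["default", "webapp"],
        "lease_duration": 3600,
        "renewable": True,
        "metadata": {
            "role": "webapp",
            "service_account_name": "webapp-sa",
            "service_account_namespace": "prod",
        },
    }
}


def demo():
    """Run the flow offline against the constructed response."""
    calls = []

    def fake_post(url, payload):
        calls.append((url, payload))
        return SAMPLE_RESPONSE

    result = kubernetes_login("https://vault.example.internal:8200", "webapp",
                              token_reader=lambda: "header.payload.signature",
                              post=fake_post)
    return result, calls


if __name__ == "__main__":
    result, calls = demo()
    print(calls[0][0])
    print(json.dumps(result, indent=2))
```

In a real pod the defaults are used: `kubernetes_login("https://<vault-addr>", "<role>")` reads the mounted token and posts to Vault over HTTPS. The role named in the request is what ties the login to a bound service account and namespace on the Vault side, so a pod that presents a JWT for a service account the role does not allow is refused there, and the `errors` list Vault returns surfaces as a `ValueError`.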
For more information on the collaboration between Google and HashiCorp Vault, check out “Secret and infrastructure management made easy with HashiCorp and Google Cloud” and “Authenticating to Hashicorp Vault using GCE Signed Metadata” published by Google.
Multi-factor Authentication Improvements
We have expanded MFA capabilities within Vault, with identity metadata now available in the username format. Additionally, Okta MFA providers may now configure custom base_url variables for API calls.
We have also expanded Vault PKI capabilities: Sign Intermediate will now allow specifying a TTL value longer than the signing CA certificate's NotAfter value, allowing for flexible policy management for Vault-distributed certificates.
Sentinel Policy Integration (Beta Functionality)
Note: This is a Vault Enterprise Premium feature.
We recently announced a new policy as code framework, Sentinel, to enable fine-grained, logic-based policy decisions that can be extended to source external information. This is an important part of creating and enforcing security constraints for infrastructure automation across a company. This release integrates Sentinel policies with Vault’s secret infrastructure in order to provide more control and depth to Vault's security model and policy system, while enforcing security and best practices requirements.