We are pleased to announce the release of HashiCorp Vault 0.8.3. Vault provides security teams and infrastructure operators with secrets management solutions, encryption as a service, and privileged access enforcement. The highlight of the latest release is a Kubernetes authentication backend. For Vault Enterprise, we are also releasing an integration with Sentinel, HashiCorp's policy as code framework announced at HashiConf.
Features introduced in this release include:
The release also includes additional enhancements to MFA and PKI, as well as bug fixes.
Vault 0.8.3 introduces a native Kubernetes auth backend that allows Kubernetes pods to directly receive and use Vault auth tokens without additional integration components.
Prior to 0.8.3, a user accessing Vault via a pod required significant preparation work using an init pod or other custom interface. With the release of the Kubernetes auth backend, Vault now provides a production-ready interface for Kubernetes that allows a pod to authenticate with Vault using the JWT issued for the pod's service account.
View the documentation for more information on the Kubernetes auth backend.
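The pod-side half of that flow, as an added example rather than code from the Vault project: a pod reads its service-account JWT and posts it, together with a role name, to the backend's login endpoint. The helper also decodes the two claims a role binds on (the legacy `kubernetes.io/serviceaccount/...` claims) so the effect of `bound_service_account_names` and `bound_service_account_namespaces` can be seen offline; the `payments`/`ledger` values and the role name `demo` are constructed, and Vault performs the real verification server-side against the Kubernetes TokenReview API.

```python
"""Pod-side login to Vault's Kubernetes auth backend (added illustration)."""
import base64
import json
import os
import urllib.request

# Default mount of the backend is auth/kubernetes; token path is the standard
# service-account mount inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def jwt_claims(token: str) -> dict:
    """Decode (without verifying) the payload of a service-account JWT.
    Vault verifies the token itself via the TokenReview API; this decode only
    exposes the claims that a role's bound_* parameters are matched against."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def role_permits(claims: dict, bound_names, bound_namespaces) -> bool:
    """Mirror the documented role check: name and namespace must both be
    bound, with "*" accepting any value (documented wildcard)."""
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    return (("*" in bound_names or name in bound_names)
            and ("*" in bound_namespaces or ns in bound_namespaces))

def login_payload(role: str, token: str) -> dict:
    """Request body for POST $VAULT_ADDR/v1/auth/kubernetes/login."""
    return {"role": role, "jwt": token}

def vault_login(role: str, token_path: str = SA_TOKEN_PATH) -> str:
    """Exchange the pod's service-account JWT for a Vault client token."""
    with open(token_path) as f:
        token = f.read().strip()
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    req = urllib.request.Request(
        f"{addr}/v1/auth/kubernetes/login",
        data=json.dumps(login_payload(role, token)).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]

# Constructed, unsigned token for offline inspection (not a real credential).
def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([_b64({"alg": "none"}), _b64({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "payments",
    "kubernetes.io/serviceaccount/service-account.name": "ledger"}), ""])

if __name__ == "__main__":
    print(role_permits(jwt_claims(SAMPLE_JWT), ["ledger"], ["payments"]))  # True
```

Inside a real pod, `vault_login("demo")` is all that is needed once an operator has configured the backend and created the `demo` role bound to that service account and namespace.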
For more information on the collaboration between Google and HashiCorp Vault, check out “Secret and infrastructure management made easy with HashiCorp and Google Cloud” and “Authenticating to Hashicorp Vault using GCE Signed Metadata” published by Google.
We have expanded MFA capabilities within Vault, with identity metadata now available in the username format. Additionally, Okta MFA providers may now configure custom base_url variables for API calls.
We have also expanded Vault PKI capabilities; Sign Intermediate will now allow specifying a TTL value longer than the signing CA certificate's NotAfter value, allowing for flexible policy management for Vault-distributed certificates.
Note: This is a Vault Enterprise Premium feature.
We recently announced a new policy as code framework, Sentinel, to enable fine-grained, logic-based policy decisions that can be extended to source external information. This is an important part of creating and enforcing security constraints for infrastructure automation across a company. This release integrates Sentinel policies with Vault’s secret infrastructure in order to provide more control and depth to Vault's security model and policy system, while enforcing security and best practices requirements.
Sentinel policies are enforced in two key areas:
Role-Governing Policies: Role-governing policies enforce Sentinel directives on all tokens created by Vault.
Endpoint-Governing Policies (EGPs): Endpoint-governing policies enforce Sentinel policies on specific endpoints and secret paths. This allows Sentinel to enforce secret-specific or workflow-specific (as in the case of secret backends) policies on a specific set or type of secrets within Vault. EGPs have access to as much request information as possible and can take effect even on unauthenticated paths, such as login paths.
For more information on Sentinel, see the Sentinel documentation.
For a full list of changes, check out the Vault 0.8.3 changelog.
As always, please test in an isolated environment before upgrading and follow Vault's Upgrade Guide.
Thank you again to the Vault community for their ideas, bug reports, and pull requests!