Problem:
When the Kubernetes authentication method is used, the Vault server needs to communicate with the K8S API; more specifically, it calls the TokenReview API endpoint of the Kubernetes cluster to verify the client's service account token.
From the client's point of view this can be considered a "back channel".
In some cases the connectivity between Vault and the K8S API is disrupted; Vault then reports a "permission denied" error to the client.
In those cases, the K8S authentication method, even though configured correctly (out of scope for this article), returns "permission denied" to the client, but no error is logged in Vault's operational logs. This usually happens when the "HTTP_PROXY" and "HTTPS_PROXY" environment variables are configured for the Vault process itself (in most cases via the systemd unit file).
Even though the "NO_PROXY" environment variable is also configured, Vault versions up to 1.19.0 (the current release as of 31st of March 2025) do NOT take it into account when calls are made to the TokenReview endpoint of the K8S cluster.
As a result, even with "NO_PROXY" configured, Vault still attempts to contact the K8S API via the proxy configured in "HTTP_PROXY" and "HTTPS_PROXY". Such a proxy is usually configured to "DROP" packets without sending TCP "RST" packets back to the client (in this case the Vault server), which is why errors such as "i/o timeout" or "connection refused" do not appear in Vault's operational logs.
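The following Go program is an added illustration, not Vault's own code: it shows the difference between an HTTP client whose proxy selection honours "NO_PROXY" (Go's `http.ProxyFromEnvironment`) and one pinned to a fixed proxy URL, which ignores "NO_PROXY" entirely, and it adds a bounded-timeout TCP probe that an operator can run from the Vault host so that a silently dropped connection surfaces as an explicit error instead of a hang. The proxy and K8S API host names are constructed placeholders; replace them with the values from your environment and from the auth method's configured `kubernetes_host`.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"time"
)

// proxyChoice reports which proxy (if any) a Transport's Proxy function would
// select for a request to target. A nil URL means a direct connection.
func proxyChoice(proxyFn func(*http.Request) (*url.URL, error), target string) (*url.URL, error) {
	req, err := http.NewRequest(http.MethodPost, target, nil)
	if err != nil {
		return nil, err
	}
	return proxyFn(req)
}

// envAwareProxy mirrors a client that honours HTTP_PROXY/HTTPS_PROXY *and*
// NO_PROXY: hosts listed in NO_PROXY are dialled directly.
func envAwareProxy(target string) (*url.URL, error) {
	return proxyChoice(http.ProxyFromEnvironment, target)
}

// fixedProxy mirrors a client pinned to one proxy URL; NO_PROXY is never
// consulted, so every request, including one to the K8S API, goes via the proxy.
func fixedProxy(proxyURL, target string) (*url.URL, error) {
	u, err := url.Parse(proxyURL)
	if err != nil {
		return nil, err
	}
	return proxyChoice(http.ProxyURL(u), target)
}

// probe opens a TCP connection to hostport with a bounded timeout. A proxy or
// firewall that silently DROPs packets shows up here as "i/o timeout", and a
// closed port as "connection refused", instead of an indefinite hang.
func probe(hostport string, timeout time.Duration) error {
	conn, err := net.DialTimeout("tcp", hostport, timeout)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	// Constructed example values; set them to your real proxy and API host.
	const proxy = "http://proxy.example.internal:3128"
	const apiHost = "k8s-api.example.internal:6443"
	target := "https://" + apiHost + "/apis/authentication.k8s.io/v1/tokenreviews"

	os.Setenv("HTTPS_PROXY", proxy)
	os.Setenv("NO_PROXY", "k8s-api.example.internal")

	viaEnv, _ := envAwareProxy(target)
	viaFixed, _ := fixedProxy(proxy, target)
	fmt.Printf("env-aware client proxies through: %v (nil = direct, NO_PROXY honoured)\n", viaEnv)
	fmt.Printf("fixed-proxy client proxies through: %v (NO_PROXY ignored)\n", viaFixed)

	// Run this from the Vault host: a timeout here, while the proxy path yields
	// nothing, is the silent-drop symptom described above.
	if err := probe(apiHost, 5*time.Second); err != nil {
		fmt.Println("direct probe to K8S API failed:", err)
	} else {
		fmt.Println("direct probe to K8S API succeeded")
	}
}
```

Run it on the Vault server with the same environment the Vault process receives (for a systemd-managed service, the unit's `Environment=` settings); if the direct probe succeeds but the auth method still returns "permission denied", the request is being forced through the proxy regardless of "NO_PROXY".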
Solutions:
- Configure access to the K8S API so that outbound connections from the Vault server do not use a proxy.
- Configure the proxy itself to handle connections destined for the K8S API that originate from the Vault server.