Scenario:

I have two Kubernetes 1.17 clusters, and one cluster has HashiCorp Vault configured. I am trying to connect to it from the other cluster using the Kubernetes auth method and I am getting a 403 error as below:

2020-08-11T14:22:46.971Z [ERROR] auth.kubernetes.auth_kubernetes_f530e086: login unauthorized due to: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:default:vault-auth" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "system:auth-delegator" not found","reason":"Forbidden","details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}

ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  # A ClusterRoleBinding is cluster-scoped; this namespace field is ignored.
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default

Can someone please help me here? What am I missing?

Answers

The ClusterRole system:auth-delegator does not exist, which is what gives this error.

To check if it exists, use the command below:

kubectl get clusterrole | grep system:auth-delegator

If it does not exist, create one using the YAML below:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:auth-delegator
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
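The check-then-create procedure above, written out as a small script. This is an added example, not code from the question or the answer. It assumes the ServiceAccount is default/vault-auth as in the question, that kubectl is pointed at the cluster whose API server issued that ServiceAccount's token (the cluster named in Vault's kubernetes auth config, which is the one that rejected the TokenReview), and it adds a KUBECTL variable of its own so the logic can be exercised against a stand-in command. It tests for the role by exact name rather than with grep, and finishes by asking the API server the same question Vault's login asks.

```shell
#!/bin/sh
# Added example (not from the original post): make sure the
# system:auth-delegator ClusterRole exists, create it if it does not,
# and verify the vault-auth ServiceAccount can create TokenReviews.
# Assumptions: kubectl targets the cluster that hosts the ServiceAccount,
# and the SA is default/vault-auth as in the question.
set -eu

KUBECTL="${KUBECTL:-kubectl}"   # overridable so the logic can be dry-run
SA_NS="${SA_NS:-default}"
SA_NAME="${SA_NAME:-vault-auth}"
ROLE="system:auth-delegator"

# The upstream definition of the role: it only needs to create
# TokenReviews and SubjectAccessReviews, nothing broader.
auth_delegator_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $ROLE
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
EOF
}

# Return 0 if the ClusterRole exists, non-zero otherwise. An exact name
# lookup, unlike `kubectl get clusterrole | grep`, which also matches
# any role that merely contains the string.
role_exists() {
  "$KUBECTL" get clusterrole "$ROLE" >/dev/null 2>&1
}

# Create the role only when it is absent; prints what was done.
ensure_role() {
  if role_exists; then
    echo "present"
  else
    auth_delegator_manifest | "$KUBECTL" apply -f -
    echo "created"
  fi
}

# Ask the API server exactly what Vault's login will ask: can this SA
# create tokenreviews at cluster scope? Prints "yes" or "no".
can_review_tokens() {
  "$KUBECTL" auth can-i create tokenreviews.authentication.k8s.io \
    --as="system:serviceaccount:${SA_NS}:${SA_NAME}"
}

# Only talk to a real cluster when invoked with --run, not when sourced.
if [ "${1:-}" = "--run" ]; then
  ensure_role
  can_review_tokens
fi
```

Run it as `sh ensure-auth-delegator.sh --run` against the cluster that owns the vault-auth ServiceAccount. If `can_review_tokens` still prints "no" after the role exists, the binding is what is missing or mis-targeted, not the role.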