You can have Commvault use the existing, default cluster-admin role that provides superuser access to your Kubernetes cluster. Using the cluster-admin role ensures that Commvault can discover, back up, and restore all API resources on your cluster.
To create a service account and bind it to the cluster-admin ClusterRole with a ClusterRoleBinding, use the following procedure.
Procedure
- Create the service account by running the following command:
kubectl create serviceaccount service_account_name [-n namespace]
where:
  - service_account_name is the name of the service account
  - namespace is the name of the namespace where you want to create the service account
Example command:
$ kubectl create serviceaccount commvault-admin
Example output:
serviceaccount/commvault-admin created
- Create a new ClusterRoleBinding that grants the cluster-admin ClusterRole to the newly created service account by running the following command:
kubectl create clusterrolebinding cluster_role_binding_name --clusterrole=cluster-admin --serviceaccount=namespace:service_account_name
Example command:
$ kubectl create clusterrolebinding commvault-admin-sa-crb --clusterrole=cluster-admin --serviceaccount=default:commvault-admin
Example output:
clusterrolebinding.rbac.authorization.k8s.io/commvault-admin-sa-crb created
- If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command (the secret must be created in the same namespace as the service account it is annotated with):
cat << EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: secret_name
  annotations:
    kubernetes.io/service-account.name: service_account_name
type: kubernetes.io/service-account-token
EOF
Kubernetes 1.24 and more recent releases do not create a secret when you create a service account.
- Get the service account token for the service account that you created:
  - For Vanilla Kubernetes, run the following command:
kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='service_account_name')].data.token}" | base64 --decode
Example command:
$ kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='commvault')].data.token}" | base64 --decode
Example output:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImZWeFBuS3pHZk1HNHk3S19Ja3dRV0xrT05iQ05jVEZrQURYSmtDWGU2c2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNvbW12YXVsdC10b2tlbi1reDQ2YyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjb21tdmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3YjU5NmE3Mi1lYmNjLTQwZDUtYjA4Ni1iZWJkYTNiN2M0YWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpjb21tdmF1bHQifQ.l2o5YjXhhMNm5TJ0B8tMjIQQHU4EFq9aMOl4vWgmc69wEcdogzwWF4TUNVpC0wR7Q6BlasOxFSB6v3TIXx4VdQD5Jn33XEcSwa6XI-qa7BhogBaitOfpmsyr-eB5rplgoWz6rALZdrgVS8FY4EZDBwqKQK1_hJHzRFNtUWlBGJf3hADPP1AntTt8gDmNamvPWHSNmpFiXhzLuGCPTkOPJrlo6kmHSO31HUnYYPQQLSfy6PLYAxXWfAyBQhPAXKsnwWwoRIH06L-LRrOZxkVBzJGjfqO5KWS85RxiOjakMdyC41j8kNXfUDizWzEiSnrN3yUjC-ItGBX0Oa5d0MhnDA
  - For Red Hat OpenShift clusters, run the following command:
oc sa get-token service_account_name -n namespace
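The token printed by either command is a bearer credential that carries cluster-admin rights, so it is worth confirming that it really identifies the intended service account before entering it into Commvault. The following Python helper is an added example, not part of the Commvault documentation: it decodes the token payload without verifying the signature and compares the sub claim with the expected service account; the embedded SAMPLE_TOKEN is constructed with a placeholder signature, and the function names decode_claims and inspect_token are the example's own.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    """base64url-encode without '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample shaped like the token the kubectl command above prints:
# header and payload are base64url JSON; the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "commvault-admin-token",
        "kubernetes.io/serviceaccount/service-account.name": "commvault-admin",
        "sub": "system:serviceaccount:default:commvault-admin",
    }).encode()),
    "constructed-signature",
])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only;
    the API server is what validates the token). Restores the base64 padding
    that real JWT segments omit."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_token(token: str, namespace: str, sa_name: str) -> dict:
    """Check that the token names the expected service account.

    subject_ok: sub claim equals system:serviceaccount:<namespace>:<sa_name>.
    long_lived: no exp claim, i.e. a secret-based token that never expires and
                must be stored and rotated like any permanent admin credential.
    """
    claims = decode_claims(token)
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    return {
        "subject": claims.get("sub"),
        "subject_ok": claims.get("sub") == expected,
        "long_lived": "exp" not in claims,
    }
```

Run inspect_token on the real token with the namespace and service account name you used in the earlier steps; a False subject_ok means the jsonpath filter picked up a different secret than intended.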