Creating a Kubernetes Cluster-Admin Service Account for Commvault


You can have Commvault use the existing, default cluster-admin role that provides superuser access to your Kubernetes cluster. Using the cluster-admin role ensures that Commvault can discover, back up, and recover all API resources on your cluster.

To create a service account with ClusterRoleBinding to the cluster-admin ClusterRole, use the following procedure.

Procedure

  1. Create the service account by running the following command:

    kubectl create serviceaccount service_account_name [-n namespace]

    where:

    • service_account_name is the name of the service account

    • namespace is the name of the namespace where you want to create the service account

      Example command:

      $ kubectl create serviceaccount commvault-admin

      Example output:

      serviceaccount/commvault-admin created
  2. Create a new ClusterRoleBinding that provides cluster-admin permissions to the newly created service account by running the following command:

    kubectl create clusterrolebinding cluster_role_binding_name --clusterrole=cluster-admin --serviceaccount=namespace:service_account_name

    Example command:

    $ kubectl create clusterrolebinding commvault-admin-sa-crb --clusterrole=cluster-admin --serviceaccount=default:commvault-admin

    Example output:

    clusterrolebinding.rbac.authorization.k8s.io/commvault-admin-sa-crb created
  3. If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command:

    $ cat << EOF | kubectl create -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret_name
      annotations:
        kubernetes.io/service-account.name: service_account_name
    type: kubernetes.io/service-account-token
    EOF

    Kubernetes 1.24 and more recent releases do not automatically create a token secret when you create a service account, so this step is required on those versions. Create the secret in the same namespace as the service account; the token controller only populates a secret whose annotation names a service account in its own namespace.

  4. Get the service account token for the service account that you created:

    • For Vanilla Kubernetes, run the following command:

      kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='service_account_name')].data.token}"|base64 --decode

      Example command:

      $ kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='commvault')].data.token}"|base64 --decode

      Example output:

      eyJhbGciOiJSUzI1NiIsImtpZCI6ImZWeFBuS3pHZk1HNHk3S19Ja3dRV0xrT05iQ05jVEZrQURYSmtDWGU2c2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNvbW12YXVsdC10b2tlbi1reDQ2YyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjb21tdmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3YjU5NmE3Mi1lYmNjLTQwZDUtYjA4Ni1iZWJkYTNiN2M0YWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpjb21tdmF1bHQifQ.l2o5YjXhhMNm5TJ0B8tMjIQQHU4EFq9aMOl4vWgmc69wEcdogzwWF4TUNVpC0wR7Q6BlasOxFSB6v3TIXx4VdQD5Jn33XEcSwa6XI-qa7BhogBaitOfpmsyr-eB5rplgoWz6rALZdrgVS8FY4EZDBwqKQK1_hJHzRFNtUWlBGJf3hADPP1AntTt8gDmNamvPWHSNmpFiXhzLuGCPTkOPJrlo6kmHSO31HUnYYPQQLSfy6PLYAxXWfAyBQhPAXKsnwWwoRIH06L-LRrOZxkVBzJGjfqO5KWS85RxiOjakMdyC41j8kNXfUDizWzEiSnrN3yUjC-ItGBX0Oa5d0MhnDA
    • For Red Hat OpenShift clusters, run the following command:

      oc sa get-token service_account_name -n namespace
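The procedure above ends with a raw service account token that will be pasted into Commvault. The following POSIX shell helpers are an added example, not Commvault's or Kubernetes' own code: one function emits the step 3 Secret manifest for a given secret name, service account and namespace, and the others decode the payload of the token retrieved in step 4 so you can confirm, before storing it, that its `sub` claim names the service account you actually bound to cluster-admin. The sample input is the token shown in the step 4 example output on this page; the function names and the assumption of GNU-style `base64 -d`, `cut`, `tr` and `sed` are this example's own. The payload decode is inspection only: nothing here verifies the signature, which only the API server can do.

```shell
#!/bin/sh
# Added example (not Commvault's code). Assumes POSIX sh plus cut, tr, sed
# and a base64 that accepts -d (GNU coreutils style).

# Emit the step 3 Secret manifest for secret name $1, service account $2,
# namespace $3. Pipe into `kubectl create -f -` against a live cluster.
sa_token_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $3
  annotations:
    kubernetes.io/service-account.name: $2
type: kubernetes.io/service-account-token
EOF
}

# Decode the payload (second dot-separated segment) of a JWT.
# Inspection only: the signature is NOT verified here.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#seg} % 4 )) in                             # restore stripped padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the value of a string-valued claim ($2) from token $1, e.g. "sub".
# Service account token payloads are compact JSON, so a sed capture suffices.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Succeed only if token $1 belongs to service account $3 in namespace $2.
check_token_subject() {
  expected="system:serviceaccount:$2:$3"
  [ "$(jwt_claim "$1" sub)" = "$expected" ]
}

# Sample input: the token from the step 4 example output on this page.
EXAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6ImZWeFBuS3pHZk1HNHk3S19Ja3dRV0xrT05iQ05jVEZrQURYSmtDWGU2c2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNvbW12YXVsdC10b2tlbi1reDQ2YyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjb21tdmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3YjU5NmE3Mi1lYmNjLTQwZDUtYjA4Ni1iZWJkYTNiN2M0YWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpjb21tdmF1bHQifQ.l2o5YjXhhMNm5TJ0B8tMjIQQHU4EFq9aMOl4vWgmc69wEcdogzwWF4TUNVpC0wR7Q6BlasOxFSB6v3TIXx4VdQD5Jn33XEcSwa6XI-qa7BhogBaitOfpmsyr-eB5rplgoWz6rALZdrgVS8FY4EZDBwqKQK1_hJHzRFNtUWlBGJf3hADPP1AntTt8gDmNamvPWHSNmpFiXhzLuGCPTkOPJrlo6kmHSO31HUnYYPQQLSfy6PLYAxXWfAyBQhPAXKsnwWwoRIH06L-LRrOZxkVBzJGjfqO5KWS85RxiOjakMdyC41j8kNXfUDizWzEiSnrN3yUjC-ItGBX0Oa5d0MhnDA'

# Demo: manifest for the service account created in step 1, then a subject check.
sa_token_secret_manifest commvault-admin-token commvault-admin default
printf 'token subject: %s\n' "$(jwt_claim "$EXAMPLE_TOKEN" sub)"
if check_token_subject "$EXAMPLE_TOKEN" default commvault; then
  echo "token belongs to system:serviceaccount:default:commvault"
else
  echo "token subject does not match the expected service account"
fi
```

Against a live cluster, the subject check tells you which account a token represents, but not what that account may do; the binding itself is confirmed with impersonation, for example `kubectl auth can-i --list --as=system:serviceaccount:default:commvault-admin`, which should list cluster-wide `*` verbs on `*` resources once the ClusterRoleBinding from step 2 is in place. Since this token carries superuser access, treat the decoded output like the token itself and keep it out of shell history and logs.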