For the Kubernetes service account that Commvault requires to perform application discovery, backup, and recovery, you can use an existing service account or create a new service account. The service account must have a ClusterRoleBinding to either a custom ClusterRole or leverage the default cluster-admin (superuser) role.
Before You Begin
You must have a service account that meets the following requirements:
Has, at a minimum, read-only (GET API verb permission) for all the API resources/objects that you want Commvault to protect
Can run the kubectl api-resources command against the cluster that you want to protect
Can create new ClusterRole API resources to create the restricted role on the cluster
The permissions for resources and sub-resources are as follows:
Resources and sub-resources | Permissions
---|---
All resources obtained by the |
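The read-only requirement above (GET on every API resource that Commvault is to protect) can be turned into a concrete ClusterRole directly from the cluster's own resource list. The following is an added example, not Commvault's cvrolescript.sh and not the rule set that script produces: it reads the resource.group lines that kubectl api-resources -o name prints, groups them by API group, and emits a ClusterRole that grants only get, list and watch. The role name cv-readonly and the embedded SAMPLE_API_RESOURCES list are constructed for the example; on a live cluster you would pipe the real kubectl output into the function.

```shell
#!/bin/sh
# Added example (not Commvault's cvrolescript.sh): build a read-only
# ClusterRole from "resource.group" lines as printed by
#   kubectl api-resources -o name
# Live usage:
#   kubectl api-resources -o name | gen_readonly_role cv-readonly > role.yaml
#   kubectl apply -f role.yaml

# Constructed sample standing in for live `kubectl api-resources -o name` output.
# Core-group resources have no ".group" suffix; all others carry their API group.
SAMPLE_API_RESOURCES='pods
secrets
persistentvolumeclaims
deployments.apps
statefulsets.apps
ingresses.networking.k8s.io
virtualmachines.kubevirt.io'

# gen_readonly_role [role_name] [comma_separated_verbs]
# Reads resource.group lines on stdin, writes ClusterRole YAML on stdout,
# one rule per API group, verbs defaulting to the read-only set.
gen_readonly_role() {
  role_name="${1:-cv-readonly}"
  verbs="${2:-get,list,watch}"
  awk -v role="$role_name" -v verbs="$verbs" '
    # Resource names cannot contain ".", so the first "." separates the
    # resource from its API group ("" is the core group).
    NF {
      line = $1
      dot = index(line, ".")
      if (dot == 0) { res = line; grp = "" }
      else { res = substr(line, 1, dot - 1); grp = substr(line, dot + 1) }
      if (!(grp in seen)) { order[++n] = grp; seen[grp] = 1 }
      members[grp] = members[grp] "\n  - " res
    }
    END {
      printf "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: %s\nrules:\n", role
      split(verbs, v, ",")
      for (i = 1; i <= n; i++) {
        grp = order[i]
        printf "- apiGroups: [\"%s\"]\n  resources:%s\n  verbs:", grp, members[grp]
        for (j = 1; j in v; j++) printf "\n  - %s", v[j]
        printf "\n"
      }
    }'
}

# count_rules: number of rules (API groups) in a manifest read from stdin.
count_rules() { grep -c '^- apiGroups:'; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_API_RESOURCES" | gen_readonly_role cv-readonly
```

Because api-resources only lists types the API server currently serves, the generated role silently omits any CRD installed later; that is the same reason the page tells you to regenerate and re-apply the role whenever new API resources are added.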
Procedure
Download the following Linux bash script, provided by Commvault. The script is used to create the Kubernetes role that is required to perform Commvault backups and restores.
On a host that has access to the Kubernetes cluster that you want Commvault to protect, do one of the following:
To create only the Commvault ClusterRole definition, run the following command:
./cvrolescript.sh -f output.yaml
To create the Commvault ClusterRole definition and use the supplied service account token to create it on the cluster, run the following command:
./cvrolescript.sh -t token -f output.yaml
where:
token is the service account token of an existing service account that has authorization to discover (list, get) all API resources on the cluster.
output.yaml is the path of the output YAML file for the cluster role. If you do not specify the path, the script writes the output to stdout.
For example, to create the output YAML file at commvault-cluster-role.yaml and use the supplied service account token to automatically create the role on the cluster, run the following command:
$ ./cvrolescript.sh -t "..." -f commvault-cluster-role.yaml
To confirm that the ClusterRole is created as expected, run the following command:
kubectl describe clusterrole cv-role [-n namespace]
Create the service account by running the following command:
kubectl create serviceaccount service_account_name
Example command:
kubectl create serviceaccount commvault
Example output:
serviceaccount/commvault created
Create a ClusterRoleBinding for the service account with the cluster role by running the following command:
kubectl create clusterrolebinding service_account_name-binding --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name
Example command:
kubectl create clusterrolebinding commvault-sa-crb --clusterrole=cv-role --serviceaccount=default:commvault
Example output:
clusterrolebinding.rbac.authorization.k8s.io/commvault-sa-crb created
To get additional details about the new ClusterRoleBinding, run the following command:
kubectl describe clusterrolebinding ClusterRoleBinding_name
Example command:
kubectl describe clusterrolebinding commvault-sa-crb
Example output:
Name: commvault-sa-crb
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cv-role
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount commvault default
If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command. (Kubernetes 1.24 and more recent releases do not create a secret automatically when you create a service account.)
cat << EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: secret_name
  namespace: service_account_namespace
  annotations:
    kubernetes.io/service-account.name: service_account_name
type: kubernetes.io/service-account-token
EOF
Get the token from the Secret that was created.
For Vanilla Kubernetes, run the following command:
kubectl describe secret secret_name -n service_account_namespace
Example command:
kubectl describe secret cvadmin-token -n default
Example output:
Name: cvadmin-token
Namespace: default
Labels: <none>
Annotations: field.cattle.io/projectID: c-m-kmdpfdlm:p-2tx5x
Type: kubernetes.io/service-account-token
Data
====
namespace: 7 bytes
token: 7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=*sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4&AxiHsFZxk6W3GHQ4bRpieVLzgdYD2ORC9a7aPxTyQfBEDtGk0GTQTBuKz0oZCrFworVDfKqzTiZBveOmIfYpog23Lo4y#ul756SBowmhF3uG4GYgNhqfBG6s5DutlxOet$4nNRanxShYJ7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=*sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4
ca.crt: 1099 bytes
For OpenShift, run the following command:
oc describe secret secret_name -n namespace_name
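Before recording the token, it is worth confirming that the value you copied really belongs to the service account you just bound, rather than to some other Secret in the namespace. A service-account token Secret holds a JWT whose payload carries the kubernetes.io/serviceaccount/namespace and kubernetes.io/serviceaccount/service-account.name claims. The following added example (not part of the Commvault page) decodes those two claims from a token without verifying the signature, which is enough for a sanity check on the operator's side; the token it runs against is a constructed, unsigned stand-in built inside the script, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: inspect which service account a token Secret belongs to.
# Live usage (Kubernetes 1.24+ after creating the Secret from the page):
#   tok=$(kubectl get secret secret_name -n ns -o jsonpath='{.data.token}' | base64 -d)
#   sa_from_token "$tok"        # prints "namespace/service-account-name"

# base64url encode/decode helpers (JWT segments are base64url without padding).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_claim TOKEN CLAIM: print the string value of CLAIM from the JWT payload.
# No signature check: this only reads the unverified payload for inspection.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# sa_from_token TOKEN: print namespace/name of the service account the token names.
sa_from_token() {
  ns=$(jwt_claim "$1" 'kubernetes.io\/serviceaccount\/namespace')
  name=$(jwt_claim "$1" 'kubernetes.io\/serviceaccount\/service-account.name')
  [ -n "$ns" ] && [ -n "$name" ] || return 1
  printf '%s/%s\n' "$ns" "$name"
}

# Constructed, unsigned sample token for the service account created on the page
# (default/commvault). The header and claim names follow the legacy
# service-account token format; the signature segment is a dummy.
SAMPLE_HEADER='{"alg":"RS256","kid":"example-kid"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"cvadmin-token","kubernetes.io/serviceaccount/service-account.name":"commvault","sub":"system:serviceaccount:default:commvault"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").c2ln"

# Stand-alone run: expect "default/commvault".
sa_from_token "$SAMPLE_TOKEN"
```

If the printed namespace/name does not match the subject of the ClusterRoleBinding you created, you copied the wrong Secret; fix that before handing the token to Commvault, since whatever that token authenticates as is what Commvault will act as.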
Record your service account name and service account token in a safe place.
You will need these values to add your cluster to Commvault.
Important: If new Kubernetes API resources are added to your cluster, you must regenerate the role definition and re-apply it to your cluster.