Creating a Kubernetes Custom ClusterRole and Service Account for Commvault

Updated

For the Kubernetes service account that Commvault requires to perform application discovery, backup, and recovery, you can use an existing service account or create a new service account. The service account must have a ClusterRoleBinding to either a custom ClusterRole or leverage the default cluster-admin (superuser) role.

Before You Begin

You must have a service account that meets the following requirements:

  • Has, at a minimum, read-only (GET API verb permission) for all the API resources/objects that you want Commvault to protect

  • Can run the kubectl api-resources command against the target cluster

  • Can create new ClusterRole API resources to create the restricted role on your cluster

The permissions for resources and sub-resources are as follows:

Resources and sub-resources

Permissions

pods/exec

* [All]

All resources obtained by the kubectl api-resources command

* [All]

Procedure

  1. Download the following Linux bash script, provided by Commvault. The script is used to create the Kubernetes role that is required to perform Commvault backups and restores.

    create_commvault_k8s_role.sh

  2. On a host that has access to the Kubernetes cluster that you want Commvault to protect, do one of the following:

    • To create only the Commvault ClusterRole definition, run the following command:

      ./cvrolescript.sh -f output.yaml
    • To create the Commvault ClusterRole definition and use the supplied service account token to create on the cluster, run the following command:

      ./cvrolescript.sh -i-t token -f output.yaml

      where:

      • token is the service account token of an existing service account that has authorization to discover (list, get) all API resources on the cluster.

      • output.yaml is the path of the output YAML file for the cluster role. If you do not specify the path, the script redirects output to stdout.

        For example, to create the output YAML file at commvault-cluster-role.yaml, with the supplied service account token, to automatically create the role on the cluster, use the following command:

        $ ./cvrolescript.sh -t  "..." -f commvault-cluster-role.yaml
  3. To confirm that the ClusterRole is created as expected, run the following command:

    kubectl describe clusterrole cv-role [-n namespace]
  4. If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command:

    $cat << EOF | kubectl create -f -

    apiVersion: v1

    kind: Secret

    metadata:

    name: secret_name

    annotations:

    kubernetes.io/service-account.name: service_account_name

    type: kubernetes.io/service-account-token

    EOF

    Kubernetes 1.24 and more recent releases do not create a secret when you create a service account.

  5. Create the service account by running the following command:

    kubectl create serviceaccount service_account_name

    Example command:

    kubectl create serviceaccount commvault

    Example output:

    serviceaccount/commvault created
  6. Create a ClusterRoleBinding for the service account with the cluster role by running the following command:

    kubectl create clusterrolebinding service_account_name-binding --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name

    Example command:

    kubectl create clusterrolebinding commvault-sa-crb --clusterrole=cv-role --serviceaccount=default:commvault

    Example output:

    clusterrolebinding.rbac.authorization.k8s.io/commvault-sa-crb created
  7. To get additional details about the new ClusterRoleBinding, run the following command:

    kubectl describe clusterrolebinding ClusterRoleBinding_name

    Example command:

    kubectl describe clusterrolebinding commvault-sa-crb

    Example output:

    Name:         commvault-sa-crb

    Labels: <none>

    Annotations: <none>

    Role:

    Kind: ClusterRole

    Name: cv-role

    Subjects:

    Kind Name Namespace

    ---- ---- ---------

    ServiceAccount commvault default
  8. Get the service account token for the service account that you created:

    • For Vanilla Kubernetes, run the following command:

      kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='commvault')].data.token}"|base64 --decode

      Example command:

      kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account.name']=='commvault')].data.token}"|base64 --decode

      Example output:

      eyJhbGciOiJSUzI1NiIsImtpZCI6ImZWeFBuS3pHZk1HNHk3S19Ja3dRV0xrT05iQ05jVEZrQURYSmtDWGU2c2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNvbW12YXVsdC10b2tlbi1reDQ2YyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjb21tdmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3YjU5NmE3Mi1lYmNjLTQwZDUtYjA4Ni1iZWJkYTNiN2M0YWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpjb21tdmF1bHQifQ.l2o5YjXhhMNm5TJ0B8tMjIQQHU4EFq9aMOl4vWgmc69wEcdogzwWF4TUNVpC0wR7Q6BlasOxFSB6v3TIXx4VdQD5Jn33XEcSwa6XI-qa7BhogBaitOfpmsyr-eB5rplgoWz6rALZdrgVS8FY4EZDBwqKQK1_hJHzRFNtUWlBGJf3hADPP1AntTt8gDmNamvPWHSNmpFiXhzLuGCPTkOPJrlo6kmHSO31HUnYYPQQLSfy6PLYAxXWfAyBQhPAXKsnwWwoRIH06L-LRrOZxkVBzJGjfqO5KWS85RxiOjakMdyC41j8kNXfUDizWzEiSnrN3yUjC-ItGBX0Oa5d0MhnDA
    • Red Hat OpenShift clusters, run the following command:

      oc sa get-token service_account_name -n namespace 
  9. Record your service account name and service account token in a safe place.

    You will need these values to add your cluster to Commvault.

Important: If new Kubernetes API resources are added to your cluster, you must regenerate the role definition and re-apply it to your cluster.