Creating a Kubernetes Service Account and ClusterRoleBinding

You can have Commvault use the existing, default cluster-admin role that provides superuser access to your Kubernetes cluster. Using the cluster-admin role ensures that Commvault can discover, back up, and recover all API resources on your cluster.

Creating a Service Account

To create a service account, run the following command:

kubectl create serviceaccount service_account_name [-n namespace]

where:

  • service_account_name is the name of the service account.

  • namespace is the name of the namespace where you want to create the service account.

Example command:

kubectl create serviceaccount commvault-sa

Example output:

serviceaccount/commvault-sa created

Creating a ClusterRoleBinding

To create a ClusterRoleBinding for the service account with the cluster-admin role, run the following command:

kubectl create clusterrolebinding clusterrolebinding-name --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name

Example command:

kubectl create clusterrolebinding commvault-crb --clusterrole=cluster-admin --serviceaccount=default:commvault-sa

If you want to use a custom ClusterRole to perform the Commvault backups and restores, see Creating a Kubernetes Custom ClusterRole and then run the following command:

kubectl create clusterrolebinding commvault-crb --clusterrole=cv-role --serviceaccount=default:commvault-sa

Example output:

clusterrolebinding.rbac.authorization.k8s.io/commvault-crb created

Creating a Secret for the Service Account

If your cluster runs Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command. These releases do not create a secret when you create a service account.

cat << EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: secret_name
  namespace: service_account_namespace
  annotations:
    kubernetes.io/service-account.name: service_account_name
type: kubernetes.io/service-account-token
EOF

where:

  • secret_name = commvault-secret

  • service_account_namespace = default

  • service_account_name = commvault-sa

Get Token for the Service Account

  • For Vanilla Kubernetes, run the following command:

    kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service-account.name']=='service_account_name')].data.token}"|base64 --decode

    Example command:

    $ kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service-account.name']=='commvault-sa')].data.token}"|base64 --decode

  • For Red Hat OpenShift clusters, run the following command:

    oc sa get-token service_account_name -n namespace

    Example output:

    7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4&AxiHsFZxk6W3GHQ4bRpieVLzgdYD2ORC9a7aPxTyQfBEDtGk0GTQTBuKz0oZCrFworVDfKqzTiZBveOmIfYpog23Lo4y#ul756SBowmhF3uG4GYgNhqfBG6s5DutlxOet$4nNRanxShYJ7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4

Save Service Account Name and Service Account Token

Record your service account name and service account token in a safe place. You will need these values to add your cluster to Commvault.
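
Before you record the token, you can confirm that it was issued for the intended service account. The following is an added example, not part of the Commvault documentation: it decodes the token payload without verifying the signature, and the function names and the sample token are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: inspect a service account token's claims before storing it.
# The payload is only decoded; the signature is NOT verified here.

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  # base64url drops the '=' padding; restore it so base64 accepts the input.
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 --decode
}

# check_sa_token TOKEN NAMESPACE SERVICE_ACCOUNT
# Prints "ok", "ok-no-expiry" or "mismatch"; returns non-zero on mismatch.
check_sa_token() {
  local payload want
  payload=$(jwt_payload "$1" 2>/dev/null) || { echo "mismatch"; return 1; }
  want="\"sub\":[[:space:]]*\"system:serviceaccount:$2:$3\""
  if ! printf '%s' "$payload" | grep -Eq "$want"; then
    echo "mismatch"; return 1
  fi
  # Tokens read from a kubernetes.io/service-account-token secret carry no
  # "exp" claim: they stay valid until the secret or account is deleted.
  if printf '%s' "$payload" | grep -Eq '"exp":'; then
    echo "ok"
  else
    echo "ok-no-expiry"
  fi
}

# Constructed sample token (header.payload.signature); not a real credential.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url '{"alg":"RS256"}').$(b64url '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:commvault-sa"}').constructed-signature"

check_sa_token "$SAMPLE_TOKEN" default commvault-sa   # prints: ok-no-expiry
```

A result of ok-no-expiry means the token does not expire on its own, so treat it as a long-lived credential: with the cluster-admin binding shown above, anyone holding it has superuser access until the secret is deleted.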
