Creating a Kubernetes Service Account and ClusterRoleBinding

You can have Commvault use the existing, default cluster-admin role that provides superuser access to your Kubernetes cluster. Using the cluster-admin role ensures that Commvault can discover, back up, and recover all API resources on your cluster.

Creating a Service Account

To create a service account, run the following command:

kubectl create serviceaccount service_account_name [ -n namespace]


  • service_account_name is the name of the service account.

  • namespace is the name of the namespace where you want to create the service account.

Example command:

kubectl create serviceaccount commvault-sa

Example output:

serviceaccount/commvault-sa created

Creating a ClusterRoleBinding

To create a ClusterRoleBinding for the service account with the cluster-admin role, run the following command:

kubectl create clusterrolebinding clusterrolebinding-name --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name

Example command:

kubectl create clusterrolebinding commvault-crb --clusterrole=cluster-admin --serviceaccount=default:commvault-sa

If you want to use a custom ClusterRole to perform the Commvault backups and restores, see Creating a Kubernetes Custom ClusterRole and then run the following command:

kubectl create clusterrolebinding commvault-crb  --clusterrole=cv-role --serviceaccount=default:commvault -sa

Example output: created

Creating a Secret for the Service Account

If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command (because these releases do not create a secret when you create a service account):

cat << EOF | kubectl create -f - apiVersion: v1 kind: Secret metadata: name: secret_name namespace: service_account_namespace annotations: service_account_name type: EOF


  • secret_name = commvault-secret

  • service_account_namespace = default

  • service_account_name = commvault-sa

Get Token for the Service Account

For Vanilla Kubernetes, run the following command:

kubectl get secrets -n <namespace> -o jsonpath="{.items[?(@.metadata.annotations['']=='service_account_name')].data.token}"|base64 --decode

Example command:

$ kubectl get secrets -n default -o jsonpath="{.items[?(@.metadata.annotations['']=='commvault-sa')].data.token}"|base64 –decode

Save Service Account Name and Service Account Token

Record your service account name and service account token in a safe place. You will need these values to add your cluster to Commvault.