Creating a Kubernetes Custom ClusterRole and Service Account for Commvault Cloud

For the Kubernetes service account that Commvault requires to perform application discovery, backup, and recovery, you can use an existing service account or create a new service account. The service account must have a ClusterRoleBinding to either a custom ClusterRole or leverage the default cluster-admin (superuser) role.

Before You Begin

You must have a service account that meets the following requirements:

Has, at a minimum, read-only (GET API verb permission) for all the API resources/objects that you want Commvault to protect
Can run the kubectl api-resources command against the cluster that you want to protect
Can create new ClusterRole API resources to create the restricted role on the cluster

The permissions for resources and sub-resources are as follows:

Resources and sub-resources	Permissions
`pods/exec`	`*` [All]
All resources obtained by the `kubectl api-resources` command	`*` [All]

Procedure

Download the following Linux bash script, provided by Commvault. The script is used to create the Kubernetes role that is required to perform Commvault backups and restores.

create_commvault_k8s_role.sh
On a host that has access to the Kubernetes cluster that you want Commvault to protect, do one of the following:
- To create only the Commvault ClusterRole definition, run the following command:
```
 
./cvrolescript.sh -f output.yaml
```
- To create the Commvault ClusterRole definition and use the supplied service account token to create on the cluster, run the following command:
```
 
./cvrolescript.sh -i-t token -f output.yaml
```
where:
- token is the service account token of an existing service account that has authorization to discover (list, get) all API resources on the cluster.
- output.yaml is the path of the output YAML file for the cluster role. If you do not specify the path, the script redirects output to stdout.
For example, to create the output YAML file at commvault-cluster-role.yaml, with the supplied service account token, to automatically create the role on the cluster, use the following command:
```
 
$ ./cvrolescript.sh -t  "..." -f commvault-cluster-role.yaml
```
To confirm that the ClusterRole is created as expected, run the following command:
```
kubectl describe clusterrole cv-role [-n namespace]
```

Create the service account by running the following command:

kubectl create serviceaccount service_account_name

Example command:

kubectl create serviceaccount commvault

Example output:

serviceaccount/commvault created

Create a ClusterRoleBinding for the service account with the cluster role by running the following command:

kubectl create clusterrolebinding service_account_name-binding --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name

Example command:

kubectl create clusterrolebinding commvault-sa-crb --clusterrole=cv-role --serviceaccount=default:commvault

Example output:

clusterrolebinding.rbac.authorization.k8s.io/commvault-sa-crb created

To get additional details about the new ClusterRoleBinding, run the following command:

kubectl describe clusterrolebinding ClusterRoleBinding_name

Example command:

kubectl describe clusterrolebinding commvault-sa-crb

Example output:

Name:         commvault-sa-crb
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cv-role
Subjects:
  Kind            Name       Namespace
  ----            ----       ---------
  ServiceAccount  commvault  default

If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command (because these releases do not create a secret when you create a service account):
```
 
cat << EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: secret_name
  namespace: service_account_namespace
  annotations:
    kubernetes.io/service-account.name: service_account_name
type: kubernetes.io/service-account-token
EOF
```
where
- secret_name = cvbackup
- service_account_namespace = default
- service_account_name = cvbackup

Get the token from the Secret that was created.

For Vanilla Kubernetes, run the following command:

kubectl describe secret secret_name -n service_account_namespace

Example command:

kubectl describe secret cvadmin-token -n default

Example output:

Name:         cvadmin-token    
Namespace:    default    
Labels:       <none>    
Annotations:  field.cattle.io/projectID: c-m-kmdpfdlm:p-2tx5x    
Type:   kubernetes.io/service-account-token    
Data    
====    
namespace: 7 bytes    
token:     7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=*sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4&AxiHsFZxk6W3GHQ4bRpieVLzgdYD2ORC9a7aPxTyQfBEDtGk0GTQTBuKz0oZCrFworVDfKqzTiZBveOmIfYpog23Lo4y#ul756SBowmhF3uG4GYgNhqfBG6s5DutlxOet$4nNRanxShYJ7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=*sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4    
ca.crt:   1099 bytes

For Vanilla Kubernetes, run the following command:

oc describe secret secret_name - n namespace_name

Record your service account name and service account token in a safe place.

You will need these values to add your cluster to Commvault.

Important

If new Kubernetes API resources are added to your cluster, you must regenerate the role definition and re-apply it to your cluster.