Creating a Kubernetes Custom ClusterRole and Service Account for Commvault Cloud

For the Kubernetes service account that Commvault requires to perform application discovery, backup, and recovery, you can use an existing service account or create a new service account. The service account must have a ClusterRoleBinding to either a custom ClusterRole or leverage the default cluster-admin (superuser) role.

Before You Begin

You must have a service account that meets the following requirements:

  • Has, at a minimum, read-only (GET API verb permission) for all the API resources/objects that you want Commvault to protect

  • Can run the kubectl api-resources command against the cluster that you want to protect

  • Can create new ClusterRole API resources to create the restricted role on the cluster

The permissions for resources and sub-resources are as follows:

Resources and sub-resources



* [All]

All resources obtained by the kubectl api-resources command

* [All]


  1. Download the following Linux bash script, provided by Commvault. The script is used to create the Kubernetes role that is required to perform Commvault backups and restores.

  2. On a host that has access to the Kubernetes cluster that you want Commvault to protect, do one of the following:

    • To create only the Commvault ClusterRole definition, run the following command:

      ./ -f output.yaml

    • To create the Commvault ClusterRole definition and use the supplied service account token to create on the cluster, run the following command:

      ./ -i-t token -f output.yaml


    • token is the service account token of an existing service account that has authorization to discover (list, get) all API resources on the cluster.

    • output.yaml is the path of the output YAML file for the cluster role. If you do not specify the path, the script redirects output to stdout.

    For example, to create the output YAML file at commvault-cluster-role.yaml, with the supplied service account token, to automatically create the role on the cluster, use the following command:

    $ ./ -t "..." -f commvault-cluster-role.yaml

  3. To confirm that the ClusterRole is created as expected, run the following command:

    kubectl describe clusterrole cv-role [-n namespace]
  4. Create the service account by running the following command:

    kubectl create serviceaccount service_account_name

    Example command:

    kubectl create serviceaccount commvault

    Example output:

    serviceaccount/commvault created
  5. Create a ClusterRoleBinding for the service account with the cluster role by running the following command:

    kubectl create clusterrolebinding service_account_name-binding --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name

    Example command:

    kubectl create clusterrolebinding commvault-sa-crb --clusterrole=cv-role --serviceaccount=default:commvault

    Example output: created
  6. To get additional details about the new ClusterRoleBinding, run the following command:

    kubectl describe clusterrolebinding ClusterRoleBinding_name

    Example command:

    kubectl describe clusterrolebinding commvault-sa-crb

    Example output:

    Name:         commvault-sa-crb
    Labels:       <none>
    Annotations:  <none>
      Kind:  ClusterRole
      Name:  cv-role
      Kind            Name       Namespace
      ----            ----       ---------
      ServiceAccount  commvault  default
  7. If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command (because these releases do not create a secret when you create a service account):

    cat << EOF | kubectl create -f - apiVersion: v1 kind: Secret metadata: name: secret_name namespace: service_account_namespace annotations: service_account_name type: EOF


    • secret_name = cvbackup

    • service_account_namespace = default

    • service_account_name = cvbackup

  8. Get the token from the Secret that was created.

    • For Vanilla Kubernetes, run the following command:

      kubectl describe secret secret_name -n service_account_namespace

      Example command:

      kubectl describe secret cvadmin-token -n default

      Example output:

      Name:         cvadmin-token    
      Namespace:    default    
      Labels:       <none>    
      Annotations: c-m-kmdpfdlm:p-2tx5x    
      namespace: 7 bytes    
      token:     7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=*sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4&AxiHsFZxk6W3GHQ4bRpieVLzgdYD2ORC9a7aPxTyQfBEDtGk0GTQTBuKz0oZCrFworVDfKqzTiZBveOmIfYpog23Lo4y#ul756SBowmhF3uG4GYgNhqfBG6s5DutlxOet$4nNRanxShYJ7YDaH7vN2Syrp09cjBm+h0o9n3xQiTAuM1jvnaKHPPmHAWTfiQStPZxQ5JKjq906YlhcSrX792ESagk=*sfl;2iogm3=gj392'qm(CljWuSsvQ3kE3hkfGECVSlFWD7B2AjwUElJCOQW7dWlljPzFGyLn5684XftRp6fZ2WObyxqNXySJgNieO6pZN0Tdr4zwSj&jox8463Y831_APxYKvaxvvKN8JQfVvMRlILejj4a5ZyCIQApaIBrq9gi9bj6Es3hLI4ZiBeyAERvoOAVkzZhBlrohr4    
      ca.crt:   1099 bytes
    • For Vanilla Kubernetes, run the following command:

      oc describe secret secret_name - n namespace_name

  9. Record your service account name and service account token in a safe place.

    You will need these values to add your cluster to Commvault.


If new Kubernetes API resources are added to your cluster, you must regenerate the role definition and re-apply it to your cluster.