You can have Commvault use the existing, default cluster-admin role that provides superuser access to your Kubernetes cluster. Using the cluster-admin role ensures that Commvault can discover, back up, and recover all API resources on your cluster.
Creating a Service Account
To create a service account, run the following command:
kubectl create serviceaccount service_account_name [-n namespace]
where:
- service_account_name is the name of the service account.
- namespace is the name of the namespace where you want to create the service account.
Example command:
kubectl create serviceaccount commvault-sa
Example output:
serviceaccount/commvault-sa created
Creating a ClusterRoleBinding
To create a ClusterRoleBinding for the service account with the cluster-admin role, run the following command:
kubectl create clusterrolebinding clusterrolebinding-name --clusterrole=cluster_role_name --serviceaccount=namespace:service_account_name
Example command:
kubectl create clusterrolebinding commvault-crb --clusterrole=cluster-admin --serviceaccount=default:commvault-sa
If you want to use a custom ClusterRole to perform the Commvault backups and restores, see Creating a Kubernetes Custom ClusterRole and then run the following command:
kubectl create clusterrolebinding commvault-crb --clusterrole=cv-role --serviceaccount=default:commvault-sa
Example output:
clusterrolebinding.rbac.authorization.k8s.io/commvault-crb created
Creating a Secret for the Service Account
Kubernetes 1.24 and more recent releases do not create a secret when you create a service account. If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command:
cat << EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: secret_name
  namespace: service_account_namespace
  annotations:
    kubernetes.io/service-account.name: service_account_name
type: kubernetes.io/service-account-token
EOF
where:
- secret_name = commvault-secret
- service_account_namespace = default
- service_account_name = commvault-sa
Get Token for the Service Account
For Vanilla Kubernetes, run the following command:
kubectl get secret <SECRETNAME> -n <NAMESPACE> -o jsonpath="{.data.token}" | base64 -d
Example command:
kubectl get secret commvault-secret -n default -o jsonpath="{.data.token}" | base64 -d
Save Service Account Name and Service Account Token
Record your service account name and service account token in a safe place. You will need these values to add your cluster to Commvault.
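Before you store the token, you can confirm that it was issued for the intended service account and note that a secret-based token carries no expiry. The following is an added example, not Commvault code: the function names and the sample token are constructed for illustration, and the token's signature is not verified.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the JWT payload claims. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_sa_token(token: str, namespace: str, name: str) -> list:
    """Return findings for the token; a mismatch in subject is listed first."""
    claims = decode_claims(token)
    findings = []
    expected = f"system:serviceaccount:{namespace}:{name}"
    if claims.get("sub") != expected:
        findings.append(f"subject is {claims.get('sub')!r}, expected {expected!r}")
    if "exp" not in claims:
        # Secret-based tokens have no expiry claim.
        findings.append("no exp claim: token is valid until its secret "
                        "or service account is deleted")
    return findings


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample with the claim layout of a secret-based service account
# token; the third segment is a placeholder, not a real signature.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "commvault-secret",
    "kubernetes.io/serviceaccount/service-account.name": "commvault-sa",
    "sub": "system:serviceaccount:default:commvault-sa",
}
SAMPLE_TOKEN = ".".join(
    [_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), "c2lnbmF0dXJl"]
)

if __name__ == "__main__":
    for finding in check_sa_token(SAMPLE_TOKEN, "default", "commvault-sa"):
        print(finding)
```

Because the token does not expire and is bound to cluster-admin in the example above, rotating it means deleting and recreating the secret.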