OpenShift Service Account for Avi Vantage Authentication

Beginning with release 16.3.4, Avi Vantage supports OpenShift service accounts and their corresponding tokens for authentication with an OpenShift cluster, in addition to client certificates. This article describes the configuration workflow.

Create a Service Account for Avi

Step 1. Define the Avi Service Account (sa.json)

{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "name": "avi"
  }
}

Step 2. Create a Service Account

Create the service account with the OpenShift client, using the sa.json definition above.

>oc create -f sa.json

Create a Cluster Role

Create the cluster role with the OpenShift client, using the clusterrole.json file below. Use this role when deploying Avi Service Engines as Docker containers via SSH.

>oc create -f clusterrole.json

{
  "apiVersion": "v1",
  "kind": "ClusterRole",
  "metadata": {
    "name": "avirole"
  },
  "rules": [
    {
      "verbs": ["get","list","watch"],
      "resources": ["*"]
    },
    {
      "verbs": ["patch","update"],
      "resources": ["routes/status"]
    }
  ]
}

Deploying Avi Service Engines as a Pod requires additional privileges. In that case, create the cluster role with the OpenShift client from the clusterrolesepod.json file below instead; both definitions use the name avirole, so create only the one that matches your deployment mode.

>oc create -f clusterrolesepod.json

{
    "apiVersion": "v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "routes/status"
            ],
            "verbs": [
                "patch",
                "update"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "pods",
                "secrets",
                "securitycontextconstraints",
                "serviceaccounts"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "extensions"
            ],
            "resources": [
                "daemonsets"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        }
    ]
}

Add Created Cluster Role to Service Account

This is typically executed on the OpenShift master.

>oadm policy add-cluster-role-to-user avirole system:serviceaccount:default:avi

Extract Token for Use in Avi Cloud Configuration

Step 1. Describe the Service Account

>oc describe serviceaccount avi

Name:           avi
Namespace:      default
Labels:
Mountable secrets:      avi-token-emof0
                        avi-dockercfg-ea18k
Tokens:                 avi-token-emof0
                        avi-token-xk6sl
Image pull secrets:     avi-dockercfg-ea18k

Step 2. Extract the Token

>oc describe secret avi-token-emof0

Name:           avi-token-emof0
Namespace:      default
Labels:
Annotations:    kubernetes.io/service-account.name=avi
                kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
Type:   kubernetes.io/service-account-token
Data
====
namespace:      7 bytes
service-ca.crt: 2186 bytes
token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
ca.crt:         1070 bytes

Step 3. Enter the token from the “token” field above while configuring an OpenShift cloud on the Avi Controller.
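As an added example that is not part of this article, the following POSIX shell script automates the token extraction above: it locates the service account's token secret with oc, decodes the token, and confirms that the JWT claims name the expected namespace and service account before the value is entered into the Controller. It assumes oc is logged in on a host that can read secrets in the default namespace, and that the token is a legacy service-account JWT carrying compact JSON claims, as shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Avi article. Assumes oc is logged in with
# rights to read secrets in the target namespace; no oc command runs unless
# AVI_FETCH_TOKEN is set, so the helper functions can be sourced safely.

# Decode base64url (JWT segments drop '=' padding; restore it before base64 -d)
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the claims (second dot-separated segment) of a JWT as JSON
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Succeed only if the claims name the expected namespace and service account.
# Legacy service-account tokens carry compact JSON, so a literal match works.
check_token_claims() {
  payload=$(jwt_payload "$1")
  printf '%s' "$payload" | grep -q "\"kubernetes.io/serviceaccount/namespace\":\"$2\"" &&
    printf '%s' "$payload" | grep -q "\"kubernetes.io/serviceaccount/service-account.name\":\"$3\""
}

# Walk the secrets listed on the service account (the "Mountable secrets" shown
# by oc describe) and print the decoded token of the service-account-token one.
fetch_sa_token() {
  ns=$1; sa=$2
  for s in $(oc get serviceaccount "$sa" -n "$ns" -o jsonpath='{.secrets[*].name}'); do
    if [ "$(oc get secret "$s" -n "$ns" -o jsonpath='{.type}')" = "kubernetes.io/service-account-token" ]; then
      oc get secret "$s" -n "$ns" -o jsonpath='{.data.token}' | base64 -d
      return 0
    fi
  done
  echo "no service-account-token secret found for $ns/$sa" >&2
  return 1
}

if [ -n "${AVI_FETCH_TOKEN:-}" ]; then
  token=$(fetch_sa_token default avi) || exit 1
  check_token_claims "$token" default avi || { echo "token does not belong to default/avi" >&2; exit 1; }
  printf '%s\n' "$token"   # this is the value to enter in the Avi Controller's OpenShift cloud configuration
fi
```

Run it with AVI_FETCH_TOKEN=1 on the OpenShift master after the role binding step; a token whose claims do not match default/avi is rejected instead of printed.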


Updated: 2018-01-23 10:29:55 +0000