Kubernetes Service Account for Avi Vantage Authentication
Beginning with release 16.3.4, in addition to client certificates, Avi Vantage supports Kubernetes service accounts and their corresponding tokens for authentication with a Kubernetes cluster. This article describes the configuration workflow.
Create a Service Account
Create a service account named avi in the default namespace using the kubectl command.
kubectl create serviceaccount avi -n default
Create a Cluster Role
Use clusterrole.json as specified in step 1a when deploying Avi Service Engines as a Docker container via SSH. Deploying Avi Service Engines as a pod requires additional privileges; in that case, use clusterrole.json as specified in step 1b.
Step 1a. Create a clusterrole.json file with the below content when deploying Avi Service Engines as a Docker container via SSH.
{
  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
  "kind": "ClusterRole",
  "metadata": {
    "name": "avirole"
  },
  "rules": [
    {
      "apiGroups": [
        ""
      ],
      "resources": [
        "*"
      ],
      "verbs": [
        "get",
        "list",
        "watch"
      ]
    }
  ]
}
Step 1b. Alternately, create a clusterrole.json file with the below content when deploying Avi Service Engines as a pod.
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {
    "name": "avirole"
  },
  "rules": [
    {
      "apiGroups": [
        ""
      ],
      "resources": [
        "*"
      ],
      "verbs": [
        "get",
        "list",
        "watch"
      ]
    },
    {
      "apiGroups": [
        ""
      ],
      "resources": [
        "pods",
        "replicationcontrollers"
      ],
      "verbs": [
        "get",
        "list",
        "watch",
        "create",
        "delete",
        "update"
      ]
    },
    {
      "apiGroups": [
        ""
      ],
      "resources": [
        "secrets"
      ],
      "verbs": [
        "get",
        "list",
        "watch",
        "create",
        "delete",
        "update"
      ]
    },
    {
      "apiGroups": [
        "apps"
      ],
      "resources": [
        "daemonsets"
      ],
      "verbs": [
        "*"
      ]
    },
    {
      "apiGroups": [
        "extensions"
      ],
      "resources": [
        "ingresses",
        "ingresses/status",
        "services/status"
      ],
      "verbs": [
        "create",
        "delete",
        "get",
        "list",
        "update",
        "watch"
      ]
    }
  ]
}
Step 2. Create the cluster role using the kubectl command.
kubectl create -f clusterrole.json
Create Cluster Role Binding
Step 1. Create a clusterbinding.json file with the below content.
{
  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
  "kind": "ClusterRoleBinding",
  "metadata": {
    "name": "avirolebinding",
    "namespace": "default"
  },
  "roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole",
    "name": "avirole"
  },
  "subjects": [
    {
      "kind": "ServiceAccount",
      "name": "avi",
      "namespace": "default"
    }
  ]
}
Step 2. Create the cluster role binding to attach the previously created cluster role to the avi service account:
kubectl create -f clusterbinding.json
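Before applying the two objects above, it is worth checking exactly what the binding hands to the avi service account; in particular, the step-1a rule's "*" in resources already covers secrets in the core API group. The following script is an added example, not part of the Avi article, that evaluates the step-1a ClusterRole and the ClusterRoleBinding with Kubernetes RBAC matching semantics; the two objects are embedded inline, reduced to the fields the audit needs, so it runs offline.

```python
# Added example (not from the Avi article): an offline audit of the step-1a
# ClusterRole and the ClusterRoleBinding defined above, run before applying
# them. The two objects are the page's, reduced to the fields used here and
# constructed inline so the script needs no cluster access.
from typing import Dict, List, Tuple

AVIROLE = {"metadata": {"name": "avirole"},
           "rules": [{"apiGroups": [""], "resources": ["*"],
                      "verbs": ["get", "list", "watch"]}]}
AVIROLEBINDING = {"roleRef": {"kind": "ClusterRole", "name": "avirole"},
                  "subjects": [{"kind": "ServiceAccount", "name": "avi",
                                "namespace": "default"}]}

# (apiGroup, resource, verb) triples worth a second look, because they
# expose every namespace's stored credentials to whoever holds the token.
SENSITIVE: List[Tuple[str, str, str]] = [
    ("", "secrets", "get"), ("", "secrets", "list"),
    ("", "secrets", "create"), ("", "secrets", "update"),
]


def rule_grants(rule: Dict, group: str, resource: str, verb: str) -> bool:
    """Kubernetes RBAC semantics: a rule matches only if apiGroups,
    resources and verbs all match, and "*" is a wildcard in each field."""
    return ((group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def role_grants(role: Dict, group: str, resource: str, verb: str) -> bool:
    """Rules are purely additive: any single matching rule grants access."""
    return any(rule_grants(r, group, resource, verb) for r in role["rules"])


def bound_identities(binding: Dict) -> List[str]:
    """Usernames the API server derives from the ServiceAccount subjects."""
    return [f"system:serviceaccount:{s['namespace']}:{s['name']}"
            for s in binding["subjects"] if s["kind"] == "ServiceAccount"]


def audit(role: Dict, binding: Dict) -> List[str]:
    """List each sensitive grant that reaches the bound identities."""
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        return [f"binding references {binding['roleRef']['name']}, "
                f"not {role['metadata']['name']}"]
    who = ", ".join(bound_identities(binding))
    return [f"{who} can {verb} {resource} in every namespace"
            for group, resource, verb in SENSITIVE
            if role_grants(role, group, resource, verb)]


if __name__ == "__main__":
    for finding in audit(AVIROLE, AVIROLEBINDING):
        print("FINDING:", finding)
```

Running it against the step-1a objects reports that the avi token can get and list secrets cluster-wide, which is the exposure to weigh when deciding where the extracted token is stored.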
Extract the Token for Use in Avi Cloud Configuration
Step 1. Describe the service account.
kubectl describe serviceaccount avi -n default
Name: avi
Namespace: default
Labels:
Mountable secrets: avi-token-emof0
Tokens: avi-token-emof0
Image pull secrets: avi-dockercfg-ea18k
Step 2. Extract the token.
kubectl describe secret avi-token-emof0 -n default
Name: avi-token-emof0
Namespace: default
Labels:
Annotations: kubernetes.io/service-account.name=avi
kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
Type: kubernetes.io/service-account-token
Data
====
namespace: 7 bytes
service-ca.crt: 2186 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
ca.crt: 1070 bytes
Step 3. Enter the token from the token field above while configuring the Kubernetes cloud on the Avi Controller.