Kubernetes Service Account for Avi Vantage Authentication

Beginning with release 16.3.4, in addition to client certificates, Avi Vantage supports Kubernetes service accounts and the corresponding token for authenticating with a Kubernetes cluster. This article describes the configuration workflow.

Create a Service Account

Create a service account named avi in the default namespace using the kubectl command.

kubectl create serviceaccount avi -n default

Create a Cluster Role

Use the clusterrole.json from step 1a when deploying Avi Service Engines as Docker containers via SSH. Deploying Avi Service Engines as pods requires additional privileges (creating, updating and deleting pods, replication controllers, secrets and daemonsets); use the clusterrole.json from step 1b in that case.

Step 1a. Create a clusterrole.json file with the content below when deploying Avi Service Engines as Docker containers via SSH.

{
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        }
    ]
}

Step 1b. Alternatively, create a clusterrole.json file with the content below when deploying Avi Service Engines as pods.

{
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "pods",
                "replicationcontrollers"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "delete",
                "update"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "secrets"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "delete",
                "update"
            ]
        },
        {
            "apiGroups": [
                "extensions"
            ],
            "resources": [
                "daemonsets"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        }
    ]
}

Step 2. Create the cluster role using the kubectl command.

kubectl create -f clusterrole.json
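Because the role is bound cluster-wide (next section), it is worth knowing exactly what a holder of the avi token can do. The following is an added example, not part of this article or of Avi Vantage: it encodes the rules from steps 1a and 1b as Python data and resolves the verbs granted on a given resource the way RBAC does (rules are additive, and "*" matches every resource in the listed API groups). Note that even the read-only role from step 1a can get, list and watch Secrets in every namespace, since "*" in the core API group includes secrets. The helper names (granted_verbs, write_grants) are this example's own. One caveat outside the article: rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; rbac.authorization.k8s.io/v1 accepts the same fields.

```python
# Added example (not part of the Avi article): audit of the ClusterRole rules
# from steps 1a and 1b, answering "what can a holder of the avi token do?".
# The rules are copied from the article; the helper names are this example's own.

READ = ["get", "list", "watch"]
READ_WRITE = READ + ["create", "delete", "update"]
WRITE_VERBS = {"create", "delete", "update", "patch", "deletecollection"}


def rule(api_groups, resources, verbs):
    return {"apiGroups": api_groups, "resources": resources, "verbs": verbs}


# Step 1a: Service Engines as Docker containers via SSH (read-only, but on "*").
ROLE_1A = {"rules": [rule([""], ["*"], READ)]}

# Step 1b: Service Engines as pods (adds write access to several resources).
ROLE_1B = {"rules": [
    rule([""], ["*"], READ),
    rule([""], ["pods", "replicationcontrollers"], READ_WRITE),
    rule([""], ["secrets"], READ_WRITE),
    rule(["extensions"], ["daemonsets"],
         ["create", "delete", "get", "list", "update", "watch"]),
]}


def rule_matches(r, api_group, resource):
    """True if an RBAC rule covers this (apiGroup, resource); "*" matches anything."""
    return (("*" in r["apiGroups"] or api_group in r["apiGroups"])
            and ("*" in r["resources"] or resource in r["resources"]))


def granted_verbs(role, api_group, resource):
    """Union of verbs the role grants on one resource. RBAC rules are purely
    additive (there is no deny rule), so every matching rule contributes."""
    verbs = set()
    for r in role["rules"]:
        if rule_matches(r, api_group, resource):
            verbs |= set(r["verbs"])
    return verbs


def write_grants(role):
    """Sorted (apiGroup, resource) pairs on which the role grants a write verb."""
    grants = set()
    for r in role["rules"]:
        if set(r["verbs"]) & WRITE_VERBS:
            for g in r["apiGroups"]:
                for res in r["resources"]:
                    grants.add((g, res))
    return sorted(grants)


if __name__ == "__main__":
    for name, role in (("1a", ROLE_1A), ("1b", ROLE_1B)):
        print(f"role {name}: secrets -> {sorted(granted_verbs(role, '', 'secrets'))}")
        print(f"role {name}: write grants -> {write_grants(role)}")
```

The same question can be put to a live cluster once the binding from the next section exists, for example with kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:default:avi, which is the quickest way to confirm the effective permissions before handing the token to the Avi Controller.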

Create Cluster Role Binding

Step 1. Create a clusterbinding.json file with the content below.

{
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "kind": "ClusterRoleBinding",
    "metadata": {
        "name": "avirolebinding",
        "namespace": "default"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "avirole"
    },
    "subjects": [
        {
            "kind": "ServiceAccount",
            "name": "avi",
            "namespace": "default"
        }
    ]
}

Step 2. Create the cluster role binding, which grants the previously created cluster role to the avi service account:

kubectl create -f clusterbinding.json

Extract the Token for Use in Avi Cloud Configuration

Step 1. Describe the service account.

kubectl describe serviceaccount avi -n default
Name:           avi
Namespace:      default
Labels:
Mountable secrets:      avi-token-emof0
Tokens:                 avi-token-emof0
Image pull secrets:     avi-dockercfg-ea18k

Step 2. Extract the token.

kubectl describe secret avi-token-emof0 -n default
Name:           avi-token-emof0
Namespace:      default
Labels:
Annotations:    kubernetes.io/service-account.name=avi
                kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
Type:   kubernetes.io/service-account-token
Data
====
namespace:      7 bytes
service-ca.crt: 2186 bytes
token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
ca.crt:         1070 bytes

Step 3. Enter the token from the token field above while configuring the Kubernetes cloud on the Avi Controller.
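The token copied in step 2 is a cluster-wide credential with every permission of avirole, and a secret of type kubernetes.io/service-account-token never expires: revoking it means deleting the Secret. Before pasting it into the Controller it is worth confirming which identity it actually names. The following is an added example, not part of this article or of Avi Vantage: it picks the token secret name out of the step 1 output and decodes the token's JWT claims to check that they belong to the avi service account in the default namespace. The claim names are those carried by secret-based service-account tokens; the sample token is constructed here with a placeholder signature, so the code deliberately does not verify signatures (only the API server can). The helper names (token_secret_names, check_token) are this example's own. One edge case outside the article: on clusters that no longer auto-create a token Secret per service account (Kubernetes 1.24 and later), the Tokens: line is empty, token_secret_names returns an empty list, and the Secret must be created explicitly.

```python
import base64
import json

# Added example (not part of the Avi article). Parses the `kubectl describe
# serviceaccount` output from step 1 and inspects the claims of a service-account
# token before it is pasted into the Avi Controller. The sample tokens below are
# constructed for this example; they were not issued by any API server.

# Constructed copy of the step 1 output.
DESCRIBE_SA = """\
Name:           avi
Namespace:      default
Labels:
Mountable secrets:      avi-token-emof0
Tokens:                 avi-token-emof0
Image pull secrets:     avi-dockercfg-ea18k
"""

NO_EXPIRY = ("no exp claim: a secret-based service-account token never expires; "
             "revoke it by deleting its Secret")


def token_secret_names(describe_output):
    """Secret names on the 'Tokens:' line (first line only; continuation lines
    listing additional tokens are not handled here). Empty list if none."""
    for line in describe_output.splitlines():
        if line.startswith("Tokens:"):
            return line.split(":", 1)[1].split()
    return []


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Decode the JWT payload. This does NOT verify the signature (only the API
    server can); the purpose is to see which identity the token names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, namespace, name):
    """Return a list of problems; empty means the token names the expected
    service account and carries an expiry."""
    claims = token_claims(token)
    expected_sub = f"system:serviceaccount:{namespace}:{name}"
    problems = []
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    if claims.get("kubernetes.io/serviceaccount/namespace") != namespace:
        problems.append(f"namespace claim is not {namespace!r}")
    if claims.get("kubernetes.io/serviceaccount/service-account.name") != name:
        problems.append(f"service-account.name claim is not {name!r}")
    if "exp" not in claims:
        problems.append(NO_EXPIRY)
    return problems


def _make_sample_token(claims):
    """Build a JWT-shaped string with a placeholder signature (constructed)."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims).encode())
    return f"{header}.{payload}.{enc(b'placeholder-signature')}"


# Claims in the shape of a kubernetes.io/service-account-token secret; the uid is
# the one shown in step 2 of the article.
SAMPLE_TOKEN = _make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "avi-token-emof0",
    "kubernetes.io/serviceaccount/service-account.name": "avi",
    "kubernetes.io/serviceaccount/service-account.uid": "97501aae-d910-11e6-ba01-005056b0a825",
    "sub": "system:serviceaccount:default:avi",
})

# A token for a different (constructed) service account, to show the mismatch report.
OTHER_TOKEN = _make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ci",
    "kubernetes.io/serviceaccount/service-account.name": "builder",
    "sub": "system:serviceaccount:ci:builder",
})

if __name__ == "__main__":
    print(token_secret_names(DESCRIBE_SA))
    print(check_token(SAMPLE_TOKEN, "default", "avi"))
    print(check_token(OTHER_TOKEN, "default", "avi"))
```

To feed a real token to check_token without copying it by hand from the describe output, kubectl get secret avi-token-emof0 -n default -o jsonpath='{.data.token}' | base64 -d prints the decoded value; kubectl describe secret already shows it decoded, as in step 2.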

Kubernetes token screen