Kubernetes Service Account for Avi Vantage Authentication

Beginning with release 16.3.4, in addition to client certificates, Avi Vantage supports Kubernetes service accounts and corresponding token for authentication with a Kubernetes cluster. This article describes the configuration workflow.

Create a Service Account

Create a service account named avi in the default namespace using kubectl command.

kubectl create serviceaccount avi -n default

Create a Cluster Role

Use the clusterrole.json from step 1a when deploying Avi Service Engines as a Docker container via SSH. Deploying Avi Service Engines as a pod requires additional privileges; in that case, use the clusterrole.json from step 1b.

Step 1a. Create a clusterrole.json file with the following content when deploying Avi Service Engines as a Docker container via SSH.

{
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        }
    ]
}

Step 1b. Alternatively, create a clusterrole.json file with the following content when deploying Avi Service Engines as a pod.

{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "pods",
                "replicationcontrollers"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "delete",
                "update"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "secrets"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "delete",
                "update"
            ]
        },
        {
            "apiGroups": [
                "apps"
            ],
            "resources": [
                "daemonsets"
            ],
            "verbs": [
                "*"
            ]
        },
        {
            "apiGroups": [
                "extensions"
            ],
            "resources": [
                "ingresses",
                "ingresses/status",
                "services/status"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        }
    ]
}

Step 2. Create the cluster role using the kubectl command.

kubectl create -f clusterrole.json

Create Cluster Role Binding

Step 1. Create a clusterbinding.json file with the following content.

{
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "kind": "ClusterRoleBinding",
    "metadata": {
        "name": "avirolebinding",
        "namespace": "default"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "avirole"
    },
    "subjects": [
        {
            "kind": "ServiceAccount",
            "name": "avi",
            "namespace": "default"
        }
    ]
}

Step 2. Create the cluster role binding, which binds the previously created cluster role to the avi service account:

kubectl create -f clusterbinding.json

Extract the Token for Use in Avi Cloud Configuration

Step 1. Describe the service account:

kubectl describe serviceaccount avi -n default
Name:           avi
Namespace:      default
Labels:
Mountable secrets:      avi-token-emof0
Tokens:                 avi-token-emof0
Image pull secrets:     avi-dockercfg-ea18k

Step 2. Extract the token:

kubectl describe secret avi-token-emof0 -n default
Name:           avi-token-emof0
Namespace:      default
Labels:
Annotations:    kubernetes.io/service-account.name=avi
                kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
Type:   kubernetes.io/service-account-token
Data
====
namespace:      7 bytes
service-ca.crt: 2186 bytes
token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
ca.crt:         1070 bytes

Step 3. Enter the value of the token field shown above when configuring the Kubernetes cloud on the Avi Controller.

Kubernetes token screen
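Before pasting the extracted token into the Controller, it is worth confirming that it really is a Kubernetes service-account token for avi in the default namespace. The following Python script is an added example, not part of the Avi documentation: it parses the token's JWT header and claims without verifying the signature (only the API server can do that), and the sample token is constructed with a placeholder signature so the script runs offline.

```python
import base64
import json


def _b64url(obj):
    # JWT segments are base64url-encoded JSON with the '=' padding stripped.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: header and claims follow the legacy
# kubernetes.io/service-account-token layout; the signature is a placeholder,
# so this token is not valid against any real cluster.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "avi-token-emof0",
        "kubernetes.io/serviceaccount/service-account.name": "avi",
        "kubernetes.io/serviceaccount/service-account.uid":
            "97501aae-d910-11e6-ba01-005056b0a825",
        "sub": "system:serviceaccount:default:avi",
    }),
    "PLACEHOLDER_SIGNATURE",
])


def _decode_segment(seg):
    # Restore the padding the JWT encoding strips, then decode the JSON.
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def inspect_sa_token(token, expect_name, expect_namespace):
    """Report whether the token's claims identify the expected service account.
    No signature verification is performed; this is an inspection aid only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {"ok": False, "subject": None, "problems": ["not a three-part JWT"]}
    header = _decode_segment(parts[0])
    claims = _decode_segment(parts[1])
    prefix = "kubernetes.io/serviceaccount/"
    name = claims.get(prefix + "service-account.name")
    ns = claims.get(prefix + "namespace")
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    if claims.get("iss") != "kubernetes/serviceaccount":
        problems.append("unexpected issuer %r" % claims.get("iss"))
    if (name, ns) != (expect_name, expect_namespace):
        problems.append("token is for %s/%s, expected %s/%s"
                        % (ns, name, expect_namespace, expect_name))
    return {"ok": not problems, "subject": claims.get("sub"), "problems": problems}


if __name__ == "__main__":
    print(inspect_sa_token(SAMPLE_TOKEN, "avi", "default"))
```

To check a real token, replace SAMPLE_TOKEN with the value of the token field from the kubectl describe secret output.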