OpenShift Service Account for Avi Vantage Authentication
Beginning with release 16.3.4, Avi Vantage supports OpenShift service accounts and corresponding token for authentication with an OpenShift cluster in addition to client certificates. This article describes the configuration workflow.
Create a Service Account for Avi
Step 1. Service Account Definition of Avi Service Account (sa.json)
{
"apiVersion": "v1",
"kind": "ServiceAccount",
"metadata": {
"name": "avi"
}
}Step 2. Create a Service Account
Use the OpenShift client using the above definition sa.json file.
>oc create -f sa.json
Create a Cluster Role
Use the OpenShift client using the below clusterrole.json file. Use this role when deploying Avi Service Engines as a Docker container via ssh.
>oc create -f clusterrole.json
{
"apiVersion": "v1",
"kind": "ClusterRole",
"metadata": {
"name": "avirole"
},
"rules": [
{
"verbs": ["get","list","watch"],
"resources": ["*"]
},
{
"verbs": ["patch","update"],
"resources": ["routes/status"]
}
]
}To provide additional privileges required for deploying Avi Service Engines as a Pod, create a cluster role with the OpenShift client using the below clusterrolesepod.json file.
>oc create -f clusterrolesepod.json
{
"apiVersion": "v1",
"kind": "ClusterRole",
"metadata": {
"name": "avirole"
},
"rules": [
{
"apiGroups": [
""
],
"resources": [
"*"
],
"verbs": [
"get",
"list",
"watch"
]
},
{
"apiGroups": [
""
],
"resources": [
"routes/status"
],
"verbs": [
"patch",
"update"
]
},
{
"apiGroups": [
""
],
"resources": [
"pods",
"secrets",
"securitycontextconstraints",
"serviceaccounts"
],
"verbs": [
"create",
"delete",
"get",
"list",
"update",
"watch"
]
},
{
"apiGroups": [
"extensions"
],
"resources": [
"daemonsets"
],
"verbs": [
"create",
"delete",
"get",
"list",
"update",
"watch"
]
}
]
}Add Created Cluster Role to Service Account
This is typically executed on the OpenShift master.
>oadm policy add-cluster-role-to-user avirole system:serviceaccount:default:avi
Extract Token for Use in Avi Cloud Configuration
Step 1. Describe the Service Account
>oc describe serviceaccount avi
>Name: avi
>Namespace: default
>Labels:
>Mountable secrets: avi-token-emof0
> avi-dockercfg-ea18k
>Tokens: avi-token-emof0
> avi-token-xk6sl
>Image pull secrets: avi-dockercfg-ea18kStep 2. Extract the Token
>oc describe secret avi-token-emof0
>Name: avi-token-emof0
>Namespace: default
>Labels:
>Annotations: kubernetes.io/service-account.name=avi
> kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
>Type: kubernetes.io/service-account-token
>Data
>====
>namespace: 7 bytes
>service-ca.crt: 2186 bytes
>token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
>ca.crt: 1070 bytesStep 3. Enter the token from the “token” field above while configuring an OpenShift cloud on the Avi Controller.
