OpenShift Service Account for Avi Vantage Authentication
Beginning with release 16.3.4, Avi Vantage can authenticate to an OpenShift cluster with an OpenShift service account and its token, in addition to client certificates. This article describes the configuration workflow: create the service account, create a cluster role with the privileges Avi needs, bind the role to the account, and extract the account's token for the Avi cloud configuration.
Create a Service Account for Avi
Step 1. Service Account Definition for the Avi Service Account (sa.json)
{
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "avi"
    }
}
Step 2. Create the Service Account
Create the service account with the OpenShift client from the sa.json file above. The definition carries no namespace, so the account is created in the current project; the cluster-role binding later in this article assumes that project is default.
>oc create -f sa.json
Create a Cluster Role
Create the cluster role with the OpenShift client from the clusterrole.json file below. Use this role when deploying Avi Service Engines as Docker containers over SSH. Note that its first rule grants read access (get, list and watch) on every resource in every project, which includes secrets, so the token extracted later in this article must be handled as a privileged credential.
>oc create -f clusterrole.json
{
    "apiVersion": "v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "verbs": ["get", "list", "watch"],
            "resources": ["*"]
        },
        {
            "verbs": ["patch", "update"],
            "resources": ["routes/status"]
        }
    ]
}
To provide the additional privileges required for deploying Avi Service Engines as Pods, create the cluster role from the clusterrolesepod.json file below instead. Both definitions use the name avirole, so create only the one that matches your deployment mode; if avirole already exists, oc create fails with an AlreadyExists error, and oc replace -f clusterrolesepod.json swaps in the new definition. This definition names the API groups explicitly: "" is the core group, and daemonsets are addressed through the extensions group. Its third rule grants create, update and delete on secrets, serviceaccounts and securitycontextconstraints in every project, which is a powerful grant (write access to SCCs can be used to escalate privileges), so restrict who can read the resulting token.
>oc create -f clusterrolesepod.json
{
    "apiVersion": "v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["*"],
            "verbs": ["get", "list", "watch"]
        },
        {
            "apiGroups": [""],
            "resources": ["routes/status"],
            "verbs": ["patch", "update"]
        },
        {
            "apiGroups": [""],
            "resources": ["pods", "secrets", "securitycontextconstraints", "serviceaccounts"],
            "verbs": ["create", "delete", "get", "list", "update", "watch"]
        },
        {
            "apiGroups": ["extensions"],
            "resources": ["daemonsets"],
            "verbs": ["create", "delete", "get", "list", "update", "watch"]
        }
    ]
}
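As an added example (not part of this article and not Avi's or OpenShift's own code), the following Python script expands both role definitions above into (apiGroup, resource, verb) grants, computes what the Service-Engine-as-Pod role adds on top of the SSH role, and flags the rules a reviewer would want to look at twice: wildcard resources, read or write access to secrets, and write access to SecurityContextConstraints. The role JSON is copied from this article; the audit rules, the finding names, and the treatment of a rule without apiGroups as the core group are this example's own assumptions.

```python
"""Audit what the two avirole ClusterRole definitions grant (added example)."""
import json

# The two ClusterRole definitions from the article, verbatim.
ROLE_SSH = json.loads('''{
  "apiVersion": "v1", "kind": "ClusterRole",
  "metadata": {"name": "avirole"},
  "rules": [
    {"verbs": ["get", "list", "watch"], "resources": ["*"]},
    {"verbs": ["patch", "update"], "resources": ["routes/status"]}
  ]
}''')

ROLE_SEPOD = json.loads('''{
  "apiVersion": "v1", "kind": "ClusterRole",
  "metadata": {"name": "avirole"},
  "rules": [
    {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["routes/status"], "verbs": ["patch", "update"]},
    {"apiGroups": [""],
     "resources": ["pods", "secrets", "securitycontextconstraints", "serviceaccounts"],
     "verbs": ["create", "delete", "get", "list", "update", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["daemonsets"],
     "verbs": ["create", "delete", "get", "list", "update", "watch"]}
  ]
}''')

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def grants(role):
    """Expand a role into a set of (apiGroup, resource, verb) triples.

    Assumption: a rule that omits apiGroups (as clusterrole.json does) is
    treated as addressing the core API group ""."""
    triples = set()
    for rule in role["rules"]:
        for group in rule.get("apiGroups", [""]):
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    triples.add((group, resource, verb))
    return triples


def added_privileges(base, extended):
    """Grants present in `extended` but not in `base`."""
    return grants(extended) - grants(base)


def audit(role):
    """Return sorted (rule_index, finding) pairs for rules worth a second look.

    Finding names are this example's own convention."""
    findings = []
    for idx, rule in enumerate(role["rules"]):
        groups = set(rule.get("apiGroups", [""]))
        resources = set(rule["resources"])
        verbs = set(rule["verbs"])
        core = "" in groups or "*" in groups          # secrets and SCCs live in the core group here
        if "*" in resources:
            findings.append((idx, "WILDCARD_RESOURCE"))
        if core and resources & {"*", "secrets"}:
            if verbs & (READ_VERBS | {"*"}):
                findings.append((idx, "SECRET_READ"))   # can read every secret in every project
            if verbs & (WRITE_VERBS | {"*"}):
                findings.append((idx, "SECRET_WRITE"))
        if core and resources & {"*", "securitycontextconstraints"} and verbs & (WRITE_VERBS | {"*"}):
            findings.append((idx, "SCC_WRITE"))         # can hand out privileged SCCs
    return sorted(findings)


if __name__ == "__main__":
    for name, role in (("clusterrole.json", ROLE_SSH), ("clusterrolesepod.json", ROLE_SEPOD)):
        print(name, audit(role))
    extra = added_privileges(ROLE_SSH, ROLE_SEPOD)
    print(len(extra), "additional (group, resource, verb) grants in the SE-as-Pod role")
```

Because the role is bound with add-cluster-role-to-user, every grant it lists applies in all projects, which is why a SECRET_READ finding on the very first rule matters even though the rule looks like harmless read-only access.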
Add the Created Cluster Role to the Service Account
Bind the cluster role to the service account. This is typically executed on the OpenShift master. The subject name encodes the project the service account was created in (default here); adjust it if you created the account in another project. Because this is a cluster-wide binding, the role's grants apply in every project, not only in default.
>oc adm policy add-cluster-role-to-user avirole system:serviceaccount:default:avi
Extract Token for Use in Avi Cloud Configuration
Step 1. Describe the Service Account
The describe output lists the token secrets that OpenShift generated for the account. The random suffixes (emof0, xk6sl and ea18k below) differ on every cluster; use the names your cluster shows.
>oc describe serviceaccount avi
    Name:               avi
    Namespace:          default
    Labels:
    Mountable secrets:  avi-token-emof0
                        avi-dockercfg-ea18k
    Tokens:             avi-token-emof0
                        avi-token-xk6sl
    Image pull secrets: avi-dockercfg-ea18k
Step 2. Extract the Token
Describe one of the token secrets; the token is a JWT signed by the OpenShift API server.
>oc describe secret avi-token-emof0
    Name:        avi-token-emof0
    Namespace:   default
    Labels:
    Annotations: kubernetes.io/service-account.name=avi
                 kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
    Type:        kubernetes.io/service-account-token
    Data
    ====
    namespace:      7 bytes
    service-ca.crt: 2186 bytes
    token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
    ca.crt:         1070 bytes
Step 3. Enter the value of the token field above when configuring an OpenShift cloud on the Avi Controller. This token carries every privilege of avirole across the cluster and does not expire on its own; it remains valid until the secret is deleted. Store and transmit it as you would a password.
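Before pasting a token into the Avi Controller it is worth confirming that it really belongs to the avi account in the expected project, since the describe output shows several secrets and a copy-and-paste mistake is easy to make. The following Python script is an added example, not part of this article and not Avi's or OpenShift's own code: it splits the JWT, decodes the claims without verifying the signature (the API server does that when the token is used), and compares the service-account claims with what you expect. The claim names and the RS256 algorithm match the header visible in the truncated token above; the sample tokens are constructed here with a dummy signature purely so the checks can run offline.

```python
"""Sanity-check an extracted OpenShift service-account token (added example)."""
import base64
import json

SA_CLAIM_PREFIX = "kubernetes.io/serviceaccount/"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_sa_token(token):
    """Split a JWT and return (header, claims) WITHOUT verifying the signature.

    Signature verification is the API server's job when the token is used;
    here we only want to read which account the token was issued to."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_sa_token(token, expected_sa="avi", expected_namespace="default"):
    """Return a list of problems; an empty list means the token belongs to the
    expected service account in the expected project."""
    try:
        header, claims = decode_sa_token(token)
    except ValueError as exc:  # bad segment count, bad base64 and bad JSON all land here
        return ["unparseable token: %s" % exc]
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r; service-account tokens are RS256" % header.get("alg"))
    if claims.get("iss") != "kubernetes/serviceaccount":
        problems.append("iss is %r; not a service-account token" % claims.get("iss"))
    name = claims.get(SA_CLAIM_PREFIX + "service-account.name")
    if name != expected_sa:
        problems.append("token is for service account %r, expected %r" % (name, expected_sa))
    namespace = claims.get(SA_CLAIM_PREFIX + "namespace")
    if namespace != expected_namespace:
        problems.append("token namespace is %r, expected %r" % (namespace, expected_namespace))
    expected_sub = "system:serviceaccount:%s:%s" % (expected_namespace, expected_sa)
    if claims.get("sub") != expected_sub:
        problems.append("sub is %r, expected %r" % (claims.get("sub"), expected_sub))
    return problems


def make_constructed_token(sa_name, namespace, secret_name):
    """Build a CONSTRUCTED token with the claim layout of an OpenShift service-account
    token and a dummy signature, only so the checks above can be exercised offline.
    A real token is signed with the API server's private key."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        SA_CLAIM_PREFIX + "namespace": namespace,
        SA_CLAIM_PREFIX + "secret.name": secret_name,
        SA_CLAIM_PREFIX + "service-account.name": sa_name,
        SA_CLAIM_PREFIX + "service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": "system:serviceaccount:%s:%s" % (namespace, sa_name),
    }
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    segments.append(_b64url_encode(b"dummy-signature-not-verifiable"))
    return ".".join(segments)


# Constructed sample tokens: the right one, and one belonging to a different account.
GOOD_TOKEN = make_constructed_token("avi", "default", "avi-token-emof0")
WRONG_SA_TOKEN = make_constructed_token("builder", "default", "builder-token-abcde")

if __name__ == "__main__":
    print("good token:", check_sa_token(GOOD_TOKEN) or "OK")
    print("wrong SA  :", check_sa_token(WRONG_SA_TOKEN))
    print("garbage   :", check_sa_token("not.a.jwt"))
```

To check a real token, pass the full value of the token field (never the truncated form shown in this article) to check_sa_token; an empty result means the token identifies system:serviceaccount:default:avi. Decoding tells you only who the token claims to be for; only the API server, which holds the signing key, can confirm it is genuine.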