Kubernetes Service Account for Avi Vantage Authentication

Overview

In addition to client certificates, Avi Vantage supports authenticating to a Kubernetes cluster with a Kubernetes service account and its bearer token. This article describes the configuration workflow: create the service account, grant it a cluster role through a cluster role binding, extract its token, and enter the token in the cloud configuration.

Creating a Service Account

Create a service account named avi in the default namespace using the kubectl command.


kubectl create serviceaccount avi -n default

Creating a Cluster Role

Save the following as clusterrole.json. This role is used when deploying Avi Service Engines as pods.


{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "pods",
                "replicationcontrollers"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "delete",
                "update"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "secrets"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "delete",
                "update"
            ]
        },
        {
            "apiGroups": [
                "apps"
            ],
            "resources": [
                "daemonsets"
            ],
            "verbs": [
                "*"
            ]
        },
        {
            "apiGroups": [
                "extensions"
            ],
            "resources": [
                "ingresses",
                "ingresses/status",
                "daemonsets"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "networking.k8s.io"
            ],
            "resources": [
                "ingresses",
                "ingresses/status"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "services/status"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "apps"
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        }
    ]
}

Starting with Avi Vantage release 18.2.x, this role enables deployment of SEs as pods in Kubernetes and lets the Avi Controller populate the ingress IP on the Kubernetes side (the ingresses/status and services/status permissions).

Note that the first rule grants get, list and watch on every core-group resource in every namespace, Secrets included, and the third rule additionally allows the account to create, update and delete Secrets cluster-wide. The token extracted below is therefore a cluster-level credential: store it only in the Avi cloud configuration, do not paste it into tickets or chat, and delete and recreate the token secret if it is ever exposed.

Note: Deploying Avi Service Engines in SSH mode has been deprecated. If SSH mode must still be used, remove the rules for the apps apiGroup from clusterrole.json shown above.

Create the cluster role using the kubectl command.


 kubectl create -f clusterrole.json
 

Creating Cluster Role Binding

  1. Create the clusterbinding.json file using the following code. A ClusterRoleBinding is cluster-scoped, so it carries no namespace of its own; the namespace belongs to the service account subject. The apiVersion is rbac.authorization.k8s.io/v1, matching the ClusterRole above (the older v1beta1 API was removed in Kubernetes 1.22).
    
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {
            "name": "avirolebinding"
        },
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": "avirole"
        },
        "subjects": [
            {
                "kind": "ServiceAccount",
                "name": "avi",
                "namespace": "default"
            }
        ]
    }
    
  2. Create the cluster role binding to add the previously created cluster role to the Avi service account.
    
    kubectl create -f clusterbinding.json
    

Using Token in Cloud Configuration

The Avi Controller authenticates to the cluster with the service account's bearer token, so the token must be extracted before the cloud can be configured. Follow the steps below to extract the token and use it in the cloud configuration.

Note: The steps below rely on the token Secret that Kubernetes versions before 1.24 create automatically for every service account. On Kubernetes 1.24 and later no such Secret is created; either create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: avi to obtain a long-lived token, or mint a time-bound token with kubectl create token avi -n default and plan to rotate it before it expires.

  1. Describe the service account.
    
    kubectl describe serviceaccount avi -n default
    Name:           avi
    Namespace:      default
    Labels:
    Mountable secrets:      avi-token-emof0
    Tokens:                 avi-token-emof0
    Image pull secrets:     avi-dockercfg-ea18k
    
  2. Extract the token.
    
    kubectl describe secret avi-token-emof0 -n default
    Name:           avi-token-emof0
    Namespace:      default
    Labels:
    Annotations:    kubernetes.io/service-account.name=avi
                    kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
    Type:   kubernetes.io/service-account-token
    Data
    ====
    namespace:      7 bytes
    service-ca.crt: 2186 bytes
    token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
    ca.crt:         1070 bytes
    
  3. When configuring the Kubernetes cloud on the Avi Controller, open the Edit Cloud screen and click Infrastructure.
  4. Select the Token option and enter the token in the Service Account Token field.
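The script below is an added example and is not part of the Avi documentation or Avi's own tooling. It ties the two halves of this procedure together: it decodes the payload of a service-account JWT like the one shown in step 2 to confirm that the sub claim names system:serviceaccount:default:avi (a quick way to catch pasting the wrong account's token into the cloud configuration) and to report whether the token carries an expiry, and, when AVI_LIVE_CHECK=1 is set and kubectl can reach the cluster, it impersonates the account with kubectl auth can-i to confirm that the ClusterRoleBinding from the previous section grants what the role above is meant to grant. The sample token is constructed inline with a fake signature, and the function names are this example's own. Decoding the payload locally does not verify the signature; only the API server can do that, so treat this as a sanity check, not as authentication.

```shell
#!/bin/sh
# Added example (not Avi's own tooling): sanity-check a Kubernetes service-account
# token before pasting it into the Avi cloud configuration, and optionally verify
# the RBAC grants from clusterrole.json / clusterbinding.json against a live cluster.

# base64url (RFC 7515): '+' and '/' become '-' and '_', and padding is dropped.
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_claims() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # restore the padding that base64url strips
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the value of one top-level string claim (e.g. sub).
# '|' is the sed delimiter because service-account claim names contain '/'.
jwt_claim() {
    jwt_claims "$1" | sed -n "s|.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# Succeed only if the token's subject is the expected service account.
token_matches_sa() {
    [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Legacy Secret-based tokens carry no exp claim and never expire; tokens minted
# with `kubectl create token` (the TokenRequest API) do.
token_has_expiry() {
    jwt_claims "$1" | grep -q '"exp"[[:space:]]*:'
}

# Constructed sample: the claims a legacy kubernetes.io/service-account-token
# Secret for the 'avi' account carries. The signature segment is fake.
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"avi-token-emof0","kubernetes.io/serviceaccount/service-account.name":"avi","sub":"system:serviceaccount:default:avi"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode).$(printf '%s' "$SAMPLE_CLAIMS" | b64url_encode).fake-signature"

# Impersonate the service account and ask the API server what it may do.
# Needs kubectl and cluster access; with the page's role every line should say "yes".
avi_rbac_live_check() {
    sa="system:serviceaccount:${1:-default}:${2:-avi}"
    for spec in "get pods" "list secrets" "create daemonsets.apps" "update ingresses.networking.k8s.io"; do
        set -- $spec    # word-split "<verb> <resource>" into $1 and $2
        printf '%-40s %s\n' "$spec" "$(kubectl auth can-i "$1" "$2" --all-namespaces --as="$sa" 2>&1)"
    done
}

# Offline demo on the constructed token.
printf 'subject:   %s\n' "$(jwt_claim "$SAMPLE_TOKEN" sub)"
printf 'namespace: %s\n' "$(jwt_claim "$SAMPLE_TOKEN" kubernetes.io/serviceaccount/namespace)"
if token_has_expiry "$SAMPLE_TOKEN"; then
    echo "token expires (exp claim present): plan its rotation"
else
    echo "token never expires: rotate it by deleting and recreating the Secret"
fi

# Live checks run only on request. To obtain the token to paste into Avi:
#   pre-1.24: kubectl get secret avi-token-emof0 -n default -o jsonpath='{.data.token}' | base64 -d
#   1.24+:    kubectl create token avi -n default   (time-bound; no Secret is auto-created)
if [ "${AVI_LIVE_CHECK:-0}" = 1 ]; then
    avi_rbac_live_check default avi
fi
```

Run it as-is to see the decoded claims of the constructed token; to check a real token, replace SAMPLE_TOKEN with the output of the kubectl command for your Kubernetes version, and set AVI_LIVE_CHECK=1 with a kubeconfig that can impersonate service accounts to confirm the binding is effective before saving the cloud.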