Kubernetes Service Account for Avi Vantage Authentication

Overview

In addition to client certificates, Avi Vantage supports authenticating to a Kubernetes cluster with a Kubernetes service account and its token. This article describes the configuration workflow: create the service account, grant it a cluster role, bind the two, and hand the resulting token to the Avi Controller.

Creating a Service Account

Create a service account named avi in the default namespace using the kubectl command.


kubectl create serviceaccount avi -n default

Creating a Cluster Role

Use clusterrole.json to define the permissions granted to the avi service account. The rules differ depending on whether the Avi Service Engines are deployed as Docker containers via SSH or as Kubernetes pods. Use apiVersion rbac.authorization.k8s.io/v1 for all RBAC objects; the v1beta1 API was removed in Kubernetes 1.22.

  1. When deploying Avi Service Engines as a Docker container via SSH, create clusterrole.json with the following content:
    
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {
            "name": "avirole"
        },
        "rules": [
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "*"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch"
                ]
            },
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "replicationcontrollers"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch",
                    "create",
                    "delete",
                    "update"
                ]
            },
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "services/status"
                ],
                "verbs": [
                    "patch",
                    "update"
                ]
            },
            {
                "apiGroups": [
                    "extensions"
                ],
                "resources": [
                    "ingresses/status"
                ],
                "verbs": [
                    "patch",
                    "update"
                ]
            }
        ]
    }
    

    In Kubernetes environments, read access to statefulsets is mandatory. Add the following element to the "rules" array of clusterrole.json, after the last existing rule (separate it from the previous rule with a comma):

    
    {
        "apiGroups": [
            "apps"
        ],
        "resources": [
            "*"
        ],
        "verbs": [
            "get",
            "list",
            "watch"
        ]
    }
    

    As written, this rule grants read access to every resource in the apps group (deployments, replicasets, daemonsets and statefulsets), not only statefulsets. Narrow "resources" to ["statefulsets"] if your policy calls for least privilege, and verify that the SEs still come up with the narrower grant.
    

    To deploy Avi Service Engines as pods, additional privileges are required. Use the following clusterrole.json instead:

    
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {
            "name": "avirole"
        },
        "rules": [
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "*"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch"
                ]
            },
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "pods",
                    "replicationcontrollers"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch",
                    "create",
                    "delete",
                    "update"
                ]
            },
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "secrets"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch",
                    "create",
                    "delete",
                    "update"
                ]
            },
            {
                "apiGroups": [
                    "apps"
                ],
                "resources": [
                    "daemonsets"
                ],
                "verbs": [
                    "*"
                ]
            },
            {
                "apiGroups": [
                    "extensions"
                ],
                "resources": [
                    "ingresses",
                    "ingresses/status"
                ],
                "verbs": [
                    "create",
                    "delete",
                    "get",
                    "list",
                    "update",
                    "watch"
                ]
            },
            {
                "apiGroups": [
                    ""
                ],
                "resources": [
                    "services/status"
                ],
                "verbs": [
                    "create",
                    "delete",
                    "get",
                    "list",
                    "update",
                    "watch"
                ]
            }
        ]
    }
    

Note: Starting with Avi Vantage release 18.2.x, this role enables deploying SEs as pods in Kubernetes and lets the ingress IP be populated on the Kubernetes side.

Check the API group of every rule before applying either role. Services and their status subresource belong to the core group (""), while Ingress was served from the extensions group before Kubernetes 1.19 and from networking.k8s.io since 1.19; the extensions group was removed in 1.22. A rule that lists a resource under a group that does not serve it is accepted by the API server but grants nothing, and the failure only shows up later as SEs that cannot update ingress or service status. On 1.22 and later clusters, put the ingress rule under networking.k8s.io, provided your Avi release supports that API. Note also that "resources": ["*"] matches every resource and subresource in the group, so the core-group wildcard above includes secrets and every pod subresource; replace it with an explicit list if your environment requires tighter privileges.

  2. Create the cluster role using the kubectl command.
    
    kubectl create -f clusterrole.json
    

Creating Cluster Role Binding

  1. Create the clusterbinding.json file using the following code. A ClusterRoleBinding is cluster-scoped, so a namespace in its own metadata is ignored; the namespace that matters is the subject's, here the avi service account in default:
    
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {
            "name": "avirolebinding"
        },
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": "avirole"
        },
        "subjects": [
            {
                "kind": "ServiceAccount",
                "name": "avi",
                "namespace": "default"
            }
        ]
    }
    
  2. Create the cluster role binding to add the previously created cluster role to the Avi service account.
    
    kubectl create -f clusterbinding.json
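
Once the binding exists, the permissions the avi service account actually holds can be confirmed from outside by impersonating it. The script below is an added example and not part of Avi's documentation or tooling. It assumes kubectl with a kubeconfig that is allowed to impersonate service accounts, and the two probe lists (verbs the SEs rely on under the pod-mode role above, and escalation paths that must stay denied) are assumptions chosen to fit that role rather than an Avi-published list; adjust them to the role you applied.

```shell
#!/bin/sh
# Added example, not Avi's own tooling: verify the effective permissions of
# the avi service account after the ClusterRoleBinding is applied, by asking
# the API server with impersonation. Requires kubectl and a kubeconfig that may
# impersonate service accounts. The probe lists are assumptions chosen to match
# the pod-mode role shown above; adjust them to the role you actually applied.

SA_USER="system:serviceaccount:default:avi"

# verb:resource[.group][/subresource] pairs the SEs depend on under the role.
EXPECTED_ALLOWED="get:pods list:services watch:endpoints create:replicationcontrollers update:services/status"

# Grants the role must never carry: each is a short path from this token to
# cluster admin, so a "yes" here means the wrong role or binding was applied.
EXPECTED_DENIED="create:clusterrolebindings.rbac.authorization.k8s.io escalate:clusterroles.rbac.authorization.k8s.io create:pods/exec impersonate:users"

# Ask the API server whether SA_USER may perform verb ($1) on resource ($2).
# kubectl auth can-i exits 0 for "yes" and 1 for "no"; -q suppresses the text.
can_i() {
    kubectl auth can-i "$1" "$2" --as="$SA_USER" -n default -q
}

# Probe every pair in list $1 and compare with the expected answer $2 (yes|no).
# Exit status is the number of mismatches, so 0 means every probe agreed.
probe() {
    mismatches=0
    for pair in $1; do
        verb=${pair%%:*}
        res=${pair#*:}
        if can_i "$verb" "$res"; then got=yes; else got=no; fi
        if [ "$got" = "$2" ]; then
            echo "ok    $verb $res -> $got"
        else
            echo "FAIL  $verb $res -> $got (expected $2)"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Run both probe lists; succeed only when every expectation holds.
check_rbac() {
    failures=0
    probe "$EXPECTED_ALLOWED" yes || failures=$((failures + $?))
    probe "$EXPECTED_DENIED" no || failures=$((failures + $?))
    [ "$failures" -eq 0 ]
}

# Full picture for a manual review, e.g. to spot the secrets read the wildcard grants.
show_grants() {
    kubectl auth can-i --list --as="$SA_USER" -n default
}

# Usage: sh check_avi_rbac.sh --run
if [ "${1:-}" = "--run" ]; then
    check_rbac
fi
```

The denied list is the part worth keeping even if the allowed list changes: a service account that can create ClusterRoleBindings, escalate ClusterRoles, exec into pods or impersonate users is effectively cluster-admin, and a mistaken binding to cluster-admin instead of avirole would pass every allowed probe while failing these.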
    

Using the Token in the Cloud Configuration

The cloud configuration needs the service account's token, which first has to be extracted. On clusters before Kubernetes 1.24, creating the service account automatically creates a Secret of type kubernetes.io/service-account-token holding a token that never expires; the steps below read that secret. On 1.24 and later no such secret is created: either create one yourself (a Secret of type kubernetes.io/service-account-token carrying the annotation kubernetes.io/service-account.name: avi) or request a bound, time-limited token with kubectl create token avi -n default. However it is obtained, the token authenticates as the avi service account with everything the cluster role grants, so handle it as a privileged credential: keep it out of shell history and tickets, and revoke a secret-based token by deleting its secret.

  1. Describe the service account.
    
    kubectl describe serviceaccount avi -n default
    Name:           avi
    Namespace:      default
    Labels:
    Mountable secrets:      avi-token-emof0
    Tokens:                 avi-token-emof0
    Image pull secrets:     avi-dockercfg-ea18k
    
  2. Extract the token from the secret listed under Tokens.
    
    kubectl describe secret avi-token-emof0 -n default
    Name:           avi-token-emof0
    Namespace:      default
    Labels:
    Annotations:    kubernetes.io/service-account.name=avi
                    kubernetes.io/service-account.uid=97501aae-d910-11e6-ba01-005056b0a825
    Type:   kubernetes.io/service-account-token
    Data
    ====
    namespace:      7 bytes
    service-ca.crt: 2186 bytes
    token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW… L7tPGrRJgmTbeFL9A
    ca.crt:         1070 bytes
    
  3. On the Avi Controller, open the Kubernetes cloud in the Edit Cloud screen and click Infrastructure.
  4. Select the Token option and paste the token into the Service Account Token field.
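
The token is the credential that ties the Controller to the cluster, so it is worth confirming what it actually is before pasting it in. The script below is an added example, not code from Avi or Kubernetes. It reads the token either from the legacy secret or via kubectl create token, decodes the JWT payload with base64 and sed (assuming GNU coreutils and the compact JSON that kube-apiserver emits), and checks that the sub claim names system:serviceaccount:default:avi and that a bound token has not already expired. The sample token it falls back to when run without arguments is constructed in the script with a dummy signature.

```shell
#!/bin/sh
# Added example, not Avi's own tooling: fetch the avi service account token
# and inspect its claims before pasting it into the Controller, so a token for
# the wrong account or namespace, or an already expired bound token, is caught
# early. Assumes GNU coreutils (base64 -d) and the compact JSON payload that
# kube-apiserver issues. The fetch_* helpers need kubectl and cluster access;
# the sample token is constructed here and never signed by a real cluster.

# Decode one base64url JWT segment (segments carry no '=' padding).
b64url_decode() {
    s=$(printf '%s' "$1" | sed 's/-/+/g; s/_/\//g')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Encode to base64url without padding or line wraps (used only for the sample).
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | sed 's/+/-/g; s/\//_/g'
}

# Print the token's payload (second dot-separated segment) as JSON.
sa_token_claims() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract string claim $2 from token $1, or a numeric claim when $3 is "num".
sa_token_claim() {
    if [ "${3:-}" = num ]; then
        sa_token_claims "$1" | sed -n "s|.*\"$2\":\([0-9]*\).*|\1|p"
    else
        sa_token_claims "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
    fi
}

# Succeed only if token $1 belongs to service account $3 in namespace $2 and,
# when it carries an exp claim (bound tokens do, legacy secret tokens do not),
# has not expired yet.
check_sa_token() {
    want="system:serviceaccount:$2:$3"
    got=$(sa_token_claim "$1" sub)
    if [ "$got" != "$want" ]; then
        echo "subject mismatch: token is for '$got', expected '$want'" >&2
        return 1
    fi
    exp=$(sa_token_claim "$1" exp num)
    if [ -n "$exp" ] && [ "$exp" -le "$(date +%s)" ]; then
        echo "token expired at epoch $exp" >&2
        return 2
    fi
    if [ -n "$exp" ]; then
        echo "bound token for $want, expires at epoch $exp"
    else
        echo "legacy token for $want, no expiry: revoke by deleting its secret"
    fi
}

# Before Kubernetes 1.24 the token lives in the secret listed on the service
# account; read it with jsonpath instead of copying it off describe output.
fetch_legacy_sa_token() {
    secret=$(kubectl get serviceaccount "$2" -n "$1" -o jsonpath='{.secrets[0].name}')
    [ -n "$secret" ] || return 1
    kubectl get secret "$secret" -n "$1" -o jsonpath='{.data.token}' | base64 -d
}

# From 1.24 on, request a bound token; the API server may shorten the requested
# duration, so check the exp claim the issued token actually carries.
fetch_bound_sa_token() {
    kubectl create token "$2" -n "$1" --duration="${3:-8760h}"
}

# Constructed sample: a legacy-style token for system:serviceaccount:default:avi
# with a dummy signature, so the checks above can be exercised offline.
sample_sa_token() {
    hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
    body=$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"avi","sub":"system:serviceaccount:default:avi"}')
    printf '%s.%s.%s' "$hdr" "$body" "$(b64url_encode not-a-real-signature)"
}

# Usage: sh check_sa_token.sh NAMESPACE NAME   (no arguments: offline sample)
if [ $# -eq 2 ]; then
    tok=$(fetch_legacy_sa_token "$1" "$2" 2>/dev/null || fetch_bound_sa_token "$1" "$2")
    check_sa_token "$tok" "$1" "$2"
else
    check_sa_token "$(sample_sa_token)" default avi
fi
```

Decoding the payload is deliberate: the Controller will accept any string in the Service Account Token field and only fail later with an authorization error, while the sub claim tells you immediately whether the token was minted for avi in default or for some other account whose secret happened to be listed first.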