OpenShift Service Account for Avi Vantage Authentication

Overview

Avi Vantage supports OpenShift service accounts and corresponding token for authentication with an OpenShift cluster in addition to client certificates. This article describes the configuration workflow.

Creating a Cluster Role

Create the cluster role with the OpenShift client, using the clusterrole.json file shown below. The same file can be used with OpenShift versions 3.x and 4.x.


oc create -f clusterrole.json

clusterrole.json (the original listing had a trailing comma, a curly quote and a missing closing bracket for the rules array; these are fixed here so the file parses):

{
    "apiVersion": "v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "avirole"
    },
    "rules": [
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "routes/status"
            ],
            "verbs": [
                "patch",
                "update"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "pods",
                "secrets",
                "securitycontextconstraints",
                "serviceaccounts"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "extensions"
            ],
            "resources": [
                "daemonsets",
                "ingresses"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "apps"
            ],
            "resources": [
                "*"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "route.openshift.io"
            ],
            "resources": [
                "routes",
                "routes/status"
            ],
            "verbs": [
                "get",
                "list",
                "update",
                "watch",
                "patch"
            ]
        },
        {
            "apiGroups": [
                ""
            ],
            "resources": [
                "services/status"
            ],
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "update",
                "watch"
            ]
        }
    ]
}

To use this with OpenShift 3.x only, remove the route.openshift.io and security.openshift.io API groups from the clusterrole shown above.

Note: Starting with Avi Vantage release 18.2.x, this role enables deployment of SEs as pods in OpenShift and enables the Egress IP to be populated on the OpenShift side.

The SSH mode of SE deployment has been deprecated, and we recommend deploying the Avi Service Engine as a pod. However, if you are still using the SSH mode, deploy the Avi Service Engine using this cluster role instead:


{
  "apiVersion": "v1",
  "kind": "ClusterRole",
  "metadata": {
    "name": "avirole"
  },
  "rules": [
  {
      "verbs": ["get","list","watch"],
      "resources": ["*"]
  },
  {
      "verbs": ["patch","update"],
      "resources": ["routes/status"]
  }
  ]
}

Adding Created Cluster Role to Service Account

This is typically executed on the OpenShift master. The command below binds the avirole cluster role to the service account named avi in the default namespace:

oc adm policy add-cluster-role-to-user avirole system:serviceaccount:default:avi

Extracting Token to use in Avi Cloud Configuration

  1. Use the following command to extract the token.

     oc serviceaccounts get-token avi

     The extracted token appears as shown below.

     oc serviceaccounts get-token avi
     eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....C9eGg2biAzXdbrO9KmVo2UvczWdGPRqNxzFaOH7_1NPAYBSyiiXrkDcUp_aucV0IHxHJro7-i3gQIhZ1RwXuT94ejUTMVqXjHKuIuAKhx3tZj0JH_VtZNfXOsTVBLin4n17jAdSiK4jd75rFo2Nb9dYXV4Y9ob4iStAQhrWXIj5NGehGFyi7xIN5-iY8bePE325oc6YA62BhW2q_J6OKniSCHpP30t_xz_VZY3IX_z3ehAsuPQJg20gct9PLoMVCpMujWn77QYxqWrARRU1gAsm90QODw0sKMXIQYdqTYN6XkQFv74ciXdfrR1tWiKH4u8-fkHuzD-2ADn8s53dOAg

  2. Specify the extracted token in the Service Account Token field while configuring an OpenShift cloud on the Avi Controller.

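Before the extracted token is stored in the Avi cloud configuration, it is worth confirming which identity it asserts and whether it ever expires. The following Python script is an added example, not part of this article or of the Avi product: it decodes the token's header and claims without verifying the signature, checks that the subject matches the service account bound above (assumed to be system:serviceaccount:default:avi, as in the add-cluster-role-to-user command), and reports whether an exp claim is present. The sample token is constructed inline with a dummy signature; its header segment is the same eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9 that starts the output above.

```python
import base64
import json

# Subject the binding in this article grants the role to (assumption: namespace default, account avi).
EXPECTED_SUBJECT = "system:serviceaccount:default:avi"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_jwt_unverified(token: str) -> tuple:
    """Split a JWT into (header, claims) without checking the signature. Verifying the
    RS256 signature needs the API server's public key; this only shows the asserted identity."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_service_account_token(token: str, expected_subject: str = EXPECTED_SUBJECT) -> dict:
    """Findings to review before the token is stored in the Avi cloud configuration."""
    header, claims = decode_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "subject_matches": claims.get("sub") == expected_subject,
        # Secret-backed service-account tokens carry no exp claim: they stay
        # valid until the backing secret is deleted, so rotation is a manual task.
        "has_expiry": "exp" in claims,
    }

# Constructed sample token using the claim names a secret-backed service-account
# token carries; the signature segment is a dummy, not a real RS256 signature.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": ""}),
    _b64url_encode({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "avi",
        "sub": "system:serviceaccount:default:avi",
    }),
    "dummy-signature",
])
```

Run check_service_account_token on the real output of oc serviceaccounts get-token avi; a subject mismatch or a missing namespace claim means the wrong account's token was extracted.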