If cluster protection fails from Object Storage Extension, the cluster owner can create a service account secret and add it to the service account by using the kubectl command-line tool.
Tip
- The kubectl command-line tool runs on Windows, macOS and Linux. To use kubectl to connect to your Kubernetes cluster, download the kubeconfig file to the local OS where kubectl is installed. If it's a Cloud Director Container Service Extension managed Kubernetes cluster, the kubeconfig file can be downloaded as described in the documentation, Kubernetes Container Clusters UI Plug-in for VMware Cloud Director.
- Organizing Cluster Access Using kubeconfig Files explains how to use kubeconfig with kubectl. The simplest way is to add the parameter --kubeconfig <kubeconfig file path> to each kubectl command.
- Make sure the OS where you run kubectl has network access to the Kubernetes cluster's control plane node IP. For a Cloud Director Container Service Extension managed Kubernetes cluster, you can find the Control Plane IP field on the cluster detail page.
1. Get the namespace for Velero, which is in the format velero-<uuid>, for instance velero-5d440c9f-3fa7-4634-a1a3-2e0aa35110e7.
    > kubectl get ns | grep velero
    velero-5d440c9f-3fa7-4634-a1a3-2e0aa35110e7   Active   42m
2. Print the service account to the console in YAML format.
    > kubectl -n <your-velero-ns> get sa ose-k8s-br -o yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: "2023-09-13T07:58:17Z"
      name: ose-k8s-br
      namespace: <your-velero-ns>
      resourceVersion: "656654"
      uid: 5dbaba2b-eb31-4bf2-b10d-ed71d7bc365b
3. Create a file secret.yaml with the content below. The ServiceAccount part should be taken from step 2.
    apiVersion: v1
    kind: Secret
    metadata:
      name: ose-k8s-br-secret
      namespace: <your-velero-ns>
      annotations:
        kubernetes.io/service-account.name: "ose-k8s-br"
    type: kubernetes.io/service-account-token
    ---
    <<insert-ServiceAccount-part-here>>
    secrets:
    - name: ose-k8s-br-secret
   A full sample looks like this:
    apiVersion: v1
    kind: Secret
    metadata:
      name: ose-k8s-br-secret
      namespace: <your-velero-ns>
      annotations:
        kubernetes.io/service-account.name: "ose-k8s-br"
    type: kubernetes.io/service-account-token
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: "2023-09-13T07:58:17Z"
      name: ose-k8s-br
      namespace: <your-velero-ns>
      resourceVersion: "656654"
      uid: 5dbaba2b-eb31-4bf2-b10d-ed71d7bc365b
    secrets:
    - name: ose-k8s-br-secret
4. Apply the service account secret.
    > kubectl apply -f secret.yaml
5. Try to protect the Kubernetes cluster from the Object Storage Extension UI again.
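
Steps 1 to 3 can be scripted so that the ServiceAccount part comes straight from the cluster instead of being pasted by hand. The script below is an added example, not part of the original documentation or of VMware's tooling; the function names pick_velero_ns and build_manifest are hypothetical, and the usage lines assume kubectl is already configured for the cluster.

```bash
#!/usr/bin/env bash
# Added example. Only ose-k8s-br and ose-k8s-br-secret come from the page;
# the function names are hypothetical.
SA_NAME="ose-k8s-br"
SECRET_NAME="ose-k8s-br-secret"

# pick_velero_ns: read `kubectl get ns` output on stdin and print the one
# velero-<uuid> namespace. Fails when none or more than one matches.
pick_velero_ns() {
  local matches
  matches=$(awk '{print $1}' |
    grep -Ex 'velero-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}') || true
  [ "$(printf '%s\n' "$matches" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$matches"
}

# build_manifest NS: read the ServiceAccount YAML from step 2 on stdin and
# print the two-document secret.yaml from step 3.
build_manifest() {
  local ns="$1" sa
  sa=$(cat)
  # Accept only the expected ServiceAccount object.
  printf '%s\n' "$sa" | grep -qx 'kind: ServiceAccount' || return 1
  printf '%s\n' "$sa" | grep -qx "  name: $SA_NAME" || return 1
  # An existing top-level secrets: list would become a duplicate YAML key.
  if printf '%s\n' "$sa" | grep -q '^secrets:'; then return 2; fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $ns
  annotations:
    kubernetes.io/service-account.name: "$SA_NAME"
type: kubernetes.io/service-account-token
---
$sa
secrets:
- name: $SECRET_NAME
EOF
}

# Usage against a cluster (steps 1 to 4):
#   ns=$(kubectl get ns | pick_velero_ns) &&
#   kubectl -n "$ns" get sa "$SA_NAME" -o yaml | build_manifest "$ns" > secret.yaml &&
#   kubectl apply -f secret.yaml
```

build_manifest returns 2 when the service account already lists secrets, in which case the manifest has to be edited by hand as in step 3.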