Issue with Role, RoleBinding and ServiceAccount templates in VIP Authentication Hub


Article ID: 379567


Products

VIP Authentication Hub

Issue/Introduction


When installing VIP Authentication Hub, how can the chart be prevented from deploying the Role, RoleBinding and ServiceAccount templates?

Resolution


An existing service account can be passed in to the chart instead of letting the chart create the Role, RoleBinding and ServiceAccount itself.

SSP (the dataseed and scheduler pods) MUST run as a service account that is allowed to create secrets in the SSP namespace.

The SSP chart is capable of creating the required ServiceAccount, Role and RoleBinding automatically. This requires that the operator who executes the deployment of the SSP chart has enough permissions to create the ServiceAccount, Role, RoleBinding and Secret described below.

To make the chart SKIP the creation of the Role, RoleBinding and ServiceAccount, create the objects below before running the SSP helm deployment command.

Kubernetes (K8S) commands to create the required SA token (${RELEASENAME} and ${NAMESPACE} are the helm release name and the SSP namespace):

Create a ServiceAccount:

# cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${RELEASENAME}-ssp-secrets-writer-sa
  namespace: ${NAMESPACE}
automountServiceAccountToken: false
EOF

Create a Kubernetes Role (in the SSP namespace):

# cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${RELEASENAME}-ssp-secrets-writer
  namespace: ${NAMESPACE}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list", "create", "update", "delete"]
EOF

Grant the Role to the Service account using a RoleBinding object:

# cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${RELEASENAME}-ssp-secrets-sa
  namespace: ${NAMESPACE}
subjects:
- kind: ServiceAccount
  name: ${RELEASENAME}-ssp-secrets-writer-sa
  namespace: ${NAMESPACE}
roleRef:
  kind: Role
  name: ${RELEASENAME}-ssp-secrets-writer
  apiGroup: rbac.authorization.k8s.io
EOF

Create a ServiceAccount Token Secret (name: ${RELEASENAME}-ssp-sa-secret):

# cat <<EOF | kubectl apply -f -
# Secret for ServiceAccount for token
apiVersion: v1
kind: Secret
metadata:
  name: ${RELEASENAME}-ssp-sa-secret
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: ${RELEASENAME}-ssp-secrets-writer-sa
type: kubernetes.io/service-account-token
EOF

During SSP's chart deployment, add the following parameter to SSP's helm deployment command:

--set ssp.global.existingDataseedSATokenSecret=<serviceAccountToken's secret name>

e.g.

  --set ssp.global.existingDataseedSATokenSecret=${RELEASENAME}-ssp-sa-secret
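Before running the helm command it is worth confirming that the objects above actually grant what the prerequisite demands: the SA must be able to create secrets in the SSP namespace, and nothing more. The following is an added example, not part of the article or the SSP chart; it is a minimal evaluator for the namespace-scoped Role/RoleBinding pair above, rendered with constructed placeholder values for RELEASENAME and NAMESPACE, that answers "may this ServiceAccount perform verb X on resource Y in namespace Z?" the way the API server's RBAC authorizer does for Roles.

```python
# Added example (not from the KB article or the SSP chart): evaluate the
# article's Role and RoleBinding for a given ServiceAccount, verb and resource.
RELEASENAME = "authhub"   # constructed placeholder values
NAMESPACE = "ssp"

# The Role and RoleBinding from the article, rendered with the values above.
ROLE = {
    "kind": "Role",
    "metadata": {"name": f"{RELEASENAME}-ssp-secrets-writer", "namespace": NAMESPACE},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "verbs": ["get", "watch", "list", "create", "update", "delete"]}],
}
ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": f"{RELEASENAME}-ssp-secrets-sa", "namespace": NAMESPACE},
    "subjects": [{"kind": "ServiceAccount",
                  "name": f"{RELEASENAME}-ssp-secrets-writer-sa", "namespace": NAMESPACE}],
    "roleRef": {"kind": "Role", "name": f"{RELEASENAME}-ssp-secrets-writer",
                "apiGroup": "rbac.authorization.k8s.io"},
}

def rule_matches(rule, verb, resource, api_group):
    """A rule grants the request only if verb, resource and API group all match ('*' is a wildcard)."""
    return all(want in allowed or "*" in allowed
               for want, allowed in ((verb, rule["verbs"]),
                                     (resource, rule["resources"]),
                                     (api_group, rule["apiGroups"])))

def can_i(sa_ns, sa_name, verb, resource, namespace, roles, bindings, api_group=""):
    """True if a RoleBinding in `namespace` names the ServiceAccount and its Role allows the request.
    A Role is namespace-scoped, so a binding in one namespace grants nothing in another."""
    for rb in bindings:
        if rb["metadata"]["namespace"] != namespace or rb["roleRef"]["kind"] != "Role":
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s["namespace"] == sa_ns for s in rb["subjects"]):
            continue
        role = next((r for r in roles if r["metadata"]["name"] == rb["roleRef"]["name"]
                     and r["metadata"]["namespace"] == namespace), None)
        if role and any(rule_matches(rule, verb, resource, api_group) for rule in role["rules"]):
            return True
    return False

def ssp_preflight(sa_ns=NAMESPACE, sa_name=f"{RELEASENAME}-ssp-secrets-writer-sa"):
    """The article's prerequisite: the SA must be able to create secrets in the SSP namespace."""
    return can_i(sa_ns, sa_name, "create", "secrets", NAMESPACE, [ROLE], [ROLEBINDING])
```

On a live cluster the same question is answered by `kubectl auth can-i create secrets -n ${NAMESPACE} --as=system:serviceaccount:${NAMESPACE}:${RELEASENAME}-ssp-secrets-writer-sa`, which should print `yes`, while the same command for `configmaps` or for another namespace should print `no`.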