Adding a user for monitoring TKG v1.24 or above with vROPS gives a token authentication expiration issue.

Article ID: 388321

Products

VMware vSphere Kubernetes Service

Issue/Introduction

When creating a user for TKG monitoring with vROPS, you see a token authentication expiration issue.

Prior to Kubernetes version 1.24, Secrets were automatically created with the Service Account. From Kubernetes version 1.24 and above, you must manually create Secrets.

Cause

Bearer-token access to resources in a cluster requires creating the following objects:

  • Service Account
  • Secret: associated with the Service Account; it holds the bearer token
  • ClusterRole: defines the access granted to the Kubernetes cluster
  • ClusterRoleBinding: binds the created Service Account to the defined ClusterRole

From Kubernetes version 1.24 onward, the token Secret is no longer generated automatically with the Service Account; unless it is created manually, the monitoring user has no long-lived bearer token.

Resolution

For Kubernetes version 1.24 and above, create the Secret manually together with the Service Account, as in the following sample YAML file:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: '*'
  name: vrops-read-only
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - nonResourceURLs:
      - /
    verbs:
      - get
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vrops-mp-read-only-user
  namespace: default
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: vrops-mp-read-only-user-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: "vrops-mp-read-only-user"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vrops-mp-read-only-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vrops-read-only
subjects:
  - kind: ServiceAccount
    name: vrops-mp-read-only-user
    namespace: default

After applying the YAML file with kubectl apply -f <file>.yaml, the following command prints the bearer token (the Secret lives in the default namespace, so the namespace is given explicitly):

kubectl get secret vrops-mp-read-only-user-token -n default -o jsonpath='{.data.token}' | base64 --decode
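As an added example (not part of this KB article or the management pack), the following Python decodes the payload of a service-account token taken from the Secret above and reports whether it is a long-lived legacy token (no exp claim, the kind the manually created Secret yields) or a bound token that expires; the tokens are constructed here with a dummy signature and placeholder uid, and no signature verification is performed.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)      # JWT segments omit '=' padding
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_from_secret_data(data_token: str) -> str:
    # .data.token as printed by kubectl jsonpath is standard base64 of the JWT.
    return base64.b64decode(data_token).decode()

def decode_jwt_payload(token: str) -> dict:
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def inspect_token(token: str, now=None) -> dict:
    """Summarise identity and lifetime claims; a missing exp means a legacy token."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "bound": exp is not None,
        "expired": exp is not None and exp <= now,
        "seconds_left": None if exp is None else int(exp - now),
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
    }

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample only: alg=none header and a dummy signature segment.
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"

# Constructed claims mirroring what the two token kinds carry (uid is a placeholder).
LEGACY_CLAIMS = {"iss": "kubernetes/serviceaccount",
                 "sub": "system:serviceaccount:default:vrops-mp-read-only-user",
                 "kubernetes.io/serviceaccount/namespace": "default",
                 "kubernetes.io/serviceaccount/secret.name": "vrops-mp-read-only-user-token",
                 "kubernetes.io/serviceaccount/service-account.name": "vrops-mp-read-only-user",
                 "kubernetes.io/serviceaccount/service-account.uid": "PLACEHOLDER-UID"}
BOUND_CLAIMS = {"iss": "https://kubernetes.default.svc.cluster.local", "aud": ["https://kubernetes.default.svc.cluster.local"],
                "sub": "system:serviceaccount:default:vrops-mp-read-only-user",
                "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600}
LEGACY_SECRET_DATA = base64.b64encode(make_unsigned_token(LEGACY_CLAIMS).encode()).decode()
```

Run inspect_token on the output of the kubectl command above to confirm the monitoring user received a legacy token rather than a short-lived bound one.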

Additional Information

For detailed information, see: https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations-for-integrations/2-2/vrealize--operations-management-pack--for-pack-for-kubernetes-2-2/configuring-vrealize-operations-management-pack-for-kubernetes.html