managed-serviceaccount

module v0.7.0
Published: Oct 21, 2024 License: Apache-2.0

README

Managed Service Account

What is Managed Service Account?

"Managed Service Account" is an OCM addon built on addon-framework that synchronizes ServiceAccounts to the managed clusters and collects the tokens of those local service accounts back into the hub cluster as Secret resources. The addon is helpful when you are:

  • Ensuring service account resources on the managed clusters without holding a kubeconfig for the managed cluster.
  • Accessing the kube API of the managed clusters from the hub cluster, which requires valid authentication tokens.
  • Homogenizing the client identity to a single service account when requesting the managed clusters' API.

The addon consists of two components, following the typical architecture of an OCM addon:

  • "Addon-Manager": automatically installs the addon agent, and the resources it requires, into the managed cluster.

  • "Addon-Agent": watches the "ManagedServiceAccount" API, periodically projects the service account token into the hub cluster as a Secret resource, and refreshes the token according to the rotation policy.

Install

Prerequisite
  • OCM registration (>= 0.5.0)
Steps

Install the addon via the Helm chart:

$ helm repo add ocm https://open-cluster-management.io/helm-charts/
$ helm repo update
$ helm search repo ocm/managed-serviceaccount
NAME                       	CHART VERSION	APP VERSION	DESCRIPTION                   
ocm/managed-serviceaccount  <...>       	1.0.0      	A Helm chart for Managed ServiceAccount Addon 
$ helm install \
    -n open-cluster-management-addon --create-namespace \
    managed-serviceaccount ocm/managed-serviceaccount

To confirm the installation status:

$ kubectl get managedclusteraddon -A | grep managed-serviceaccount
NAMESPACE        NAME                     AVAILABLE   DEGRADED   PROGRESSING
<your cluster>   managed-serviceaccount   True 

Usage

Apply a sample "ManagedServiceAccount" resource to try the functionality:

$ kubectl create -f - <<EOF
apiVersion: authentication.open-cluster-management.io/v1beta1
kind: ManagedServiceAccount
metadata:
  name: my-sample
  namespace: <your cluster>
spec:
  rotation: {}
EOF

The addon agent then processes the "ManagedServiceAccount" and reports its status:

...
  status:
    conditions:
    - lastTransitionTime: "2021-12-09T09:08:15Z"
      message: ""
      reason: TokenReported
      status: "True"
      type: TokenReported
    - lastTransitionTime: "2021-12-09T09:08:15Z"
      message: ""
      reason: SecretCreated
      status: "True"
      type: SecretCreated
    expirationTimestamp: "2022-12-04T09:08:15Z"
    tokenSecretRef:
      lastRefreshTimestamp: "2021-12-09T09:08:15Z"
      name: my-sample

The corresponding Secret containing the service account token is persisted in the same namespace as the "ManagedServiceAccount" resource. Note that this Secret is a bearer token for the managed cluster's API: anyone who can read Secrets in that hub namespace can act as the service account on the managed cluster, so scope hub-side RBAC on the namespace accordingly.

$ kubectl -n <your cluster> get secret my-sample  
NAME        TYPE     DATA   AGE
my-sample   Opaque   2      2m23s
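The README shows the status the agent reports and the Secret it writes, but not how a hub-side consumer should gate on them before using the token to reach the managed cluster's API (the use case listed above). The following Go program is an added example, not code from the managed-serviceaccount project: it parses the status shown above, refuses a token whose conditions are not both True or whose expirationTimestamp falls inside a safety margin, and assembles a kubeconfig from the Secret's contents. The Secret keys "ca.crt" and "token", the server URL https://managed.example:6443, the cluster name cluster1, and the placeholder PEM and token are assumptions and constructed data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// msaStatus mirrors the status fields the addon agent reports (see the sample above).
type msaStatus struct {
	Conditions []struct {
		Type   string `json:"type"`
		Status string `json:"status"`
	} `json:"conditions"`
	ExpirationTimestamp time.Time `json:"expirationTimestamp"`
}

// Constructed input: the status block shown above, as kubectl -o json would
// return it under .status (fields the struct does not declare are ignored).
const sampleStatusJSON = `{
  "conditions": [
    {"type": "TokenReported", "status": "True", "reason": "TokenReported"},
    {"type": "SecretCreated", "status": "True", "reason": "SecretCreated"}
  ],
  "expirationTimestamp": "2022-12-04T09:08:15Z",
  "tokenSecretRef": {"name": "my-sample", "lastRefreshTimestamp": "2021-12-09T09:08:15Z"}
}`

func loadStatus(raw string) (msaStatus, error) {
	var st msaStatus
	err := json.Unmarshal([]byte(raw), &st)
	return st, err
}

// tokenUsable returns nil only when both conditions are True and the reported
// expiry is at least margin after now; otherwise wait for the agent to refresh.
func tokenUsable(st msaStatus, now time.Time, margin time.Duration) error {
	ok := map[string]bool{}
	for _, c := range st.Conditions {
		ok[c.Type] = c.Status == "True"
	}
	for _, t := range []string{"TokenReported", "SecretCreated"} {
		if !ok[t] {
			return fmt.Errorf("condition %s is not True", t)
		}
	}
	if !st.ExpirationTimestamp.After(now.Add(margin)) {
		return fmt.Errorf("token expires at %s, less than %s from now", st.ExpirationTimestamp.Format(time.RFC3339), margin)
	}
	return nil
}

// kubeconfigFor renders a kubeconfig that reaches the managed cluster's API
// server from the hub with the collected token. The Secret keys "ca.crt" and
// "token" and the server URL are assumptions, not taken from the README.
func kubeconfigFor(cluster, server string, data map[string][]byte) (string, error) {
	ca, token := data["ca.crt"], data["token"]
	if len(ca) == 0 || len(token) == 0 {
		return "", errors.New(`secret must carry "ca.crt" and "token"`)
	}
	return fmt.Sprintf(`apiVersion: v1
kind: Config
clusters:
- name: %[1]s
  cluster: {server: %[2]s, certificate-authority-data: %[3]s}
users:
- name: %[1]s-msa
  user: {token: %[4]s}
contexts:
- name: %[1]s
  context: {cluster: %[1]s, user: %[1]s-msa}
current-context: %[1]s
`, cluster, server, base64.StdEncoding.EncodeToString(ca), token), nil
}

// sampleSecretData stands in for the decoded .data of the my-sample Secret
// (kubectl shows these base64-encoded); placeholder PEM and constructed token.
func sampleSecretData() map[string][]byte {
	return map[string][]byte{
		"ca.crt": []byte("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"),
		"token":  []byte("constructed-demo-token"),
	}
}

func main() {
	st, err := loadStatus(sampleStatusJSON)
	if err != nil {
		panic(err)
	}
	// Fixed clock so the demo is reproducible; a controller would use time.Now().
	if err := tokenUsable(st, time.Date(2021, 12, 10, 0, 0, 0, 0, time.UTC), 24*time.Hour); err != nil {
		fmt.Println("not ready:", err)
		return
	}
	cfg, err := kubeconfigFor("cluster1", "https://managed.example:6443", sampleSecretData())
	if err != nil {
		panic(err)
	}
	fmt.Print(cfg)
}
```

In a real controller the status and Secret come from client-go or the generated clientset under pkg/generated, and expirationTimestamp should be re-checked on every use, since the agent refreshes the token according to the rotation policy rather than leaving it static.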

Directories

Path Synopsis
apis
authentication/v1alpha1
+k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:defaulter-gen=TypeMeta +groupName=authentication.open-cluster-management.io
authentication/v1beta1
Package v1beta1 contains API Schema definitions for the authentication v1beta1 API group +kubebuilder:object:generate=true +groupName=authentication.open-cluster-management.io
cmd
e2e
pkg
generated/clientset/versioned/fake
This package has the automatically generated fake clientset.
generated/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
generated/clientset/versioned/typed/authentication/v1alpha1
This package has the automatically generated typed clients.
generated/clientset/versioned/typed/authentication/v1alpha1/fake
Package fake has the automatically generated clients.
generated/clientset/versioned/typed/authentication/v1beta1
This package has the automatically generated typed clients.
generated/clientset/versioned/typed/authentication/v1beta1/fake
Package fake has the automatically generated clients.