Chapter 7. Enabling ManagedServiceAccount add-ons (Technology Preview)
When you install the multicluster engine for Kubernetes operator, the ManagedServiceAccount
add-on is disabled by default. This component when enabled allows you to create or delete a service account on a managed cluster.
Required access: Editor
When a ManagedServiceAccount
custom resource is created in the <managed_cluster>
namespace on the hub cluster, a ServiceAccount
is created on the managed cluster.
A TokenRequest
is made with the ServiceAccount
on the managed cluster to the Kubernetes API server on the managed cluster. The token is then stored in a Secret
in the <target_managed_cluster>
namespace on the hub cluster.
Note: The token can expire and be rotated. See TokenRequest for more information about token requests.
7.1. Prerequisites
- Red Hat OpenShift Container Platform version 4.9 or later must be deployed in your environment, and you must be logged in with the command line interface (CLI).
- You need the multicluster engine for Kubernetes operator installed.
7.2. Enabling ManagedServiceAccount
To enable a Managed-ServiceAccount
add-on for a hub cluster and a managed cluster, complete the following steps:
-
Enable the
ManagedServiceAccount
add-on on hub cluster. See Advanced configuration to learn more. Deploy the
ManagedServiceAccount
add-on and apply it to your target managed cluster. Create the following YAML file and replacetarget_managed_cluster
with the name of the managed cluster where you are applying theManaged-ServiceAccount
add-on:apiVersion: addon.open-cluster-management.io/v1alpha1 kind: ManagedClusterAddOn metadata: name: managed-serviceaccount namespace: <target_managed_cluster> spec: installNamespace: open-cluster-management-agent-addon
Run the following command to apply the file:
oc apply -f -
You have now enabled the
Managed-ServiceAccount
plugin for your managed cluster. See the following steps to configure aManagedServiceAccount
.Create a
ManagedServiceAccount
custom resource with the following YAML source:apiVersion: authentication.open-cluster-management.io/v1alpha1 kind: ManagedServiceAccount metadata: name: <managed_serviceaccount_name> namespace: <target_managed_cluster> spec: rotation: {}
-
Replace
managed_serviceaccount_name
with the name of yourManagedServiceAccount
. -
Replace
target_managed_cluster
with the name of the managed cluster to which you are applying theManagedServiceAccount
.
-
Replace
To verify, view the
tokenSecretRef
attribute in theManagedServiceAccount
object status to find the secret name and namespace. Run the following command with your account and cluster name:oc get managedserviceaccount <managed_serviceaccount_name> -n <target_managed_cluster> -o yaml
View the
Secret
containing the retrieved token that is connected to the createdServiceAccount
on the managed cluster. Run the following command:oc get secret <managed_serviceaccount_name> -n <target_managed_cluster> -o yaml