KubeConfig Authentication
This page describes authenticating to the Trilio Management Console via a KubeConfig file
The TVK UI supports authentication through kubeconfig files (token, certificate, auth-provider, etc.). As a result, any user of the Kubernetes cluster can log into the UI, view information, and perform operations within the permissions granted to them by the cluster's RBAC configuration.
[Image: TrilioVault for Kubernetes login screen]

'Exec' or 'Auth Provider' flags in Kubeconfig

Some Kubernetes clusters use a cloud-specific exec action or an auth-provider configuration inside the kubeconfig file to fetch the authentication token. Since the binaries for that cloud service may not be available on the system where the user provides the kubeconfig file, TVK may not be able to fetch the token and populate it in the kubeconfig.
To support authentication for these cloud providers, follow the steps below to create a custom kubeconfig file consisting of a service account token and the cluster data.

Create a Service Account

To create a service account on Kubernetes, use kubectl and a service account spec. Create a YAML file named sa.yaml that looks like the one below:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: svcs-acct-dply # any name you'd like

Create the service account:

    kubectl create -f sa.yaml

Fetch the name of the secret used by the service account:

    kubectl describe serviceAccounts svcs-acct-dply

    Name:                svcs-acct-dply
    Namespace:           default
    Labels:              <none>
    Annotations:         <none>

    Image pull secrets:  <none>
    Mountable secrets:   svcs-acct-dply-token-h6pdj
    Tokens:              svcs-acct-dply-token-h6pdj

Fetch the token from the secret:

    kubectl describe secrets svcs-acct-dply-token-h6pdj

    Name:         svcs-acct-dply-token-h6pdj
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name=svcs-acct-dply
                  kubernetes.io/service-account.uid=c2117d8e-3c2d-11e8-9ccd-42010a8a012f

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1115 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNoaXBwYWJsZS1kZXBsb3ktdG9rZW4tN3Nwc2oiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic2hpcHBhYmxlLWRlcGxveSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImMyMTE3ZDhlLTNjMmQtMTFlOC05Y2NkLTQyMDEwYThhMDEyZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnNoaXBwYWJsZS1kZXBsb3kifQ.ZWKrKdpK7aukTRKnB5SJwwov6PjaADT-FqSO9ZgJEg6uUVXuPa03jmqyRB20HmsTvuDabVoK7Ky7Uug7V8J9yK4oOOK5d0aRRdgHXzxZd2yO8C4ggqsr1KQsfdlU4xRWglaZGI4S31ohCApJ0MUHaVnP5WkbC4FiTZAQ5fO_LcCokapzCLQyIuD5Ksdnj5Ad2ymiLQQ71TUNccN7BMX5aM4RHmztpEHOVbElCWXwyhWr3NR1Z1ar9s5ec6iHBqfkp_s8TvxPBLyUdy9OjCWy3iLQ4Lt4qpxsjwE4NE7KioDPX2Snb6NWFK7lvldjYX4tdkpWdQHBNmqaD8CuVCRdEQ

Get the certificate info for the cluster

Every cluster has a certificate authority (CA) certificate that clients use to verify the API server's TLS certificate. Fetch the current cluster definition, including that CA data, and write it to a file by running the following commands:

    kubectl config view --flatten --minify > cluster-cert.txt
    cat cluster-cert.txt

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDekNDQWZPZ0F3SUJBZ0lRZmo4VVMxNXpuaGRVbG15a3AvSVFqekFOQmdrcWhraUc5dzBCQVFzRkFEQXYKTVMwd0t3WURWUVFERXlSaVl6RTBOelV5WXkwMk9UTTFMVFExWldFdE9HTmlPUzFrWmpSak5tUXlZemd4TVRndwpIaGNOTVRnd05EQTVNVGd6TVRReVdoY05Nak13TkRBNE1Ua3pNVFF5V2pBdk1TMHdLd1lEVlFRREV5UmlZekUwCk56VXlZeTAyT1RNMUxUUTFaV0V0T0dOaU9TMWtaalJqTm1ReVl6Z3hNVGd3Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURIVHFPV0ZXL09odDFTbDBjeUZXOGl5WUZPZHFON1lrRVFHa3E3enkzMApPUEQydUZyNjRpRXRPOTdVR0Z0SVFyMkpxcGQ2UWdtQVNPMHlNUklkb3c4eUowTE5YcmljT2tvOUtMVy96UTdUClI0ZWp1VDl1cUNwUGR4b0Z1TnRtWGVuQ3g5dFdHNXdBV0JvU05reForTC9RN2ZpSUtWU01SSnhsQVJsWll4TFQKZ1hMamlHMnp3WGVFem5lL0tsdEl4NU5neGs3U1NUQkRvRzhYR1NVRzhpUWZDNGYzTk4zUEt3Wk92SEtRc0MyZAo0ajVyc3IwazNuT1lwWDFwWnBYUmp0cTBRZTF0RzNMVE9nVVlmZjJHQ1BNZ1htVndtejJzd2xPb24wcldlRERKCmpQNGVqdjNrbDRRMXA2WXJBYnQ1RXYzeFVMK1BTT2ROSlhadTFGWWREZHZyQWdNQkFBR2pJekFoTUE0R0ExVWQKRHdFQi93UUVBd0lDQkRBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCQwpHWWd0R043SHJpV2JLOUZtZFFGWFIxdjNLb0ZMd2o0NmxlTmtMVEphQ0ZUT3dzaVdJcXlIejUrZ2xIa0gwZ1B2ClBDMlF2RmtDMXhieThBUWtlQy9PM2xXOC9IRmpMQVZQS3BtNnFoQytwK0J5R0pFSlBVTzVPbDB0UkRDNjR2K0cKUXdMcTNNYnVPMDdmYVVLbzNMUWxFcXlWUFBiMWYzRUM3QytUamFlM0FZd2VDUDNOdHJMdVBZV2NtU2VSK3F4TQpoaVRTalNpVXdleEY4cVV2SmM3dS9UWTFVVDNUd0hRR1dIQ0J2YktDWHZvaU9VTjBKa0dHZXJ3VmJGd2tKOHdxCkdsZW40Q2RjOXJVU1J1dmlhVGVCaklIYUZZdmIxejMyVWJDVjRTWUowa3dpbHE5RGJxNmNDUEI3NjlwY0o1KzkKb2cxbHVYYXZzQnYySWdNa1EwL24KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
        server: https://35.203.181.169
      name: gke_jfrog-200320_us-west1-a_cluster
    contexts:
    - context:
        cluster: gke_jfrog-200320_us-west1-a_cluster
        user: gke_jfrog-200320_us-west1-a_cluster
      name: gke_jfrog-200320_us-west1-a_cluster
    current-context: gke_jfrog-200320_us-west1-a_cluster
    kind: Config
    preferences: {}
    users:
    - name: gke_jfrog-200320_us-west1-a_cluster
      user:
        auth-provider:
          config:
            access-token: ya29.Gl2YBba5duRR8Zb6DekAdjPtPGepx9Em3gX1LAhJuYzq1G4XpYwXTS_wF4cieZ8qztMhB35lFJC-DJR6xcB02oXXkiZvWk5hH4YAw1FPrfsZWG57x43xCrl6cvHAp40
            cmd-args: config config-helper --format=json
            cmd-path: /Users/ambarish/google-cloud-sdk/bin/gcloud
            expiry: 2018-04-09T20:35:02Z
            expiry-key: '{.credential.token_expiry}'
            token-key: '{.credential.access_token}'
          name: gcp
Copy two pieces of information from the output above: certificate-authority-data and server.

Create a kubeconfig file

From the steps above, you should have the following pieces of information:
  • token
  • certificate-authority-data
  • server
Create a file called sa-config and paste the following content into it:

    apiVersion: v1
    kind: Config
    users:
    - name: svcs-acct-dply
      user:
        token: <replace this with token info>
    clusters:
    - cluster:
        certificate-authority-data: <replace this with certificate-authority-data info>
        server: <replace this with server info>
      name: self-hosted-cluster
    contexts:
    - context:
        cluster: self-hosted-cluster
        user: svcs-acct-dply
      name: svcs-acct-context
    current-context: svcs-acct-context

Replace the placeholders above with the information gathered so far:
  • replace the token
  • replace the certificate-authority-data
  • replace the server
You can then either export the created kubeconfig file (via the KUBECONFIG environment variable) or move/copy it to $HOME/.kube/.
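The assembly described in the steps above, as an added example that is not part of the Trilio documentation: the script takes the three pieces (token, certificate-authority-data, server), checks that the server is an https URL, that the CA data is base64 of a PEM certificate, and that the token's JWT subject names the intended service account, then renders an sa-config file in the same shape as the template above. The inputs it ships with (a placeholder PEM, an unsigned JWT, the server https://10.0.0.1:6443) are constructed for illustration. It only decodes the token's claims and does not verify the signature; that is the API server's job. It also does not care where the token came from, which matters on Kubernetes 1.24 and later, where a token secret is no longer created automatically for a service account and the token is usually obtained with `kubectl create token` instead.

```python
import base64
import json

# Constructed sample inputs for illustration only (not the page's real values):
# a placeholder PEM, a non-routable server URL, and an UNSIGNED JWT whose
# claims mirror those of a Kubernetes service-account token.
SAMPLE_NAMESPACE = "default"
SAMPLE_SA = "svcs-acct-dply"
SAMPLE_SERVER = "https://10.0.0.1:6443"
_SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_CA_DATA = base64.b64encode(_SAMPLE_PEM.encode()).decode()


def _b64url(raw: bytes) -> str:
    """base64url without padding, as used inside JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(namespace: str = SAMPLE_NAMESPACE, name: str = SAMPLE_SA) -> str:
    """Build a structurally valid, unsigned JWT carrying service-account claims."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.constructed-signature"  # signature is a placeholder


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified here;
    only the API server can do that. This is just to see which identity the
    token names before it is pasted into a kubeconfig."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_inputs(token: str, ca_data: str, server: str,
                    namespace: str, sa_name: str) -> list:
    """Return a list of problems; an empty list means the three pieces look sane."""
    problems = []
    if not server.startswith("https://"):
        problems.append("server must be an https:// URL")
    try:
        pem = base64.b64decode(ca_data, validate=True).decode()
        if "-----BEGIN CERTIFICATE-----" not in pem:
            problems.append("certificate-authority-data does not decode to a PEM certificate")
    except (ValueError, UnicodeDecodeError):
        problems.append("certificate-authority-data is not valid base64")
    try:
        sub = decode_jwt_claims(token).get("sub", "")
    except ValueError as exc:
        problems.append(f"token: {exc}")
    else:
        expected = f"system:serviceaccount:{namespace}:{sa_name}"
        if sub != expected:
            problems.append(f"token subject {sub!r} is not {expected!r}")
    return problems


def render_kubeconfig(token: str, ca_data: str, server: str, namespace: str,
                      sa_name: str, cluster_name: str = "self-hosted-cluster",
                      context_name: str = "svcs-acct-context") -> str:
    """Render the kubeconfig in the same shape as the sa-config template above."""
    problems = validate_inputs(token, ca_data, server, namespace, sa_name)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        "apiVersion: v1\n"
        "kind: Config\n"
        "users:\n"
        f"- name: {sa_name}\n"
        "  user:\n"
        f"    token: {token}\n"
        "clusters:\n"
        "- cluster:\n"
        f"    certificate-authority-data: {ca_data}\n"
        f"    server: {server}\n"
        f"  name: {cluster_name}\n"
        "contexts:\n"
        "- context:\n"
        f"    cluster: {cluster_name}\n"
        f"    user: {sa_name}\n"
        f"  name: {context_name}\n"
        f"current-context: {context_name}\n"
    )


if __name__ == "__main__":
    # Redirect stdout to sa-config to produce the file used for the UI login.
    print(render_kubeconfig(make_sample_token(), SAMPLE_CA_DATA, SAMPLE_SERVER,
                            SAMPLE_NAMESPACE, SAMPLE_SA), end="")
```

For a real cluster, replace the constructed token, CA data and server with the values gathered in the steps above; the checks are the ones worth running before a login attempt fails with an opaque TLS or 401 error.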

Create ClusterRole and ClusterRoleBinding

After you have your kubeconfig file ready and exported or moved to .kube/config, create a ClusterRoleBinding that binds the service account created in the steps above to a ClusterRole.

Minimal ClusterRole for UI access

The role should have the minimum permissions required to access TVK:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: svcs-role
    rules:
    - apiGroups: ["triliovault.trilio.io"]
      resources: ["*"]
      verbs: ["get", "list"]
    - apiGroups: ["triliovault.trilio.io"]
      resources: ["policies"]
      verbs: ["create"]
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: sample-clusterrolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: svcs-role
    subjects:
    - kind: ServiceAccount
      name: svcs-acct-dply
      namespace: default
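To see what the minimal ClusterRole above actually grants, here is an added example (not Trilio's code) that evaluates the role's rules with the matching semantics Kubernetes RBAC uses: a rule permits a request when its apiGroups, resources and verbs lists each contain the requested value or "*". The rules are copied from the svcs-role manifest; the resource names "backups" and "secrets" used in the report are assumed for illustration, and resourceNames and subresources are deliberately not modelled.

```python
# Rules copied from the svcs-role ClusterRole above, as Python data.
SVCS_ROLE_RULES = [
    {"apiGroups": ["triliovault.trilio.io"], "resources": ["*"], "verbs": ["get", "list"]},
    {"apiGroups": ["triliovault.trilio.io"], "resources": ["policies"], "verbs": ["create"]},
]

MUTATING_VERBS = ("create", "update", "patch", "delete", "deletecollection")


def _matches(allowed: list, wanted: str) -> bool:
    """RBAC list matching: an explicit entry or the "*" wildcard grants the value."""
    return "*" in allowed or wanted in allowed


def is_allowed(rules: list, api_group: str, resource: str, verb: str) -> bool:
    """True if any rule grants the (group, resource, verb) triple. Rules are
    purely additive, so one matching rule is enough. The core API group is ""."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def write_verbs(rules: list, api_group: str, resource: str) -> set:
    """The mutating verbs a role grants on a resource. For a read-mostly UI role
    this should be empty everywhere except where writes are intended."""
    return {v for v in MUTATING_VERBS if is_allowed(rules, api_group, resource, v)}


def least_privilege_report(rules: list, api_group: str, resources: list) -> dict:
    """Map each resource to the sorted list of mutating verbs the role grants on it,
    so a reviewer can spot unintended write access at a glance."""
    return {res: sorted(write_verbs(rules, api_group, res)) for res in resources}


if __name__ == "__main__":
    # "backups" is an assumed resource name used only to exercise the wildcard rule.
    for res, verbs in least_privilege_report(
            SVCS_ROLE_RULES, "triliovault.trilio.io", ["backups", "policies"]).items():
        print(f"{res}: writes={verbs or 'none'}")
```

Running it shows that the role allows only "create" on policies and no writes elsewhere, and that nothing outside the triliovault.trilio.io group (such as core Secrets) is reachable, which is the property the "minimal" claim rests on.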
You can now log in to the UI using this kubeconfig.