Authentication for OpenShift/Kubernetes

In this document, we will create an authKey that will give Pliant cluster-admin access on an OpenShift Kubernetes cluster for use with the Kubernetes Pliant blocks.

Prerequisites:

  • The cluster API must be reachable from the Pliant instance over the network

  • You must have access to the cluster via the oc utility as a cluster-admin

Note: These instructions apply to Kubernetes 1.24 and later. Since 1.24 a ServiceAccount no longer gets a long-lived token Secret created for it automatically, which is why the manifest used here creates the Secret explicitly; earlier K8s versions auto-create that Secret and behave differently.

OpenShift Cluster with Internet Access

  1. Find your Kubernetes API host

    CONTEXT=$(oc config current-context)
    CLUSTER=$(oc config view -o json | jq -r --arg context "${CONTEXT}" '.contexts[] | select(.name == $context) | .context.cluster')
    oc config view -o json | jq -r --arg cluster "${CLUSTER}" '.clusters[] | select(.name == $cluster) | .cluster.server'| cut -d'/' -f3
  2. Run this command to create a new ServiceAccount, ClusterRoleBinding, and Secret on your Kubernetes cluster. Because the binding grants cluster-admin, review the manifest before applying it (for example with curl); it is expected to contain the same three objects listed in the "without Internet Access" section below.

    oc apply -f https://distributor.pliant.io/pliant-control.yaml
  3. Get the token for the new ServiceAccount. This token grants full cluster-admin privileges to any bearer, so handle it as a secret. The Secret is named pliant-control, so it can be read directly:

    oc -n kube-system get secret pliant-control -o jsonpath='{.data.token}' | base64 --decode; echo
  4. Copy out the decoded token

  5. Create a new authKey for the Kubernetes service, using the host:port from step 1 as the API endpoint. Be sure to include the TCP port if the API is not on the default (443); OpenShift commonly serves the API on 6443. Use the token value as the API Key.

OpenShift Cluster without Internet Access

  1. On your host with oc access, create a new file called “pliant-control.yaml” with a text editor

  2. Paste in the following content and save the file:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pliant-control
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: pliant-control
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: pliant-control
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: pliant-control
      annotations:
        kubernetes.io/service-account.name: "pliant-control"
      namespace: kube-system
    type: kubernetes.io/service-account-token

  3. Use this command to apply the yaml and create the ServiceAccount, ClusterRoleBinding, and Secret:

    oc apply -f pliant-control.yaml
  4. Find your Kubernetes API host

    CONTEXT=$(oc config current-context)
    CLUSTER=$(oc config view -o json | jq -r --arg context "${CONTEXT}" '.contexts[] | select(.name == $context) | .context.cluster')
    oc config view -o json | jq -r --arg cluster "${CLUSTER}" '.clusters[] | select(.name == $cluster) | .cluster.server'| cut -d'/' -f3
  5. Now we can get the token for the new ServiceAccount. This token grants full cluster-admin privileges to any bearer, so handle it as a secret. The Secret is named pliant-control, so it can be read directly:

    oc -n kube-system get secret pliant-control -o jsonpath='{.data.token}' | base64 --decode; echo
  6. Copy out the decoded token

  7. Create a new authKey for the Kubernetes service, using the host:port from step 4 as the API endpoint. Be sure to include the TCP port if the API is not on the default (443); OpenShift commonly serves the API on 6443. Use the token value as the API Key.
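The script below is an added worked example and is not part of the Pliant documentation or its tooling. It ties the steps above together (API host, token retrieval, and a sanity check a practitioner would want before pasting a cluster-admin token into an authKey): it decodes the JWT payload of the service-account token and confirms the subject is system:serviceaccount:kube-system:pliant-control, then checks with oc that the token is accepted and actually has cluster-admin rights. The function names are my own; `oc config view --minify` is used as a shorter equivalent of the jq pipeline above. The live oc calls only run when invoked with the argument `run`, so the helper functions can be exercised offline against a constructed token.

```shell
#!/bin/sh
# Added example, not Pliant's own code. Assumes the pliant-control
# ServiceAccount and Secret from this page exist in kube-system and that
# oc is logged in as cluster-admin when the live steps are run.
set -eu

SA_NAME="pliant-control"
SA_NS="kube-system"

# Reduce an API server URL (https://host[:port]) to the host[:port] the
# Pliant authKey expects; same cut as the page's command, as a function.
api_host_from_server() {
    printf '%s\n' "$1" | cut -d'/' -f3
}

# Decode one base64url segment of a JWT (JWTs strip '=' padding).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Extract the "sub" claim from the payload (second segment) of a JWT.
jwt_subject() {
    payload=$(printf '%s' "$1" | cut -d'.' -f2)
    b64url_decode "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeeds only if the token was issued to the expected ServiceAccount.
check_token_subject() {
    expected="system:serviceaccount:${SA_NS}:${SA_NAME}"
    [ "$(jwt_subject "$1")" = "$expected" ]
}

# Constructed sample token (unsigned, for offline testing only): header,
# payload with the subject a real pliant-control token would carry, fake sig.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:pliant-control"}').sig"
WRONG_TOKEN="$(b64url_encode '{"alg":"RS256"}').$(b64url_encode '{"sub":"system:serviceaccount:default:builder"}').sig"

# Live steps (need oc and cluster access).
fetch_token() {
    oc -n "$SA_NS" get secret "$SA_NAME" -o jsonpath='{.data.token}' | base64 -d
}

main() {
    server=$(oc config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    host=$(api_host_from_server "$server")
    token=$(fetch_token)
    check_token_subject "$token" || { echo "token subject mismatch" >&2; exit 1; }
    # --token replaces the current user's credentials but keeps the cluster/CA,
    # so this confirms the token is accepted and carries cluster-admin rights.
    oc --token="$token" auth can-i '*' '*' >/dev/null
    echo "API host for the authKey: $host"
    echo "API Key (token):          $token"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh pliant-token.sh run` from a host with oc access; without the argument it only defines the functions, which is the mode used for the offline checks.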