Creating a service account for the Kubernetes agent
Before adding a Kubernetes cluster to Кибер Бэкап, create a service account for the Kubernetes agent in that cluster.
The procedure for creating the service account is described below for two cases:
- backup and recovery of user Kubernetes namespaces;
- backup and recovery of Deckhouse system namespaces.
Creating the account when protecting user Kubernetes namespaces
- Create a file prepare-cluster.yaml with the content shown below.

prepare-cluster.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cyberprotect
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cyberprotect
  namespace: cyberprotect
---
apiVersion: v1
kind: Secret
metadata:
  name: cyberprotect
  namespace: cyberprotect
  annotations:
    kubernetes.io/service-account.name: cyberprotect
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cyberprotect-discovery-generic
rules:
  # Get cluster id
  - apiGroups: [""]
    resources: ["namespaces"]
    resourceNames: ["kube-system"]
    verbs: ["get"]
  # List nodes
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list"]
  # List namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  # List storage classes
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["list"]
  # List cluster resources
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["list"]
  # Create cyberprotect namespace
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cyberprotect-discovery-generic
subjects:
  - kind: ServiceAccount
    name: cyberprotect
    namespace: cyberprotect
roleRef:
  kind: ClusterRole
  name: cyberprotect-discovery-generic
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cyberprotect-discovery-volume-backup
  namespace: cyberprotect
rules:
  # Manage pods
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["*"]
  # Manage jobs
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cyberprotect-discovery-volume-backup
  namespace: cyberprotect
subjects:
  - kind: ServiceAccount
    name: cyberprotect
    namespace: cyberprotect
roleRef:
  kind: Role
  name: cyberprotect-discovery-volume-backup
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cyberprotect-backup-generic
rules:
  # List cluster resources
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["list"]
  # Get persistent volume claims
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cyberprotect-backup-generic
subjects:
  - kind: ServiceAccount
    name: cyberprotect
    namespace: cyberprotect
roleRef:
  kind: ClusterRole
  name: cyberprotect-backup-generic
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cyberprotect-backup-snapshotter
rules:
  # Manage volume snapshots
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cyberprotect-backup-snapshotter
subjects:
  - kind: ServiceAccount
    name: cyberprotect
    namespace: cyberprotect
roleRef:
  kind: ClusterRole
  name: cyberprotect-backup-snapshotter
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cyberprotect-backup-data-mover
rules:
  # Create/delete pods, services and persistent volume claims. Execute commands in pods.
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "services", "persistentvolumeclaims"]
    verbs: ["create", "get", "delete"]
  # Watch events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cyberprotect-backup-data-mover
subjects:
  - kind: ServiceAccount
    name: cyberprotect
    namespace: cyberprotect
roleRef:
  kind: ClusterRole
  name: cyberprotect-backup-data-mover
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cyberprotect-restore
rules:
  # Manage namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "get", "update", "delete"]
  # Manage core resources
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
  # Manage workloads
  - apiGroups: ["apps"]
    resources: ["*"]
    verbs: ["*"]
  # Manage other cluster resources
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["create", "get", "update", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cyberprotect-restore
subjects:
  - kind: ServiceAccount
    name: cyberprotect
    namespace: cyberprotect
roleRef:
  kind: ClusterRole
  name: cyberprotect-restore
  apiGroup: rbac.authorization.k8s.io
```
- Create the resources listed in prepare-cluster.yaml in the cluster:
```shell
kubectl create -f prepare-cluster.yaml
```
- Get and save the token of the cyberprotect service account:
```shell
kubectl -n cyberprotect describe secret cyberprotect
```
Handle this token as you would cluster-administrator credentials: the cyberprotect-restore ClusterRole bound above grants every verb on every core resource (including Secrets and pods) in every namespace. A token stored in a kubernetes.io/service-account-token Secret has no expiry; it is invalidated only when that Secret is deleted, which is also how you rotate it.
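A static review of what the manifest above grants, as an added example that is not part of Кибер Бэкап or of this page. It takes Role or ClusterRole objects in the JSON shape that `kubectl get clusterrole <name> -o json` prints and reports the grants that matter for a credential you are about to store on a backup server: reading Secrets, exec into pods, minting ServiceAccount tokens, RBAC escalation verbs, and unbounded wildcards. Bindings are not examined (every ClusterRole in the manifest is bound cluster-wide by a ClusterRoleBinding). The two embedded roles are constructed input copied rule for rule from prepare-cluster.yaml; the finding labels and function names are the example's own.

```python
"""Static review of the RBAC rules in prepare-cluster.yaml (added example,
not part of Кибер Бэкап). Input: Role/ClusterRole objects as printed by
`kubectl get clusterrole <name> -o json`."""
import json
import sys

READ_VERBS = {"get", "list", "watch", "*"}
CREATE_VERBS = {"create", "*"}
# Verbs that let a subject widen its own permissions.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def _covers(rule_values, wanted):
    """True if a rule's apiGroups/resources list matches `wanted` ('*' matches everything)."""
    return "*" in rule_values or wanted in rule_values


def audit_rules(role):
    """Return sorted, de-duplicated findings for one Role or ClusterRole."""
    findings = set()
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if rule.get("resourceNames"):
            # Scoped to named objects (e.g. get the kube-system namespace): not a broad grant.
            continue
        if "*" in groups and "*" in resources:
            findings.add("wildcard: %s on every resource in every API group"
                         % ",".join(sorted(verbs)))
        # Core-group checks: apiGroups [""] or ["*"]; resources ["*"] also matches subresources.
        if _covers(groups, "") and _covers(resources, "secrets") and verbs & READ_VERBS:
            findings.add("reads Secrets")
        if _covers(groups, "") and _covers(resources, "pods/exec") and verbs & CREATE_VERBS:
            findings.add("execs into pods")
        if (_covers(groups, "") and _covers(resources, "serviceaccounts/token")
                and verbs & CREATE_VERBS):
            findings.add("mints tokens for any ServiceAccount")
        if verbs & ESCALATION_VERBS:
            findings.add("holds RBAC escalation verbs: %s"
                         % ",".join(sorted(verbs & ESCALATION_VERBS)))
    return sorted(findings)


def audit_roles(roles):
    """Map role name -> findings for a list of role objects."""
    return {role["metadata"]["name"]: audit_rules(role) for role in roles}


# Constructed input: two ClusterRoles from prepare-cluster.yaml, copied rule for rule.
DISCOVERY_GENERIC = {
    "kind": "ClusterRole",
    "metadata": {"name": "cyberprotect-discovery-generic"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "resourceNames": ["kube-system"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["list"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["list"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["create"]},
    ],
}
RESTORE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cyberprotect-restore"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["create", "get", "update", "delete"]},
        {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["*"], "resources": ["*"],
         "verbs": ["create", "get", "update", "delete", "deletecollection"]},
    ],
}

if __name__ == "__main__":
    # Usage: kubectl get clusterrole cyberprotect-restore -o json | python3 rbac_audit.py
    # A List (kubectl get clusterrole -o json) is unwrapped; with no piped input, the
    # embedded roles are audited.
    if sys.stdin.isatty():
        roles = [DISCOVERY_GENERIC, RESTORE]
    else:
        doc = json.load(sys.stdin)
        roles = doc.get("items", [doc])
    for name, findings in audit_roles(roles).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The discovery role's `list` on every resource in every API group already exposes Secret contents cluster-wide (a list response carries the objects' data), which is why even the "read-only" half of this manifest needs the token treated as sensitive.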
Creating the account when protecting Deckhouse system namespaces
- Create a Secret resource holding a token for the deckhouse service account (for example, save the manifest below to a file and run kubectl create -f on it):
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: deckhouse-secret
  namespace: d8-system
  annotations:
    kubernetes.io/service-account.name: deckhouse
type: kubernetes.io/service-account-token
```
- Run the following command:
```shell
kubectl -n d8-system describe secret deckhouse-secret
```
- Get and save the token of the deckhouse service account from the command output:
```
root@k8s-d-node1:/home/myuser# kubectl -n d8-system describe secret deckhouse-secret
Name:         deckhouse-secret
Namespace:    d8-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: deckhouse
              kubernetes.io/service-account.uid: 1db29c03-13d5-4a9d-a084-00348b739b05
Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1107 bytes
namespace:  9 bytes
token:      <...>
```
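Both procedures end with reading a token out of a kubernetes.io/service-account-token Secret, in the cyberprotect namespace in the first case and in d8-system in the second. The following added example (not from Кибер Бэкап or this page) reads the Secret as `kubectl -n <namespace> get secret <name> -o json` prints it, handles the moment right after creation when the token controller has not yet filled in data.token, and decodes the JWT claims to confirm that the token belongs to the expected ServiceAccount and to this Secret before the token is pasted into the backup server. The signature is not verified; this is a sanity check of the credential's identity, not authentication. The embedded Secret and its JWT are constructed samples with a dummy signature, and the function names are the example's own.

```python
"""Extract and sanity-check a ServiceAccount token from a
kubernetes.io/service-account-token Secret (added example, not part of
Кибер Бэкап). Input: the Secret as printed by `kubectl get secret -o json`."""
import base64
import json
import sys


class TokenNotReady(Exception):
    """The token controller has not populated data.token yet; retry shortly."""


def _b64url(raw):
    # JWT segments use base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # Restore the padding that JWT segments omit before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_ready(secret):
    """True once the Secret carries a token (it is filled in asynchronously after creation)."""
    return "token" in (secret.get("data") or {})


def extract_token(secret):
    """Return the raw bearer token (base64-decoded data.token) from the Secret."""
    if not token_ready(secret):
        meta = secret["metadata"]
        raise TokenNotReady("Secret %s/%s has no token yet" % (meta["namespace"], meta["name"]))
    return base64.b64decode(secret["data"]["token"]).decode()


def token_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(secret, expected_sa):
    """Return the claims if the token is for expected_sa in the Secret's namespace
    and was issued for this very Secret; raise ValueError otherwise."""
    claims = token_claims(extract_token(secret))
    meta = secret["metadata"]
    want_sub = "system:serviceaccount:%s:%s" % (meta["namespace"], expected_sa)
    if claims.get("sub") != want_sub:
        raise ValueError("token subject %r, expected %r" % (claims.get("sub"), want_sub))
    if claims.get("kubernetes.io/serviceaccount/secret.name") != meta["name"]:
        raise ValueError("token was issued for a different Secret; it may have been copied")
    return claims


def token_belongs_to(secret, expected_sa):
    """Boolean wrapper around check_token for scripting."""
    try:
        check_token(secret, expected_sa)
        return True
    except (TokenNotReady, ValueError):
        return False


def make_sample_secret(namespace="cyberprotect", sa="cyberprotect", secret_name="cyberprotect"):
    """Constructed sample resembling `kubectl get secret -o json`; the JWT carries the
    claims a Secret-based ServiceAccount token has, with a dummy signature."""
    header = {"alg": "RS256", "kid": "example-kid"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa,
        "sub": "system:serviceaccount:%s:%s" % (namespace, sa),
    }
    jwt = ".".join([_b64url(json.dumps(header).encode()),
                    _b64url(json.dumps(payload).encode()),
                    _b64url(b"dummy-signature")])
    return {
        "apiVersion": "v1", "kind": "Secret",
        "type": "kubernetes.io/service-account-token",
        "metadata": {"name": secret_name, "namespace": namespace,
                     "annotations": {"kubernetes.io/service-account.name": sa}},
        "data": {"token": base64.b64encode(jwt.encode()).decode(),
                 "namespace": base64.b64encode(namespace.encode()).decode()},
    }


if __name__ == "__main__":
    # Usage: kubectl -n d8-system get secret deckhouse-secret -o json | python3 sa_token.py deckhouse
    # With no piped input, the constructed cyberprotect sample is checked instead.
    secret = make_sample_secret() if sys.stdin.isatty() else json.load(sys.stdin)
    expected = sys.argv[1] if len(sys.argv) > 1 else "cyberprotect"
    claims = check_token(secret, expected)
    print("token OK for", claims["sub"])
```

Because these tokens carry no `exp` claim, the only revocation is deleting the Secret; the subject check above catches the common mistake of pasting a token copied from another cluster or namespace, which would otherwise fail only at first use.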