Service Accounts in Kubernetes

As part of the installation of the Mission Control Agent, the Helm chart automatically creates the following service accounts:

Service Account for the Mission Control Agent

The Mission Control Agent is assigned a service account called cloud-agent; this account is created automatically by the Helm chart.

This service account is bound to a role called cloud-agent-role, which is scoped to the target namespace. Solace does not support the integration of event broker services with service meshes, such as Itsio, Cillium, and Linkerd. If your cluster has a service mesh, this namespace must be excluded from it. The service account is also bound to the Docker Registry secret which gives it access to Solace's enterprise Docker images.

The cloud-agent-role gives the Mission Control Agent permissions for the following namespace resources:

Secrets
The Mission Control Agent needs to create, update, and delete secrets for the event broker service it manages.
Services
The Mission Control Agent needs to create, update, and delete services to expose theevent broker serviceTCP ports to its clients.
configmaps
The Mission Control Agent needs to create, update, and delete configmaps for the event broker service it manages.
Pods
The Mission Control Agent needs to update and delete pods for the event broker service it manages.
Pods/Exec
The Mission Control Agent needs to execute commands in the event broker service's pods for certain operations such as in-service upgrades and configuring the monitoring agent.
Persistent Volume Claims
The Mission Control Agent needs to update and delete PVCs for the event broker service it manages.
Events
The Mission Control Agent needs to retrieve Events generated by Statefulsets, Jobs, and Services to report scheduling errors and Service creation failures.
Statefulsets
The Mission Control Agent uses Statefulsets as controllers for the event broker service pods. It needs to create, update and delete Statefulsets as part of managing the lifecycle of the event broker services.
Deployments
The Mission Control Agent needs deployment permissions to perform self-upgrades and to create, upgrade, and delete distributed tracing deployments.
Jobs
The Mission Control Agent needs to create, monitor, and delete Jobs to perform schema migration during upscaling operations. This is accomplished by launching a Pod via the Job controller.
Pod Disruption Budgets
The Mission Control Agent creates a Pod Disruption Budget (PDB) for each software event broker that it deploys. It also manages the PDBs afterward.

PDBs are required by Kubernetes worker node upgrades to ensure that event broker services remain operational during Kubernetes rolling upgrades.

Pods/Logs
The Mission Control Agent needs access to the pod logs to debug issues that may occur.
Replicasets
The Mission Control Agent needs to create and delete pods as needed for each software event broker that it delpoys.

The following Kubernetes YAML descriptor implements the permissions for the service account. In the example below, <target-namespace> is the name of the target namespace in your cluster. You can optionally specify the name of an existing role in your cluster to bind the service account to instead of cloud-agent-role.

apiVersion: v1
kind: ServiceAccount
metadata:
 name: cloud-agent
 namespace: <target-namespace>
imagePullSecrets:
  - name: gcr-reg-secret
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-agent-role-binding
  namespace: <target-namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cloud-agent-role
subjects:
- kind: ServiceAccount
  name: cloud-agent
  namespace: <target-namespace>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Values.serviceAccount.cloudAgent.name }}-role
rules:
  - apiGroups: [""]
    resources: ["secrets", "services", "configmaps"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "update", "patch", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "delete",  "update", "patch", "list", "watch"] 
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups:  ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "watch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]

Service Account for the Event Broker Pods

The event broker pods run a health-check script which needs Kubernetes API access to tag the pods as active.

To achieve this, the pods require a service account that's automatically created by the Helm chart with the following permissions:

  • Access to Patch the pods resource

The following Kubernetes YAML descriptor implements these permissions. In the example below, <target-namespace> is the name of the target namespace in your cluster. You can optionally specify the name of an existing role in your cluster to bind the service account to instead of solace-broker-role.

apiVersion: v1
kind: ServiceAccount
metadata:
 name: solace-broker
 namespace: <target-namespace>
imagePullSecrets:
  - name: gcr-reg-secret
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: solace-broker-role
  namespace: <target-namespace>
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: solace-broker-role-binding
  namespace: <target-namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: solace-broker-role
subjects:
- kind: ServiceAccount
  name: solace-broker
  namespace: solace