Service Accounts in Kubernetes
As part of the installation of the Mission Control Agent, the Helm chart automatically creates the following service accounts:
Service Account for the Mission Control Agent
The Mission Control Agent is assigned a service account called cloud-agent
; this account is created automatically by the Helm chart.
This service account is bound to a role called cloud-agent-role
, which is scoped to the target namespace. Solace does not support the integration of event broker services with service meshes, such as Itsio, Cillium, and Linkerd. If your cluster has a service mesh, this namespace must be excluded from it. The service account is also bound to the Docker Registry secret which gives it access to Solace's enterprise Docker images.
The cloud-agent-role
gives the Mission Control Agent permissions for the following namespace resources:
- Secrets
- The Mission Control Agent needs to create, update, and delete secrets for the event broker service it manages.
- Services
- The Mission Control Agent needs to create, update, and delete services to expose theevent broker serviceTCP ports to its clients.
- configmaps
- The Mission Control Agent needs to create, update, and delete
configmaps
for the event broker service it manages. - Pods
- The Mission Control Agent needs to update and delete pods for the event broker service it manages.
- Pods/Exec
- The Mission Control Agent needs to execute commands in the event broker service's pods for certain operations such as in-service upgrades and configuring the monitoring agent.
- Persistent Volume Claims
- The Mission Control Agent needs to update and delete PVCs for the event broker service it manages.
- Events
- The Mission Control Agent needs to retrieve Events generated by Statefulsets, Jobs, and Services to report scheduling errors and Service creation failures.
- Statefulsets
- The Mission Control Agent uses Statefulsets as controllers for the event broker service pods. It needs to create, update and delete Statefulsets as part of managing the lifecycle of the event broker services.
- Deployments
- The Mission Control Agent needs deployment permissions to perform self-upgrades and to create, upgrade, and delete distributed tracing deployments.
- Jobs
- The Mission Control Agent needs to create, monitor, and delete Jobs to perform schema migration during upscaling operations. This is accomplished by launching a Pod via the Job controller.
- Pod Disruption Budgets
- The Mission Control Agent creates a Pod Disruption Budget (PDB) for each software event broker that it deploys. It also manages the PDBs afterward.
PDBs are required by Kubernetes worker node upgrades to ensure that event broker services remain operational during Kubernetes rolling upgrades.
- Pods/Logs
- The Mission Control Agent needs access to the pod logs to debug issues that may occur.
- Replicasets
- The Mission Control Agent needs to create and delete pods as needed for each software event broker that it delpoys.
The following Kubernetes YAML descriptor implements the permissions for the service account. In the example below,
<target-namespace>
is the name of the target namespace in your cluster. You can optionally specify the name of an existing role in your cluster to bind the service account to instead of cloud-agent-role
.
apiVersion: v1 kind: ServiceAccount metadata: name: cloud-agent namespace: <target-namespace> imagePullSecrets: - name: gcr-reg-secret --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cloud-agent-role-binding namespace: <target-namespace> roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cloud-agent-role subjects: - kind: ServiceAccount name: cloud-agent namespace: <target-namespace> --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ .Values.serviceAccount.cloudAgent.name }}-role rules: - apiGroups: [""] resources: ["secrets", "services", "configmaps"] verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "update", "patch", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "update", "patch", "delete", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["pods/exec"] verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] - apiGroups: ["apps"] resources: ["statefulsets"] verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "create", "delete", "update", "patch", "list", "watch"] - apiGroups: ["batch"] resources: ["jobs"] verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets"] verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] - apiGroups: [""] resources: ["pods/log"] verbs: ["get", "watch"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"]
Service Account for the Event Broker Pods
The event broker pods run a health-check script which needs Kubernetes API access to tag the pods as active.
To achieve this, the pods require a service account that's automatically created by the Helm chart with the following permissions:
- Access to Patch the pods resource
The following Kubernetes YAML descriptor implements these permissions. In the example below, <target-namespace>
is the name of the target namespace in your cluster. You can optionally specify the name of an existing role in your cluster to bind the service account to instead of solace-broker-role
.
apiVersion: v1 kind: ServiceAccount metadata: name: solace-broker namespace: <target-namespace> imagePullSecrets: - name: gcr-reg-secret --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: solace-broker-role namespace: <target-namespace> rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["patch"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: solace-broker-role-binding namespace: <target-namespace> roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: solace-broker-role subjects: - kind: ServiceAccount name: solace-broker namespace: solace