WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / Automation / How to create a kubernetes service account for vSphere with Tanzu?

How to create a kubernetes service account for vSphere with Tanzu?

11.29.2021 by William Lam // 4 Comments

Before you can interact and consume resources from a vSphere with Tanzu enabled cluster, users must first login and one way to accomplish this is by using the kubectl-vsphere plugin.

Once authenticated, a JWT (JSON Web Token), pronounced jot token, will be issued along with other values which will be appended to your local ~/.kube/config file. Users will then be able to perform kubectl operations based on the roles they have been assigned for a given vSphere Namespace. In case you did not know, these JWT tokens are only valid for 10 hours and after that, you will need to login again to retrieve a new JWT token.

We can also confirm this by decoding our JWT token found within the ~/.kube/config file and using jwt.io website. Once decoded, we can see when the token was issued using iat (Issued At) and when the token will expired using exp (Expiration Time) as shown in the screenshot below.

The default 10 hour expiry is currently not configurable which can be a challenge for anyone looking to setup unattended automation or GitOps with vSphere with Tanzu.

An alternative solution is to create a Kubernetes (k8s) service account, which by default does not contain a token expiry. Using this information and my recent Deep Dive into vSphere Namespace Roles, I was able to create a service account that can perform the same set of vSphere with Tanzu operations without having to re-login every 10 hours.

Note (06/07/22) - The "Edit" vSphere Namespace Role now includes the ability to create K8s service account and rolebinding without having to go into Supervisor Cluster Control Plane VM

Step 1 - SSH to the VCSA and then run the following script to retrieve the Supervisor Cluster Control Plane VM credentials:

/usr/lib/vmware-wcp/decryptK8Pwd.py

Step 2 - SSH to the IP Address using root username and the password provided from the previous command

Step 3 - Create a new K8s service account that is scoped to the specific vSphere Namespace. In my example, service account name is called tanzu-svc and it is scoped to primp-industries vSphere Namespace.

SA_NAME="tanzu-svc"
SV_NAMESPACE="primp-industries"

kubectl -n ${SV_NAMESPACE} create serviceaccount ${SA_NAME}

Step 4a - Create a ClusterRoleBinding for either the view or edit vSphere Namespace role for our service account.

SA_PERMISSION="edit" # view or edit

cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}:${SA_PERMISSION}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${SA_PERMISSION}
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SV_NAMESPACE}
EOF

Step 4b (Optional) - To configure our service account to have the "owner" vSphere Namespace role, we need to create an additional ClusterRoleBinding after completing Step 4a.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}:namespace-delete
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vmware-system-nsop-namespace-delete-cluster-role
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SV_NAMESPACE}
EOF

At this point, you can now log out of the VCSA and the remainder steps can be performed using any account that can login to vSphere with Tanzu enabled Cluster.

Step 5 - Once you are logged in using the kubectl-vsphere plugin, specify the name of the service account, vSphere Namespace and the Control Plane address to automatically create the kubeconfig file for our service account.

SA_NAME="tanzu-svc"
SV_NAMESPACE="primp-industries"
SV_CONTROL_PLANE_ADDRESS="10.10.0.65"

SA_SECRET_NAME=$(kubectl get sa ${SA_NAME} -o jsonpath='{.secrets[0].name}')
SA_SECRET_VALUE=$(kubectl get secret/${SA_SECRET_NAME} -o jsonpath='{.data.token}' | base64 --decode)
SA_SERVER_URI="https://${SV_CONTROL_PLANE_ADDRESS}:6443"

cat << EOF > ${SA_NAME}-kubeconfig
apiVersion: v1
kind: Config
current-context: ${SV_NAMESPACE}
clusters:
- cluster:
    server: ${SA_SERVER_URI}
  name: ${SV_CONTROL_PLANE_ADDRESS}
contexts:
- context:
    cluster: ${SV_CONTROL_PLANE_ADDRESS}
    namespace: ${SV_NAMESPACE}
    user: ${SA_NAME}
  name: ${SV_NAMESPACE}
users:
- name: ${SA_NAME}
  user:
    token: ${SA_SECRET_VALUE}
EOF

Step 6 - Lastly, lets now verify our kubeconfig file is valid by running a basic kubectl command such as listing the available Tanzu Kubernetes Releases (TKR):

kubectl --kubeconfig tanzu-svc-kubeconfig get tkr


If the previous command was successful, you now have a valid kubeconfig that can be used for automation and/or GitOps purposes without having to re-authenticate every 10hrs.

More from my site

  • Packer reference for VMware Harbor Virtual Appliance
  • Is vSphere with Kubernetes available for evaluation? 
  • Admin account for embedded Harbor registry in vSphere with Kubernetes
  • Setup custom login banner when logging into a vSphere with Kubernetes Cluster
  • Workload Management PowerCLI Module for automating vSphere with Kubernetes

Categories // Automation, VMware Tanzu, vSphere 7.0 Tags // vSphere with Kubernetes

Comments

  1. *protectedArvind Patil says

    08/24/2022 at 1:58 pm

    Hi William,
    This kubeconfig is for the supervisor cluster. How do I create similar kubeconfig for a workload cluster. Kubeconfig for workload cluster also expires after 10 hours.

    I tried following the same steps but I am stuck at creating a ClusterRoleBinding. I would like to create a kubeconfig that should work for all namespaces in the workload cluster. ClusterRoleBinding specs requires to specify a namespace. But at the workload cluster level I want the kubeconfig to work for multiple namespaces. How do I create such kubeconfig for a workload cluster?
    Thanks,
    Arvind

    Reply
  2. *protectedBjoern says

    08/24/2023 at 8:19 am

    Hi William, is this still true (that Note (06/07/22) section)?
    Tried both edit/owner roles, both times auth can-i create ClusterRoleBinding or RoleBinding tells me "no" 🙁
    ServiceAccount creation is possible - but of course only a unprivileged one.

    My current workaround is an AD-Based "serviceaccount" ( aka dummy user with credentials in hashicorp vault) and that KUBECTL_VSPHERE_PASSWORD env var to bypass interactive logins which is somehow ugly 🙂

    Reply
  3. *protectedRajesh says

    09/29/2023 at 10:34 am

    can we create vSphere namespace automated way?

    Reply
    • William Lam says

      09/29/2023 at 10:48 am

      Yes, you can use the self-service namespace feature https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-126834C7-2577-4670-A9A3-4F05849C8ADD.html OR use the vSphere API to also create them https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/namespaces/

      Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...