Setting up trusted profiles for the Block Storage for VPC cluster add-on
You can use trusted profiles to limit the access that running pods in your cluster have to other resources in your account or cluster. For more information about trusted profiles, see Creating trusted profiles.
Enabling the Block Storage for VPC cluster add-on
- Get the version number of the vpc-block-csi-driver add-on that is installed in your cluster.
  ibmcloud oc cluster addon ls --cluster CLUSTER
- If a version of the Block Storage for VPC cluster add-on earlier than 4.4 is installed in your cluster, you must first disable the add-on and then enable version 4.4 or later.
  ibmcloud oc cluster addon disable vpc-block-csi-driver --cluster CLUSTER-ID
  ibmcloud oc cluster addon enable vpc-block-csi-driver --version 4.4 --cluster CLUSTER-ID
  Example output
  Enabling add-on vpc-block-csi-driver(4.4) for cluster CLUSTER-ID
  The add-on might take several minutes to deploy and become ready for use.
- Verify that the add-on state is normal and the status is ready.
  ibmcloud oc cluster addon ls --cluster CLUSTER-ID
  Example output
  Name                   Version             Health State   Health Status
  vpc-block-csi-driver   4.4 (4.3 default)   normal         Addon Ready. For more info: http://ibm.biz/addon-state (H1500)
- Verify that the driver pods are deployed and the status is Running.
  kubectl get pods -n kube-system | grep block
  Example output
  ibm-vpc-block-csi-controller-0   7/7   Running   0   77s
  ibm-vpc-block-csi-node-56c85     4/4   Running   0   77s
  ibm-vpc-block-csi-node-87j2t     4/4   Running   0   77s
  ibm-vpc-block-csi-node-cmh2h     4/4   Running   0   77s
Setting up trusted profiles
- Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.
  - Allow access when Service account equals ibm-vpc-block-controller-sa.
  - Allow access when Namespace equals kube-system.
  You can create the trusted profile for specific clusters or for all current and future clusters.
  Make sure to give the trusted profile the following access.
  - Resource group - Viewer
  - Service access - Reader and Writer
  - Platform access - Viewer, Operator, Editor
- After you create your trusted profile, copy the ID from the Trusted profiles page in the console.
- Decide whether to use the trusted profile ID or an API key in the Kubernetes secret that the add-on uses. Save the following text and enter your credentials. You can follow the steps to create the secret manually, or you can use the shell script to create the secret in your cluster automatically.
  Example credentials with pod identity
  IBMCLOUD_AUTHTYPE=pod-identity
  IBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID>
  Example credentials with an API key
  IBMCLOUD_AUTHTYPE=iam
  IBMCLOUD_APIKEY=<API-KEY>
- Encode the credentials to base64. Keep the two entries on separate lines, as in the examples above; for pod-identity, use IBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID> instead of the API key line.
  echo -n "IBMCLOUD_AUTHTYPE=<IAM-OR-POD-IDENTITY>
  IBMCLOUD_APIKEY=<API-KEY>" | base64
- Create a secret in your cluster that contains the credentials for the trusted profile. You can create the secret by using the ID or the API key for the trusted profile. Save the following YAML to a file called ibm-cloud-credentials.yaml. In the ibm-credentials.env: field, enter the base64-encoded credentials (the trusted profile ID or the API key) from the previous step.
  apiVersion: v1
  data:
    ibm-credentials.env: <BASE64-ENCODED-CREDENTIALS>   # base64 output from the previous step
  kind: Secret
  metadata:
    name: ibm-cloud-credentials
    namespace: kube-system
  type: Opaque
- Create the secret in your cluster.
  kubectl apply -f ibm-cloud-credentials.yaml
- Restart the driver pods by disabling and re-enabling the add-on.
  - Disable the add-on.
    ibmcloud oc cluster addon disable vpc-block-csi-driver --cluster CLUSTER
  - Re-enable the add-on.
    ibmcloud oc cluster addon enable vpc-block-csi-driver --cluster CLUSTER --version VERSION
Automatically creating a secret by using a Shell script
- Save the following script to a file called generate-secret.sh.
  #!/bin/bash
  IBMCLOUD_AUTHTYPE=
  SECRET=

  #error STATUS MESSAGE - prints MESSAGE and exits when STATUS is non-zero.
  #The status is passed in explicitly so that the check does not depend on $?
  #surviving the $(date ...) command substitution in the message argument.
  error() {
    if [[ $1 != 0 ]]; then
      echo "$2"; exit 1
    fi
  }

  #validate_options validates the options provided to the script
  validate_options() {
    if [[ "$#" -eq 1 ]]; then
      if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then
        usage; exit 1
      fi
    fi
    #number of options provided to the script must be 2
    if [[ "$#" -ne 2 ]]; then
      echo "Invalid number of options provided"
      usage; exit 1
    fi
    #1st option must be 'iam' or 'pod-identity'
    if [[ "$1" != "iam" ]] && [[ "$1" != "pod-identity" ]]; then
      echo "Provide a valid auth-type"
      usage; exit 1
    fi
    IBMCLOUD_AUTHTYPE=$1
    SECRET=$2
  }

  #usage - prints the usage for execution of script
  usage() {
    echo "USAGE: bash generate-secret.sh <auth-type> <apikey/profile-id>
    auth-type: auth-type should be either iam or pod-identity. Provide iam to use api key, pod-identity to use trusted profile"
  }

  #main
  main() {
    validate_options "$@"
    auth_type="IBMCLOUD_AUTHTYPE=$IBMCLOUD_AUTHTYPE"
    secret=
    if [[ "$IBMCLOUD_AUTHTYPE" == "iam" ]]; then
      secret="IBMCLOUD_APIKEY=$SECRET"
    else
      secret="IBMCLOUD_PROFILEID=$SECRET"
    fi
    encodedValue=$(echo -e "$auth_type\n$secret" | base64)
    #on certain os, base64 encoding introduces newline, removing the same here.
    encodedValue=${encodedValue//$'\n'/}
    #fetch the controller pod name
    controllerPodName=$(kubectl get pods -n kube-system | grep ibm-vpc-block-csi-controller | awk '{print $1}')
    error $? "$(date +"%b %d %G %H:%M:%S"): Unable to fetch controller pod."
    if [[ "$controllerPodName" == "" ]]; then
      echo "$(date +"%b %d %G %H:%M:%S"): VPC Block CSI Driver addon is not enabled"
      exit 1
    fi
    echo "apiVersion: v1
  data:
    ibm-credentials.env: $encodedValue
  kind: Secret
  metadata:
    name: ibm-cloud-credentials
    namespace: kube-system
  type: Opaque" > ibm-cloud-credentials.yaml
    #create the k8s secret
    kubectl apply -f ibm-cloud-credentials.yaml &> /dev/null
    error $? "$(date +"%b %d %G %H:%M:%S"): Error creating ibm-cloud-credentials secret."
    echo "$(date +"%b %d %G %H:%M:%S"): Created ibm-cloud-credentials secret"
    #restart the controller pod
    echo "$(date +"%b %d %G %H:%M:%S"): Restarting $controllerPodName pod"
    kubectl delete pod $controllerPodName -n kube-system &> /dev/null
    error $? "$(date +"%b %d %G %H:%M:%S"): Error restarting $controllerPodName pod in kube-system namespace."
    controllerPodStatus=
    for i in {1..12}
    do
      sleep 5
      controllerPodStatus=$(kubectl get pods -n kube-system | grep ibm-vpc-block-csi-controller | awk '{print $3}')
      if [[ "$controllerPodStatus" == "Running" ]]; then
        echo "$(date +"%b %d %G %H:%M:%S"): VPC Block CSI Driver is now using ibm-cloud-credentials secret"
        rm ibm-cloud-credentials.yaml
        error $? "Error deleting ibm-cloud-credentials.yaml."
        exit 0
      fi
    done
    error 1 "$(date +"%b %d %G %H:%M:%S"): Error - ibm-vpc-block-csi-controller is in $controllerPodStatus state"
  }

  main "$@"
- Run the generate-secret.sh script and specify iam or pod-identity as the IBMCLOUD_AUTHTYPE and your PROFILE-ID or API-KEY. The script uses bash-specific syntax, so run it with bash rather than sh.
  Example command to run generate-secret.sh by using pod-identity with your trusted profile ID.
  bash ./generate-secret.sh pod-identity PROFILE-ID
  Example command to run generate-secret.sh by using iam with an API key.
  bash ./generate-secret.sh iam API-KEY
- After the secret is created in your cluster, disable and re-enable the add-on.
  ibmcloud oc cluster addon disable vpc-block-csi-driver --cluster CLUSTER-ID
  ibmcloud oc cluster addon enable vpc-block-csi-driver --version 4.4 --cluster CLUSTER-ID
- Get the logs of the driver pod to verify that the driver is using the correct credentials by looking for the secret type in the output. For example, "secret-used":"ibm-cloud-credentials","type":"pod-identity"}.
  kubectl logs ibm-vpc-block-csi-controller-0 -c storage-secret-sidecar -n kube-system
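The following bash functions are an added example, not part of this page or of generate-secret.sh: they check a credentials payload and the sidecar log line offline, before and after the secret is applied. encode_credentials builds the ibm-credentials.env value in the same two-line layout as the script, check_credentials_env decodes a value and confirms the auth type and credential key are consistent, and check_sidecar_log looks for the secret-used/type pair from the last step. The function names and sample values are assumptions.

```shell
#!/bin/bash
# Added example: offline checks for the add-on credentials secret. Not part
# of the IBM docs page or generate-secret.sh; function names are assumptions.

# encode_credentials AUTHTYPE VALUE
# Builds the base64 value for ibm-credentials.env in the same two-line layout
# that generate-secret.sh produces (IBMCLOUD_AUTHTYPE line, then the key line),
# with base64 line wrapping stripped so the value is a single token.
encode_credentials() {
  local authtype="$1" value="$2" key
  case "$authtype" in
    iam)          key="IBMCLOUD_APIKEY" ;;
    pod-identity) key="IBMCLOUD_PROFILEID" ;;
    *) echo "auth type must be iam or pod-identity" >&2; return 1 ;;
  esac
  printf 'IBMCLOUD_AUTHTYPE=%s\n%s=%s\n' "$authtype" "$key" "$value" | base64 | tr -d '\n'
}

# check_credentials_env BASE64 EXPECTED_AUTHTYPE
# Decodes the value and checks it before it goes into a Secret: the auth type
# must be the one you intended, and the credential key must match it (profile
# ID for pod-identity, API key for iam, never both). Prints no secret material.
check_credentials_env() {
  local payload="$1" expected="$2" decoded authtype apikey profileid
  decoded=$(printf '%s' "$payload" | base64 -d 2>/dev/null) || { echo "value is not valid base64" >&2; return 1; }
  authtype=$(printf '%s\n' "$decoded" | sed -n 's/^IBMCLOUD_AUTHTYPE=//p')
  apikey=$(printf '%s\n' "$decoded" | sed -n 's/^IBMCLOUD_APIKEY=//p')
  profileid=$(printf '%s\n' "$decoded" | sed -n 's/^IBMCLOUD_PROFILEID=//p')
  if [ "$authtype" != "$expected" ]; then
    echo "IBMCLOUD_AUTHTYPE is '$authtype', expected '$expected'" >&2; return 1
  fi
  case "$authtype" in
    pod-identity) [ -n "$profileid" ] && [ -z "$apikey" ] ;;
    iam)          [ -n "$apikey" ] && [ -z "$profileid" ] ;;
    *) return 1 ;;
  esac
}

# check_sidecar_log LOGTEXT EXPECTED_AUTHTYPE
# Succeeds only if the storage-secret-sidecar log text contains the
# secret-used/type pair from the last step with the expected type, which
# confirms the driver reports ibm-cloud-credentials with that auth type.
check_sidecar_log() {
  printf '%s\n' "$1" | grep -q "\"secret-used\":\"ibm-cloud-credentials\",\"type\":\"$2\""
}
```

Run check_credentials_env on the value you are about to put in ibm-cloud-credentials.yaml, and check_sidecar_log on the output of the kubectl logs command above.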