Configure migrations to use service accounts

If you set up migrations and migration schedules using user accounts, you will encounter token expiration-related errors. To avoid these errors, Portworx, Inc. recommends setting up migrations and migration schedules using service accounts.

In contrast to user accounts, which expire after a specified interval of time has passed, service account tokens do not expire. Using service accounts ensures that you will not encounter token expiration-related errors. See the User accounts versus service accounts section of the Kubernetes documentation for more details about the differences between service accounts and user accounts.

Perform the following steps on the destination cluster to configure migrations to use service accounts.

Create a service account and a cluster role binding

  1. Create a file called service-account-migration.yaml with the following content, setting the namespace: field to match one of the existing namespaces in your cluster. This example uses the default namespace:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: migration
      namespace: default

  2. Apply the spec:

    kubectl apply -f service-account-migration.yaml

If you are using Kubernetes version 1.24 or newer, you also need to create a secret. In the example below, the name in the annotation must match the name of the service account that you created.

    apiVersion: v1
    kind: Secret
    metadata:
      name: migration
      namespace: default
      annotations:
        # must match the name of the ServiceAccount created above
        kubernetes.io/service-account.name: migration
    type: kubernetes.io/service-account-token

Apply the secret:

    kubectl apply -f <migrationsecretname>.yaml

  3. Create a file called cluster-role-binding-migration.yaml with the following content, setting the namespace: field to match the namespace in the previous step:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: migration-clusterrolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: migration
      namespace: default

The name field under roleRef is set to cluster-admin. For details about super-user access, see the User-facing roles section of the Kubernetes documentation.

  4. Apply the spec:
    kubectl apply -f cluster-role-binding-migration.yaml

Create a kubeconfig file

  1. Download the script file. Edit the file and change the values of the SERVER and NAMESPACE variables to match your environment.
  2. To create a kubeconfig file, enter the following commands:
    chmod +x && ./ > ~/.kube/migration-config.conf
  3. Set the value of the KUBECONFIG environment variable to point to the kubeconfig file that you created in the previous step:
    export KUBECONFIG=~/.kube/migration-config.conf
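
What a script of this kind does, as an added example (it is not the Portworx script referenced in step 1): it reads the CA certificate and token from the migration secret created above and renders a kubeconfig, written with owner-only permissions because the token is bound to cluster-admin. SERVER and NAMESPACE mirror the variables named in step 1; the function names, the cluster and context names, the generate argument and the placeholder server URL are assumptions.

```shell
#!/bin/sh
# Added example, not the Portworx script. Assumes the Secret "migration" from
# the Kubernetes 1.24+ step and kubectl access to the destination cluster.
SERVER="${SERVER:-https://<destination-api-server>:6443}"   # placeholder
NAMESPACE="${NAMESPACE:-default}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-migration}"   # the Secret has the same name

# Print a kubeconfig. Args: server URL, namespace, base64 CA cert, token.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: migration-cluster
  cluster:
    server: $1
    certificate-authority-data: $3
contexts:
- name: migration-context
  context:
    cluster: migration-cluster
    namespace: $2
    user: $SERVICE_ACCOUNT
current-context: migration-context
users:
- name: $SERVICE_ACCOUNT
  user:
    token: $4
EOF
}

# Read the CA (left base64-encoded) and the token (decoded) from the Secret.
generate() {
  ca=$(kubectl -n "$NAMESPACE" get secret "$SERVICE_ACCOUNT" -o jsonpath='{.data.ca\.crt}')
  token=$(kubectl -n "$NAMESPACE" get secret "$SERVICE_ACCOUNT" -o jsonpath='{.data.token}' | base64 --decode)
  if [ -z "$ca" ] || [ -z "$token" ]; then
    echo "secret $NAMESPACE/$SERVICE_ACCOUNT is not populated yet" >&2
    return 1
  fi
  render_kubeconfig "$SERVER" "$NAMESPACE" "$ca" "$token"
}

# Hypothetical usage: sh <this-file> generate <output-path> (owner-only file).
if [ "${1:-}" = "generate" ]; then
  out=$(generate) || exit 1
  umask 077
  printf '%s\n' "$out" > "${2:?output path required}"
  chmod 600 "$2"
fi
```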

Create a ClusterPair

See Create a synchronous DR ClusterPair and Create an asynchronous DR ClusterPair for more information.

Generate the kubeconfig files with the Create a kubeconfig file procedure, and use them, before following the above topics to create a ClusterPair.

