...

2. Locate Kubernetes in the list of Cloud Integrations. Click +Add.

...

3. Click Get New Certificate Request.

...

3. Insert Cluster Name and Cluster URL.

*If your Kubernetes Cluster is public, use a direct web link in 'Cluster URL'.

If your Kubernetes Cluster is private, install the Breeze agent, set up a TunHub Gateway and use the TunHub route URL (e.g. https://tunhub.cloudaware.com:12345) in 'Cluster URL'.

Kubernetes Certificate

1) Click Using Kubernetes Certificate.

2) Insert the username that will be utilized in Kubernetes. Click Generate.

...

As a result, a certificate signing request in .csr format (e.g. cloudaware_test.csr) will be generated.

3) Sign the Cloudaware certificate request using the cluster CA on a Kubernetes control plane node (see the example below):

Code Block
# Sign the request with the cluster CA (run on a control plane node, where ca.key lives).
# -days 3650 makes the resulting client certificate valid for 10 years.
openssl x509 -req -in cloudaware_test.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out cloudaware_test.crt -days 3650
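Before signing a request with the cluster CA it is worth confirming that it names exactly the user the RBAC bindings expect and asks for no group memberships, since the API server maps the certificate CN to the username and each O field to a group. The following Go check is an added example, not Cloudaware's or Kubernetes' own code; NewCSR only fabricates constructed test input, and the user name cloudaware_test is the one used on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// VetCSR refuses a PEM certificate request unless it maps to exactly the RBAC
// user named in the ClusterRoleBinding: Kubernetes takes the username from the
// CN and groups from the O fields, so O=system:* must never be signed with the cluster CA.
func VetCSR(csrPEM []byte, expectedUser string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proves possession of the private key
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	if csr.Subject.CommonName != expectedUser {
		return fmt.Errorf("CN %q does not match RBAC user %q", csr.Subject.CommonName, expectedUser)
	}
	for _, group := range csr.Subject.Organization {
		if strings.HasPrefix(group, "system:") {
			return fmt.Errorf("CSR requests reserved group %q", group)
		}
	}
	return nil
}
// NewCSR builds a throwaway request with a fresh key: constructed demo input only.
func NewCSR(cn string, groups []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: groups}}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
```

Run VetCSR over the real cloudaware_test.csr with the user name from the binding; only a nil result should be followed by the openssl signing step.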

4) Set up authorization for the user at the RBAC level. Create a custom ClusterRole named node-reader so that Cloudaware can fetch information about cluster nodes, then bind the user to it and to the built-in view ClusterRole:

...

Code Block
# Bind the user identified by the certificate CN to the built-in read-only ClusterRole "view"
# (namespaced resources only; Secrets are excluded) and to the custom node-reader ClusterRole
# (nodes are cluster-scoped, so "view" alone does not cover them).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware_test-binding
subjects:
- kind: User
  name: cloudaware_test   # must equal the CN of the signed certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware_test-binding2
subjects:
- kind: User
  name: cloudaware_test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader       # the custom ClusterRole created above
  apiGroup: rbac.authorization.k8s.io

6) Once the certificate is signed, go back to Cloudaware. Insert the Cluster URL* and click Upload Signed Certificate to upload the signed certificate. Click Save.

...

*If your Kubernetes Cluster is public, use a direct web link in 'Cluster URL'.

...

Kubernetes Service Account

Ensure you have kubectl installed and configured.

1) Click Using Kubernetes Service Account.

2) Launch kubectl to access the cluster you are adding to Cloudaware.

Create required Kubernetes objects using the following manifest:

Code Block
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudaware-sa
  namespace: default
---
# Custom ClusterRole: read-only access to nodes, which are cluster-scoped
# and therefore not covered by the built-in "view" role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-node-reader-binding
subjects:
- kind: ServiceAccount
  name: cloudaware-sa
  namespace: default
  apiGroup: ""          # ServiceAccount subjects use the core (empty) API group
roleRef:
  kind: ClusterRole
  name: cloudaware-node-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-view-binding
subjects:
- kind: ServiceAccount
  name: cloudaware-sa
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: view            # built-in read-only role; does not expose Secrets
  apiGroup: rbac.authorization.k8s.io

The manifest creates a service account named cloudaware-sa and grants it cluster-wide read-only access via the built-in view ClusterRole, along with permission to get/list/watch cluster nodes. Learn more on Kubernetes RBAC here.

Save the manifest content to a file, e.g. cloudaware-sa.yaml, and run the command:

Code Block
kubectl create -f cloudaware-sa.yaml

Get the service account token using the command:

Code Block
# Reads the token from the auto-created Secret in the "default" namespace and base64-decodes it.
# Note: since Kubernetes 1.24, token Secrets are no longer created automatically for service accounts.
kubectl -n default get secret $(kubectl -n default get secret | awk '/cloudaware-sa/{print $1}') -o jsonpath='{.data.token}' | base64 -d

The newly created service account token is stored in Kubernetes as a Secret. The command above reads the token from that Secret and base64-decodes it. Learn more on service account tokens here.

3) Go back to Cloudaware. Insert the token. Click Save.

List of Kubernetes Cluster Objects

...