Kubernetes Cluster
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
This article explains how to integrate on-prem Kubernetes clusters with Cloudaware.
To see how Cloudaware seamlessly integrates with Kubernetes Cluster in action, request a demo.
Adding Kubernetes Cluster
1. Log in to your Cloudaware account. Select Admin under your username in the upper right corner.
2. Locate Kubernetes Clusters in the list of Cloud Integrations. Click +Add.
3. Insert Cluster Name and Cluster URL*:
*If your Kubernetes Cluster is public, use a direct web link in 'Cluster URL'.
If your Kubernetes Cluster is private, install Breeze agent, set up TunHub Gateway and use the TunHub route URL (e.g. https://tunhub.cloudaware.com:12345) in 'Cluster URL'.
Kubernetes Certificate
1) Select Using Kubernetes Certificate.
2) Insert the username that will be utilized in Kubernetes. Click Generate.
As a result, a certificate request will be generated in .csr format (e.g. cloudaware_test.csr).
3) Sign the Cloudaware certificate request with the cluster CA on the Kubernetes control plane node - see the example below:
openssl x509 -req -in cloudaware_test.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out cloudaware_test.crt -days 3650
4) Set up authorization for the user at the RBAC level. Create a custom ClusterRole node-reader so that Cloudaware can fetch information about cluster nodes:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
Create the role bindings from a manifest file (cloudaware-user.yaml in the sample command below):
kubectl create -f cloudaware-user.yaml
Two bindings are in use: the first one binds the default role view, the second one binds the custom ClusterRole node-reader:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware_test-binding
subjects:
- kind: User
  name: cloudaware_test
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware_test-binding2
subjects:
- kind: User
  name: cloudaware_test
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: ""
6) Once the certificate is signed, go back to Cloudaware. Click Upload Signed Certificate to upload the certificate:
Click Save.
7) The green light in ‘Status’ means that Kubernetes Cluster has been successfully added. If there is a red light, please contact support@cloudaware.com.
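Step 3 signs a request that was generated outside the cluster with the cluster CA key, and Kubernetes client-certificate authentication takes the user name from the certificate's CN and one group from each O attribute. The script below is an added example, not Cloudaware's code, that checks the CSR subject against the expected username before signing; the file name check_csr.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Cloudaware code. Kubernetes X.509 client authentication
# takes the user name from the certificate CN and one group from each O
# attribute, so the CSR subject decides what identity the cluster CA vouches for.

# Print a CSR's subject in RFC 2253 form, e.g. "CN=cloudaware_test".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_subject SUBJECT EXPECTED_USER
# Exit status 0: CN equals EXPECTED_USER and no O (group) attribute is present.
# Exit status 1: otherwise; the reasons are printed on stdout.
check_subject() {
    printf '%s\n' "$1" | awk -v want="$2" '
    {
        n = 0; cur = ""; bad = 0; cns = 0
        # Split into attributes on "," and "+", honouring backslash escapes.
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\") { cur = cur substr($0, ++i, 1); continue }
            if (c == "," || c == "+") { attr[++n] = cur; cur = ""; continue }
            cur = cur c
        }
        attr[++n] = cur
        for (j = 1; j <= n; j++) {
            eq = index(attr[j], "=")
            key = toupper(substr(attr[j], 1, eq - 1))
            val = substr(attr[j], eq + 1)
            if (key == "O") { print "group in subject: " val; bad = 1 }
            if (key == "CN") { cns++; if (val != want) { print "unexpected CN: " val; bad = 1 } }
        }
        if (cns != 1) { print "expected exactly one CN, found " cns; bad = 1 }
        exit bad
    }'
}

# Usage: sh check_csr.sh cloudaware_test.csr cloudaware_test
if [ "$#" -eq 2 ]; then
    subject=$(csr_subject "$1")
    if check_subject "$subject" "$2"; then
        echo "OK to sign: $subject"
    else
        echo "do not sign: $subject"; exit 1
    fi
fi
```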
Kubernetes Service Account
Ensure you have kubectl installed and configured.
1) Select Using Kubernetes Service Account:
2) Launch kubectl to access the cluster you are adding to Cloudaware.
Create required Kubernetes objects using the following manifest:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudaware-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-node-reader-binding
subjects:
- kind: ServiceAccount
  name: cloudaware-sa
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: cloudaware-node-reader
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-view-binding
subjects:
- kind: ServiceAccount
  name: cloudaware-sa
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: ""
The manifest creates a service account named cloudaware-sa and grants it cluster-wide read-only access, along with permissions to get/list/watch cluster nodes. Learn more on Kubernetes RBAC here.
Save the manifest content to a file, e.g. cloudaware-sa.yaml, and run the command:
kubectl create -f cloudaware-sa.yaml
Get the service account token using the command:
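kubectl get secret $(kubectl get secret | awk '/cloudaware-sa/{print $1}') -o jsonpath='{.data.token}' | base64 -d
The newly created service account token is stored in Kubernetes as a secret. The command above reads the token from the secret value and decodes it. On Kubernetes 1.24 and later, a token secret is no longer created automatically for a service account, so on those versions the command returns a token only after such a secret has been created. Learn more on Service Account Tokens here.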
3) Go back to Cloudaware. Insert the Service Account token in the form. Click Save.
4) The green light in ‘Status’ means that Kubernetes Cluster has been successfully added. If there is a red light, please contact support@cloudaware.com.
List of Kubernetes Cluster Objects
Cloudaware supports the following Kubernetes Cluster objects:
Kubernetes Cluster | Kubernetes Cluster Pod |