Kubernetes Cluster
A Kubernetes cluster is a set of nodes that run containerized applications. This guide explains how to integrate on-prem Kubernetes clusters with Cloudaware.
To see how Cloudaware seamlessly integrates with Kubernetes Cluster in action, request a demo.
Prerequisites
If Kubernetes cluster is private, set up TunHub gateway and use the TunHub route URL (e.g. https://tunhub.cloudaware.com:12345) as Cluster URL.
Add Kubernetes cluster
Log in to Cloudaware account → Admin.
Find Kubernetes in the list of cloud Integrations. Click +Add.
Fill out the form:
WHERE
Cluster Name - insert a meaningful cluster name
Cluster URL - insert the cluster URL*
*If Kubernetes cluster is public, use a direct web link to the cluster.
If Kubernetes cluster is private, install Breeze agent, set up TunHub gateway and use the TunHub route URL (e.g. https://tunhub.cloudaware.com:12345).
Select one of the options below:
Kubernetes certificate
1) Select Using Kubernetes Certificate. Click GET NEW CERTIFICATE REQUEST.
2) Insert the username that will be utilized in Kubernetes. Click Generate. The certificate will be generated in .csr format.
3) Sign the Cloudaware certificate request that will be used by Kubernetes control plane node - see the example below:
openssl x509 -req -in cloudaware_test.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out cloudaware_test.crt -days 36504) Set up authorization for the user on RBAC level. Create a custom Cluster role node-reader for Cloudaware to be able to fetch the information about Cluster nodes:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: node-reader
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "watch", "list"]Create a RoleBinding - see the sample command below:
kubectl create -f cloudaware-user.yamlTwo bindings are in use, the first one binds the default role view, the second one binds the custom Cluster role node-reader:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cloudaware_test-binding
subjects:
- kind: User
name: cloudaware_test
namespace: default
apiGroup: ""
roleRef:
kind: ClusterRole
name: view
apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cloudaware_test-binding2
subjects:
- kind: User
name: cloudaware_test
namespace: default
apiGroup: ""
roleRef:
kind: ClusterRole
name: node-reader
apiGroup: ""5) Once the certificate is signed, go back to Cloudaware. Click UPLOAD SIGNED CERTIFICATE and upload the certificate file. Click Save.
Kubernetes service account
Ensure you have kubectl installed and configured.
1) Select Using Kubernetes Service Account.
2) Launch kubectl to access the cluster that will be added to Cloudaware. Create required Kubernetes objects using the following manifest:
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloudaware-sa
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cloudaware-node-reader
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cloudaware-node-reader-binding
subjects:
- kind: ServiceAccount
name: cloudaware-sa
namespace: default
apiGroup: ""
roleRef:
kind: ClusterRole
name: cloudaware-node-reader
apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cloudaware-view-binding
subjects:
- kind: ServiceAccount
name: cloudaware-sa
namespace: default
apiGroup: ""
roleRef:
kind: ClusterRole
name: view
apiGroup: ""The manifest creates a service account named cloudaware-sa and grants it with the cluster-wide read-only access, along with the permissions to get/list/watch cluster nodes. Learn more on Kubernetes RBAC here.
2) Save the manifest content to a file, e.g. cloudaware-sa.yaml, and run the command:
kubectl create -f cloudaware-sa.yaml3) Get the service account token using the command:
kubectl get secret $(kubectl get secret | awk '/cloudaware-sa/{print $1}') -o jsonpath={.data.token} | base64 -d The newly created service account token is being stored in Kubernetes as a secret. The command above reads and decodes the token from the secret value. Learn more on Service Account Tokens here.
4) Go back to Cloudaware. Insert the service account token in the form. Click Save.
The green light in 'Status' means that Kubernetes integration has been successfully configured. If there is a red light, please contact support@cloudaware.com.
To view Kubernetes-related data, go to Cloudaware CMDB Navigator. Select KUBERNETES in the menu on the left:
List of Kubernetes objects
Cloudaware supports the following Kubernetes objects:
Kubernetes Cluster
Kubernetes Cluster Config Map
Kubernetes Cluster Daemon Set
Kubernetes Cluster Deployment
Kubernetes Cluster Endpoint
Kubernetes Cluster HPA
Kubernetes Cluster Ingress
Kubernetes Cluster Limit Range
Kubernetes Cluster Namespace
Kubernetes Cluster Network Policy
Kubernetes Cluster Network Policy Rule
Kubernetes Cluster Node
Kubernetes Cluster Node Address
Kubernetes Cluster Pod
Kubernetes Cluster Pod Container
Kubernetes Cluster Pod Disruption Budget
Kubernetes Cluster Replica Set
Kubernetes Cluster Resource Quota
Kubernetes Cluster Role
Kubernetes Cluster Role Binding
Kubernetes Cluster Secret
Kubernetes Cluster Service
Kubernetes Cluster Service Account
Kubernetes Cluster Service Account Secret
Kubernetes Cluster Stateful Set
Kubernetes Cluster Storage Class