Skip to main content
Skip table of contents

Kubernetes Cluster

This article instructs on how to integrate on-prem Kubernetes Clusters with Cloudaware.

Adding Kubernetes Cluster

1. Log in to your Cloudaware account. Select Admin under your username in the upper right corner.

2. Locate Kubernetes Clusters in the list of Cloud Integrations. Click +Add.

3. Insert Cluster Name and Cluster URL*:

*If your Kubernetes Cluster is public, use a direct web link in 'Cluster URL'.

If your Kubernetes Cluster is private, install Breeze agent, set up TunHub Gateway and use the TunHub route URL (e.g. https://tunhub.cloudaware.com:12345) in 'Cluster URL'.

Kubernetes Certificate

1) Select Using Kubernetes Certificate.

2) Insert the username that will be utilized in Kubernetes. Click Generate.

As a result, a certificate will be generated in .csr format (e.g. cloudaware_test.csr)

3) Sign the Cloudaware certificate request that will be used by Kubernetes control plane node - see the example below:

CODE
openssl x509 -req -in cloudaware_test.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out cloudaware_test.crt -days 3650

4) Set up authorization for the user on RBAC level. Create a custom Cluster role node-reader for Cloudaware to be able to fetch the information about Cluster nodes:

CODE
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]

Create a RoleBinding - see the sample command below:

CODE
kubectl create -f cloudaware-user.yaml

Two bindings are in use, the first one binds the default role view, the second one binds the custom Cluster role node-reader:

CODE
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware_test-binding
subjects:
- kind: User
  name: cloudaware_test
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware_test-binding2
subjects:
- kind: User
  name: cloudaware_test
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: ""

6) Once the certificate is signed, go back to Cloudaware. Click Upload Signed Certificate to upload the certificate:

Click Save.

7) The green light in ‘Status’ means that Kubernetes Cluster has been successfully added. If there is a red light, please contact support@cloudaware.com.

Kubernetes Service Account

Ensure you have kubectl installed and configured.

1) Select Using Kubernetes Service Account:

2) Launch kubectl to access the cluster you are adding to Cloudaware.

Create required Kubernetes objects using the following manifest:

CODE
apiVersion: v1
kind: ServiceAccount
metadata:
 name: cloudaware-sa
 namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: cloudaware-node-reader
rules:
- apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 name: cloudaware-node-reader-binding
subjects:
- kind: ServiceAccount
 name: cloudaware-sa
 namespace: default
 apiGroup: ""
roleRef:
 kind: ClusterRole
 name: cloudaware-node-reader
 apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 name: cloudaware-view-binding
subjects:
- kind: ServiceAccount
 name: cloudaware-sa
 namespace: default
 apiGroup: ""
roleRef:
 kind: ClusterRole
 name: view
 apiGroup: ""

The manifest creates a service account named cloudaware-sa and grants it with the cluster-wide read-only access, along with the permissions to get/list/watch cluster nodes. Learn more on Kubernetes RBAC here.

Save the manifest content to a file, e.g. cloudaware-sa.yaml, and run the command:

CODE
kubectl create -f cloudaware-sa.yaml

Get the service account token using the command:

CODE
kubectl get secret $(kubectl get secret | awk '/cloudaware-sa/{print $1}') -o jsonpath={.data.token} | base64 -d 

The newly created service account token is being stored in Kubernetes as a secret. The command above reads and decodes the token from the secret value. Learn more on Service Account Tokens here.

3) Go back to Cloudaware. Insert the Service Account token in the form. Click Save.

4) The green light in ‘Status’ means that Kubernetes Cluster has been successfully added. If there is a red light, please contact support@cloudaware.com.

List of Kubernetes Cluster Objects

Cloudaware supports the following Kubernetes Cluster objects:

Kubernetes Cluster
Kubernetes Cluster Config Map
Kubernetes Cluster Daemon Set
Kubernetes Cluster Deployment
Kubernetes Cluster Endpoint
Kubernetes Cluster HPA
Kubernetes Cluster Ingress
Kubernetes Cluster Limit Range
Kubernetes Cluster Namespace
Kubernetes Cluster Network Policy
Kubernetes Cluster Network Policy Rule
Kubernetes Cluster Node
Kubernetes Cluster Node Address

Kubernetes Cluster Pod
Kubernetes Cluster Pod Container
Kubernetes Cluster Pod Disruption Budget
Kubernetes Cluster Replica Set
Kubernetes Cluster Resource Quota
Kubernetes Cluster Role
Kubernetes Cluster Role Binding
Kubernetes Cluster Secret
Kubernetes Cluster Service
Kubernetes Cluster Service Account
Kubernetes Cluster Service Acc Secret
Kubernetes Cluster Stateful Set

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.