Cloud mode

Run KuboScore on your cluster in cloud mode.

The following content assumes you have kubectl binary installed, as well as a privileged access to your cluster.

If you already have a kubeconfig file with enough permissions, you can score your cluster right away!

👷 Service account

We recommend to create a specific ServiceAccount object in your cluster to authenticate KuboScore and grant it specific permissions, but nothing prevents you from using an already existing ServiceAccount.

In this example, the ServiceAccount ksa-kuboscore will be created in the default Namespace. You are free to rename the ServiceAccount and/or to create it in another Namespace.

kubectl create serviceaccount ksa-kuboscore --namespace default

Kubernetes ≥ 1.24

If your cluster version equals or is over 1.24 (or if you have the LegacyServiceAccountTokenNoAutoGeneration feature gate enabled), you will have to manually generate an authentication token for the ServiceAccount.

To get your cluster’s Kubernetes version, you can use this kubectl command:

kubectl version --short=true

To generate an authentication token for the ServiceAccount, you need to create a Secret defined by the following YAML. Save its content in a kuboscore-secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  namespace: default
  name: ksa-kuboscore
  annotations:
    kubernetes.io/service-account.name: ksa-kuboscore
type: kubernetes.io/service-account-token

Apply the Secret on your cluster to generate the ServiceAccount token:

kubectl apply -f kuboscore-secret.yaml

References:

⚖️ Permissions

If you are using an already existing ServiceAccount that has broader permissions than what is listed below, you can skip this section.

KuboScore needs some privileges to be able to perform its analysis, therefore we need to create a ClusterRole and a ClusterRoleBinding object.

You will find below the ClusterRole definition. Create a new file called kuboscore-clusterrole.yaml and paste the content of this definition in it:

kuboscore-clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kuboscore
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
  - apiGroups:
      - '*'
    resources:
      - configmaps
      - daemonsets
      - deployments
      - horizontalpodautoscalers
      - limitranges
      - namespaces
      - networkpolicies
      - persistentvolumeclaims
      - pods
      - pods/exec
      - pods/portforward
      - resourcequotas
      - secrets
      - services
      - statefulsets
    verbs:
      - create
      - delete
  - nonResourceURLs:
      - /metrics
    verbs:
      - get

Likewise, create a kuboscore-clusterrolebinding.yaml file and paste the content of the following ClusterRoleBinding definition in it:

If you want to use a different ServiceAccount, update the values of subjects[0].name and subjects[0].namespace to match your ServiceAccount name and its Namespace.

kuboscore-clusterrolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kuboscore
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuboscore
subjects:
  - kind: ServiceAccount
    name: ksa-kuboscore
    apiGroup: ''
    namespace: default

References:

🔑 Generate your kubeconfig

If you want to use a different ServiceAccount, update the parameters provided to the script to match your ServiceAccount name and its Namespace.

curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kuboscore --namespace default

🚀 Score your cluster

To score your cluster, we need to be able to reach it. You will find below the network restrictions that we support:

Restriction	Supported	Comment
None		—
Network whitelist		Add the following IP to the list of authorized networks: 34.141.253.143.
SSH bastion		Learn how you can grant us access
Fully private		Use KuboScore in local mode instead

Restriction

Supported

Comment

None

—

Network whitelist

Add the following IP to the list of authorized networks: 34.141.253.143.

SSH bastion

Learn how you can grant us access

Fully private

Use KuboScore in local mode instead

Once access to your cluster is configured, scoring it is pretty easy:

Go to KuboScore
Signing to your account
Upload your kubeconfig file
Fill in the form
Launch the scoring!

How to fill the form?

On the cluster credentials form, we ask you for a bunch of information to be able to connect to your cluster.

Cluster description

This is a description that you can set to quickly find your cluster among other analysis.

Kubeconfig file

This is the kubeconfig file you should have generated for the service account that we created in the prerequisites section.

If your cluster sits in a private network only reachable through a bastion host, you must tick the « This cluster is only reachable through an SSH tunnel » checkbox and add the following additional information.

Bastion host

This is the IP address or DNS hostname on which your bastion is publicly exposed.

Bastion port

This is the port used for SSH connections by your bastion.

Bastion login

This is the user login that we should use to authenticate on your bastion. If you followed our guide to the letter, it should be kubolabs.

Bastion SSH key

This is the SSH private key that was generated through our guide for the kubolabs user.

KubeApi address

This is the Kubernetes API endpoint to use from inside your network in the following form:

protocol://hostname:port

Example:

https://10.1.1.10:6443

PreviousKuboScore NextLocal mode

Last updated 10 months ago