# Cloud mode
{% hint style="warning" %}
The following content assumes you have [**`kubectl` binary**](https://kubernetes.io/docs/tasks/tools/#kubectl) **installed**, as well as a **privileged access** to your cluster.
{% endhint %}
{% hint style="info" %}
If you already have a *kubeconfig* file with enough [permissions](#permissions), you can [score your cluster](#score-your-cluster) right away!
{% endhint %}
## :construction\_worker: Service account
We recommend to create a specific ***ServiceAccount*** object in your cluster to authenticate KuboScore and grant it specific permissions, but nothing prevents you from using an already existing *ServiceAccount*.
In this example, the *ServiceAccount* `ksa-kuboscore` will be created in the `default` *Namespace*. You are free to rename the *ServiceAccount* and/or to create it in another *Namespace*.
```bash
kubectl create serviceaccount ksa-kuboscore --namespace default
```
{% hint style="warning" %}
**Kubernetes ≥ 1.24**
If your cluster version equals or is over 1.24 (or if you have the *`LegacyServiceAccountTokenNoAutoGeneration`* feature gate enabled), you will have to manually generate an authentication token for the *ServiceAccount*.
To get your cluster’s Kubernetes version, you can use this `kubectl` command:
```bash
kubectl version --short=true
```
To generate an authentication token for the *ServiceAccount*, you need to create a *Secret* defined by the following YAML. Save its content in a **`kuboscore-secret.yaml`** file:
```yaml
apiVersion: v1
kind: Secret
metadata:
namespace: default
name: ksa-kuboscore
annotations:
kubernetes.io/service-account.name: ksa-kuboscore
type: kubernetes.io/service-account-token
```
Apply the *Secret* on your cluster to generate the *ServiceAccount* token:
```bash
kubectl apply -f kuboscore-secret.yaml
```
{% endhint %}
References:
* [Managing Service Accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
* [Service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens)
* [ServiceAccount reference](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/)
## :scales: Permissions
{% hint style="info" %}
If you are using an already existing *ServiceAccount* that has broader permissions than what is listed below, you can skip this section.
{% endhint %}
KuboScore needs some privileges to be able to perform its analysis, therefore we need to create a ***ClusterRole*** and a ***ClusterRoleBinding*** object.
You will find below the *ClusterRole* definition. Create a new file called `kuboscore-clusterrole.yaml` and paste the content of this definition in it:
{% code title="kuboscore-clusterrole.yaml" lineNumbers="true" %}
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kuboscore
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- list
- get
- apiGroups:
- '*'
resources:
- configmaps
- daemonsets
- deployments
- horizontalpodautoscalers
- limitranges
- namespaces
- networkpolicies
- persistentvolumeclaims
- pods
- pods/exec
- pods/portforward
- resourcequotas
- secrets
- services
- statefulsets
verbs:
- create
- delete
- nonResourceURLs:
- /metrics
verbs:
- get
```
{% endcode %}
Likewise, create a `kuboscore-clusterrolebinding.yaml` file and paste the content of the following *ClusterRoleBinding* definition in it:
{% hint style="warning" %}
If you want to use a different *ServiceAccount*, update the values of `subjects[0].name` and `subjects[0].namespace` to match your *ServiceAccount* name and its *Namespace*.
{% endhint %}
{% code title="kuboscore-clusterrolebinding.yaml" lineNumbers="true" %}
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kuboscore
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kuboscore
subjects:
- kind: ServiceAccount
name: ksa-kuboscore
apiGroup: ''
namespace: default
```
{% endcode %}
References:
* [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
* [ClusterRole reference](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/)
* [ClusterRoleBinding reference](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/)
## :key: Generate your *kubeconfig*
{% hint style="warning" %}
If you want to use a different *ServiceAccount*, update the parameters provided to the script to match your *ServiceAccount* name and its *Namespace*.
{% endhint %}
```bash
curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kuboscore --namespace default
```
## :rocket: Score your cluster
To score your cluster, we need to be able to reach it. You will find below the network restrictions that we support:
| Restriction | Supported | Comment |
| ----------------- | :------------------: | ----------------------------------------------------------------------------------- |
| None | :white\_check\_mark: | — |
| Network whitelist | :white\_check\_mark: | Add the following IP to the list of authorized networks: **34.141.253.143**. |
| SSH bastion | :white\_check\_mark: | [Learn how you can grant us access](/guides/grant-access-to-a-private-network.md) |
| Fully private | :x: | Use KuboScore in [**local mode**](/getting-started/kuboscore/local-mode.md) instead |
Once access to your cluster is configured, scoring it is pretty easy:
1. Go to [KuboScore](https://www.kuboscore.io)
2. Signing to your account
3. Upload your *kubeconfig* file
4. Fill in the form
5. Launch the scoring!
### How to fill the form?
Cluster credentials form.
On the cluster credentials form, we ask you for a bunch of information to be able to connect to your cluster.
**Cluster description**
This is a description that you can set to quickly find your cluster among other analysis.
**Kubeconfig file**
This is the *kubeconfig* file you should have generated for the [service account that we created in the prerequisites section](#service-account).
{% hint style="info" %}
If your cluster sits in a private network only reachable through a bastion host, you must tick the **« This cluster is only reachable through an SSH tunnel »** checkbox and add the following additional information.
{% endhint %}
**Bastion host**
This is the IP address or DNS hostname on which your bastion is publicly exposed.
**Bastion port**
This is the port used for SSH connections by your bastion.
**Bastion login**
This is the user login that we should use to authenticate on your bastion. If you followed [our guide](/guides/grant-access-to-a-private-network.md) to the letter, it should be `kubolabs`.
**Bastion SSH key**
This is the SSH private key that was generated through [our guide](/guides/grant-access-to-a-private-network.md) for the `kubolabs` user.
**KubeApi address**
This is the Kubernetes API endpoint to use **from inside your network** in the following form:
```
protocol://hostname:port
```
Example:
```
https://10.1.1.10:6443
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.kubolabs.io/getting-started/kuboscore/cloud-mode.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.