Comment on page
Cloud mode
Run KuboScore on your cluster in cloud mode.
The following content assumes you have
kubectl
binary installed, as well as a privileged access to your cluster.If you already have a kubeconfig file with enough permissions, you can score your cluster right away!
We recommend to create a specific ServiceAccount object in your cluster to authenticate KuboScore and grant it specific permissions, but nothing prevents you from using an already existing ServiceAccount.
In this example, the ServiceAccount
ksa-kuboscore
will be created in the default
Namespace. You are free to rename the ServiceAccount and/or to create it in another Namespace.kubectl create serviceaccount ksa-kuboscore --namespace default
Kubernetes ≥ 1.24
If your cluster version equals or is over 1.24 (or if you have the
LegacyServiceAccountTokenNoAutoGeneration
feature gate enabled), you will have to manually generate an authentication token for the ServiceAccount.To get your cluster’s Kubernetes version, you can use this
kubectl
command:kubectl version --short=true
To generate an authentication token for the ServiceAccount, you need to create a Secret defined by the following YAML. Save its content in a
kuboscore-secret.yaml
file:apiVersion: v1
kind: Secret
metadata:
namespace: default
name: ksa-kuboscore
annotations:
kubernetes.io/service-account.name: ksa-kuboscore
type: kubernetes.io/service-account-token
Apply the Secret on your cluster to generate the ServiceAccount token:
kubectl apply -f kuboscore-secret.yaml
References:
If you are using an already existing ServiceAccount that has broader permissions than what is listed below, you can skip this section.
KuboScore needs some privileges to be able to perform its analysis, therefore we need to create a ClusterRole and a ClusterRoleBinding object.
You will find below the ClusterRole definition. Create a new file called
kuboscore-clusterrole.yaml
and paste the content of this definition in it:kuboscore-clusterrole.yaml
1
apiVersion: rbac.authorization.k8s.io/v1
2
kind: ClusterRole
3
metadata:
4
name: kuboscore
5
rules:
6
- apiGroups:
7
- '*'
8
resources:
9
- '*'
10
verbs:
11
- list
12
- get
13
- apiGroups:
14
- '*'
15
resources:
16
- configmaps
17
- daemonsets
18
- deployments
19
- horizontalpodautoscalers
20
- limitranges
21
- namespaces
22
- networkpolicies
23
- persistentvolumeclaims
24
- pods
25
- pods/exec
26
- pods/portforward
27
- resourcequotas
28
- secrets
29
- services
30
- statefulsets
31
verbs:
32
- create
33
- delete
34
- nonResourceURLs:
35
- /metrics
36
verbs:
37
- get
Likewise, create a
kuboscore-clusterrolebinding.yaml
file and paste the content of the following ClusterRoleBinding definition in it:If you want to use a different ServiceAccount, update the values of
subjects[0].name
and subjects[0].namespace
to match your ServiceAccount name and its Namespace.kuboscore-clusterrolebinding.yaml
1
apiVersion: rbac.authorization.k8s.io/v1
2
kind: ClusterRoleBinding
3
metadata:
4
name: kuboscore
5
roleRef:
6
apiGroup: rbac.authorization.k8s.io
7
kind: ClusterRole
8
name: kuboscore
9
subjects:
10
- kind: ServiceAccount
11
name: ksa-kuboscore
12
apiGroup: ''
13
namespace: default
References:
If you want to use a different ServiceAccount, update the parameters provided to the script to match your ServiceAccount name and its Namespace.
curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kuboscore --namespace default
To score your cluster, we need to be able to reach it. You will find below the network restrictions that we support:
Restriction | Supported | Comment |
---|---|---|
None | ✅ | — |
Network whitelist | ✅ | Add the following IP to the list of authorized networks: 34.141.253.143. |
SSH bastion | ✅ | |
Fully private | ❌ |
Once access to your cluster is configured, scoring it is pretty easy:
- 1.
- 2.Signing to your account
- 3.Upload your kubeconfig file
- 4.Fill in the form
- 5.Launch the scoring!

Cluster credentials form.
On the cluster credentials form, we ask you for a bunch of information to be able to connect to your cluster.
Cluster description
This is a description that you can set to quickly find your cluster among other analysis.
Kubeconfig file
This is the kubeconfig file you should have generated for the service account that we created in the prerequisites section.
If your cluster sits in a private network only reachable through a bastion host, you must tick the « This cluster is only reachable through an SSH tunnel » checkbox and add the following additional information.
Bastion host
This is the IP address or DNS hostname on which your bastion is publicly exposed.
Bastion port
This is the port used for SSH connections by your bastion.
Bastion login
This is the user login that we should use to authenticate on your bastion. If you followed our guide to the letter, it should be
kubolabs
.Bastion SSH key
KubeApi address
This is the Kubernetes API endpoint to use from inside your network in the following form:
protocol://hostname:port
Example:
https://10.1.1.10:6443
Last modified 5mo ago