# Cloud mode

{% hint style="warning" %}
The following content assumes you have [**`kubectl` binary**](https://kubernetes.io/docs/tasks/tools/#kubectl) **installed**, as well as a **privileged access** to your cluster.
{% endhint %}

{% hint style="info" %}
If you already have a *kubeconfig* file with enough [permissions](#permissions), you can [score your cluster](#score-your-cluster) right away!
{% endhint %}

## :construction\_worker: Service account

We recommend to create a specific ***ServiceAccount*** object in your cluster to authenticate KuboScore and grant it specific permissions, but nothing prevents you from using an already existing *ServiceAccount*.

In this example, the *ServiceAccount* `ksa-kuboscore` will be created in the `default` *Namespace*. You are free to rename the *ServiceAccount* and/or to create it in another *Namespace*.

```bash
kubectl create serviceaccount ksa-kuboscore --namespace default
```

{% hint style="warning" %}
**Kubernetes ≥ 1.24**

If your cluster version equals or is over 1.24 (or if you have the *`LegacyServiceAccountTokenNoAutoGeneration`* feature gate enabled), you will have to manually generate an authentication token for the *ServiceAccount*.

To get your cluster’s Kubernetes version, you can use this `kubectl` command:

```bash
kubectl version --short=true
```

To generate an authentication token for the *ServiceAccount*, you need to create a *Secret* defined by the following YAML. Save its content in a **`kuboscore-secret.yaml`** file:

```yaml
apiVersion: v1
kind: Secret
metadata:
  namespace: default
  name: ksa-kuboscore
  annotations:
    kubernetes.io/service-account.name: ksa-kuboscore
type: kubernetes.io/service-account-token
```

Apply the *Secret* on your cluster to generate the *ServiceAccount* token:

```bash
kubectl apply -f kuboscore-secret.yaml
```

{% endhint %}

References:

* [Managing Service Accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
* [Service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens)
* [ServiceAccount reference](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/)

## :scales: Permissions

{% hint style="info" %}
If you are using an already existing *ServiceAccount* that has broader permissions than what is listed below, you can skip this section.
{% endhint %}

KuboScore needs some privileges to be able to perform its analysis, therefore we need to create a ***ClusterRole*** and a ***ClusterRoleBinding*** object.

You will find below the *ClusterRole* definition. Create a new file called `kuboscore-clusterrole.yaml` and paste the content of this definition in it:

{% code title="kuboscore-clusterrole.yaml" lineNumbers="true" %}

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kuboscore
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
  - apiGroups:
      - '*'
    resources:
      - configmaps
      - daemonsets
      - deployments
      - horizontalpodautoscalers
      - limitranges
      - namespaces
      - networkpolicies
      - persistentvolumeclaims
      - pods
      - pods/exec
      - pods/portforward
      - resourcequotas
      - secrets
      - services
      - statefulsets
    verbs:
      - create
      - delete
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
```

{% endcode %}

Likewise, create a `kuboscore-clusterrolebinding.yaml` file and paste the content of the following *ClusterRoleBinding* definition in it:

{% hint style="warning" %}
If you want to use a different *ServiceAccount*, update the values of `subjects[0].name` and `subjects[0].namespace` to match your *ServiceAccount* name and its *Namespace*.
{% endhint %}

{% code title="kuboscore-clusterrolebinding.yaml" lineNumbers="true" %}

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kuboscore
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuboscore
subjects:
  - kind: ServiceAccount
    name: ksa-kuboscore
    apiGroup: ''
    namespace: default
```

{% endcode %}

References:

* [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
* [ClusterRole reference](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/)
* [ClusterRoleBinding reference](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/)

## :key: Generate your *kubeconfig*

{% hint style="warning" %}
If you want to use a different *ServiceAccount*, update the parameters provided to the script to match your *ServiceAccount* name and its *Namespace*.
{% endhint %}

```bash
curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kuboscore --namespace default
```

## :rocket: Score your cluster

To score your cluster, we need to be able to reach it. You will find below the network restrictions that we support:

| Restriction       |       Supported      | Comment                                                                                                  |
| ----------------- | :------------------: | -------------------------------------------------------------------------------------------------------- |
| None              | :white\_check\_mark: | —                                                                                                        |
| Network whitelist | :white\_check\_mark: | Add the following IP to the list of authorized networks: **34.141.253.143**.                             |
| SSH bastion       | :white\_check\_mark: | [Learn how you can grant us access](https://docs.kubolabs.io/guides/grant-access-to-a-private-network)   |
| Fully private     |          :x:         | Use KuboScore in [**local mode**](https://docs.kubolabs.io/getting-started/kuboscore/local-mode) instead |

Once access to your cluster is configured, scoring it is pretty easy:

1. Go to [KuboScore](https://www.kuboscore.io)
2. Signing to your account
3. Upload your *kubeconfig* file
4. Fill in the form
5. Launch the scoring!

### How to fill the form?

<figure><img src="https://1027538846-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FALaQyn9R5AiEIcVCAxPW%2Fuploads%2F6QsVHbb64YdpCXDyUygN%2Fkuboscore-cluster-credentials-form.png?alt=media&#x26;token=9c762b9f-07f0-4071-a70d-6dfbecdf5dc3" alt=""><figcaption><p>Cluster credentials form.</p></figcaption></figure>

On the cluster credentials form, we ask you for a bunch of information to be able to connect to your cluster.

**Cluster description**

This is a description that you can set to quickly find your cluster among other analysis.

**Kubeconfig file**

This is the *kubeconfig* file you should have generated for the [service account that we created in the prerequisites section](#service-account).

{% hint style="info" %}
If your cluster sits in a private network only reachable through a bastion host, you must tick the **« This cluster is only reachable through an SSH tunnel »** checkbox and add the following additional information.
{% endhint %}

**Bastion host**

This is the IP address or DNS hostname on which your bastion is publicly exposed.

**Bastion port**

This is the port used for SSH connections by your bastion.

**Bastion login**

This is the user login that we should use to authenticate on your bastion. If you followed [our guide](https://docs.kubolabs.io/guides/grant-access-to-a-private-network) to the letter, it should be `kubolabs`.

**Bastion SSH key**

This is the SSH private key that was generated through [our guide](https://docs.kubolabs.io/guides/grant-access-to-a-private-network) for the `kubolabs` user.

**KubeApi address**

This is the Kubernetes API endpoint to use **from inside your network** in the following form:

```
protocol://hostname:port
```

Example:

```
https://10.1.1.10:6443
```