Manual setup
Setup KuboVisor cloud manually.
π· Service account
We recommend to create a specific ServiceAccount object in your cluster to authenticate KuboVisor and grant it specific permissions, but nothing prevents you from using an already existing service account.
In this example, the service account ksa-kubovisor will be created in the kubovisor namespace. You are free to rename the service account and/or to create it in another namespace.
kubectl create namespace kubovisor
kubectl create serviceaccount ksa-kubovisor --namespace kubovisorKubernetes β₯ 1.24
If your cluster version equals or is over 1.24 (or if you have the LegacyServiceAccountTokenNoAutoGeneration feature gate enabled), you will have to manually generate an authentication token for the ServiceAccount.
To get your clusterβs Kubernetes version, you can use this kubectl command:
kubectl version --short=trueTo generate an authentication token for the ServiceAccount, you need to create a Secret defined by the following YAML. Save its content in a kubovisor-secret.yaml file:
apiVersion: v1
kind: Secret
metadata:
namespace: kubovisor
name: ksa-kubovisor
annotations:
kubernetes.io/service-account.name: ksa-kubovisor
type: kubernetes.io/service-account-tokenApply the Secret on your cluster to generate the ServiceAccount token:
kubectl apply -f kubovisor-secret.yamlReferences:
βοΈ Permissions
We currently provide two different set of permissions:
****limited permissions that will allow us to dig deeper in our analysis of your cluster.
****read-only permissions that will enable a base set of features.
Permissions may evolve as we introduce new features.
If you encounter permissions-related issues, be sure to review the minimum required permissions listed below before asking for support.
Note that we currently only provide permissions definition for Role Based Access Control authorization mode. Make sure that your cluster supports it.
Limited write
This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces, as well as read-write access to pods in kubovisor namespace. We wonβt be able to temper with resources outside of kubovisor namespace, only see them.
To define these permissions, we use the ClusterRole, ClusterRoleBinding, Role and RoleBinding objects and link them to the service account we created earlier.
This is the YAML definition of these objects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubovisor
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- list
- get
- watch
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubovisor
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubovisor
subjects:
- kind: ServiceAccount
name: ksa-kubovisor
apiGroup: ''
namespace: kubovisor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: kubovisor
name: kubovisor-limited
rules:
- apiGroups:
- ''
resources:
- pods
- pods/log
verbs:
- create
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: kubovisor
name: kubovisor-limited
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubovisor-limited
subjects:
- kind: ServiceAccount
name: ksa-kubovisor
apiGroup: ''
namespace: kubovisorYou can create them by applying the YAML definition or with the following commands:
kubectl create clusterrole kubovisor \
--verb=list,get,watch \
--resource='*.*'
kubectl patch clusterrole kubovisor \
--patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
--clusterrole=kubovisor \
--serviceaccount=kubovisor:ksa-kubovisor
kubectl create role kubovisor-limited \
--namespace kubovisor \
--verb=create,get,delete \
--resource=pods,pods/log
kubectl create rolebinding kubovisor-limited \
--namespace kubovisor \
--role=kubovisor-limited \
--serviceaccount=kubovisor:ksa-kubovisorRead-only
This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces. We wonβt be able to temper with them, only see them.
To define these permissions, we use the ClusterRole and ClusterRoleBinding objects and link them to the service account we created earlier.
This is the YAML definition of these objects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubovisor
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- list
- get
- watch
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubovisor
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubovisor
subjects:
- kind: ServiceAccount
name: ksa-kubovisor
apiGroup: ''
namespace: kubovisorYou can create them by applying the YAML definition or with the following commands:
kubectl create clusterrole kubovisor \
--verb=list,get,watch \
--resource='*.*'
kubectl patch clusterrole kubovisor \
--patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
--clusterrole=kubovisor \
--serviceaccount=kubovisor:ksa-kubovisorπ Credentials generation
Last step is to generate a kubeconfig file for the ksa-kubovisor ServiceAccount that we created earlier. You can use our hand-crafted Bash script to quickly generate one:
If you want to use a different ServiceAccount, update the parameters provided to the script to match your ServiceAccount name and its Namespace.
curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kubovisor --namespace kubovisorAt the end of the execution, a kubeconfig file will be generated in the current directory. Use this kubeconfig on KuboVisor to add your cluster.
Last updated