Manual setup

Setup KuboVisor cloud manually.

The following content assumes you have kubectl binary installed, as well as a privileged access to your cluster to create listed resources.

👷 Service account

We recommend to create a specific ServiceAccount object in your cluster to authenticate KuboVisor and grant it specific permissions, but nothing prevents you from using an already existing service account.

In this example, the service account ksa-kubovisor will be created in the kubovisor namespace. You are free to rename the service account and/or to create it in another namespace.

kubectl create namespace kubovisor
kubectl create serviceaccount ksa-kubovisor --namespace kubovisor

Kubernetes ≥ 1.24

If your cluster version equals or is over 1.24 (or if you have the LegacyServiceAccountTokenNoAutoGeneration feature gate enabled), you will have to manually generate an authentication token for the ServiceAccount.

To get your cluster’s Kubernetes version, you can use this kubectl command:

kubectl version --short=true

To generate an authentication token for the ServiceAccount, you need to create a Secret defined by the following YAML. Save its content in a kubovisor-secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  namespace: kubovisor
  name: ksa-kubovisor
  annotations:
    kubernetes.io/service-account.name: ksa-kubovisor
type: kubernetes.io/service-account-token

Apply the Secret on your cluster to generate the ServiceAccount token:

kubectl apply -f kubovisor-secret.yaml

References:

⚖️ Permissions

This section uses the kubovisor namespace to reference and create objects. Be sure to update the namespace references if you used another name.

We currently provide two different set of permissions:

****limited permissions that will allow us to dig deeper in our analysis of your cluster.
****read-only permissions that will enable a base set of features.

Permissions may evolve as we introduce new features.

If you encounter permissions-related issues, be sure to review the minimum required permissions listed below before asking for support.

Note that we currently only provide permissions definition for Role Based Access Control authorization mode. Make sure that your cluster supports it.

Limited write

This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces, as well as read-write access to pods in kubovisor namespace. We won’t be able to temper with resources outside of kubovisor namespace, only see them.

To define these permissions, we use the ClusterRole, ClusterRoleBinding, Role and RoleBinding objects and link them to the service account we created earlier.

This is the YAML definition of these objects:

kubovisor-limited-permissions.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubovisor
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubovisor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubovisor
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kubovisor
  name: kubovisor-limited
rules:
  - apiGroups:
      - ''
    resources:
      - pods
      - pods/log
    verbs:
      - create
      - get
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kubovisor
  name: kubovisor-limited
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubovisor-limited
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor

You can create them by applying the YAML definition or with the following commands:

kubectl create clusterrole kubovisor \
  --verb=list,get,watch \
  --resource='*.*'
kubectl patch clusterrole kubovisor \
  --patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
  --clusterrole=kubovisor \
  --serviceaccount=kubovisor:ksa-kubovisor
kubectl create role kubovisor-limited \
  --namespace kubovisor \
  --verb=create,get,delete \
  --resource=pods,pods/log
kubectl create rolebinding kubovisor-limited \
  --namespace kubovisor \
  --role=kubovisor-limited \
  --serviceaccount=kubovisor:ksa-kubovisor

Read-only

This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces. We won’t be able to temper with them, only see them.

To define these permissions, we use the ClusterRole and ClusterRoleBinding objects and link them to the service account we created earlier.

This is the YAML definition of these objects:

kubovisor-readonly-permissions.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubovisor
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubovisor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubovisor
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor

You can create them by applying the YAML definition or with the following commands:

kubectl create clusterrole kubovisor \
  --verb=list,get,watch \
  --resource='*.*'
kubectl patch clusterrole kubovisor \
  --patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
  --clusterrole=kubovisor \
  --serviceaccount=kubovisor:ksa-kubovisor

🔑 Credentials generation

Last step is to generate a kubeconfig file for the ksa-kubovisor ServiceAccount that we created earlier. You can use our hand-crafted Bash script to quickly generate one:

If you want to use a different ServiceAccount, update the parameters provided to the script to match your ServiceAccount name and its Namespace.

curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kubovisor --namespace kubovisor

Learn more about what this script does on our dedicated article.

At the end of the execution, a kubeconfig file will be generated in the current directory. Use this kubeconfig on KuboVisor to add your cluster.

PreviousAutomatic setup NextAgent mode

Last updated 1 year ago