Docs
  • Introduction
  • πŸ–₯️Products
    • KuboScore
    • KuboVisor
  • πŸš€Getting started
    • KuboScore
      • Cloud mode
      • Local mode
    • KuboVisor
      • Cloud mode
        • Automatic setup
        • Manual setup
      • Agent mode
      • Troubleshooting
  • πŸŽ“Guides
    • Generate Kubernetes credentials
    • Grant access to a private network
  • 🧐FAQ
Powered by GitBook
On this page
  • Service account
  • Permissions
  • Limited write
  • Read-only
  • Credentials generation
  1. Getting started
  2. KuboVisor
  3. Cloud mode

Manual setup

Setup KuboVisor cloud manually.

PreviousAutomatic setupNextAgent mode

Last updated 2 years ago

The following content assumes you have installed, as well as a privileged access to your cluster to create listed resources.

Service account

We recommend to create a specific ServiceAccount object in your cluster to authenticate KuboVisor and grant it specific permissions, but nothing prevents you from using an already existing service account.

In this example, the service account ksa-kubovisor will be created in the kubovisor namespace. You are free to rename the service account and/or to create it in another namespace.

kubectl create namespace kubovisor
kubectl create serviceaccount ksa-kubovisor --namespace kubovisor

Kubernetes β‰₯ 1.24

If your cluster version equals or is over 1.24 (or if you have the LegacyServiceAccountTokenNoAutoGeneration feature gate enabled), you will have to manually generate an authentication token for the ServiceAccount.

To get your cluster’s Kubernetes version, you can use this kubectl command:

kubectl version --short=true

To generate an authentication token for the ServiceAccount, you need to create a Secret defined by the following YAML. Save its content in a kubovisor-secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  namespace: kubovisor
  name: ksa-kubovisor
  annotations:
    kubernetes.io/service-account.name: ksa-kubovisor
type: kubernetes.io/service-account-token

Apply the Secret on your cluster to generate the ServiceAccount token:

kubectl apply -f kubovisor-secret.yaml

References:

This section uses the kubovisor namespace to reference and create objects. Be sure to update the namespace references if you used another name.

We currently provide two different set of permissions:

Permissions may evolve as we introduce new features.

Limited write

This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces, as well as read-write access to pods in kubovisor namespace. We won’t be able to temper with resources outside of kubovisor namespace, only see them.

To define these permissions, we use the ClusterRole, ClusterRoleBinding, Role and RoleBinding objects and link them to the service account we created earlier.

This is the YAML definition of these objects:

kubovisor-limited-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubovisor
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubovisor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubovisor
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kubovisor
  name: kubovisor-limited
rules:
  - apiGroups:
      - ''
    resources:
      - pods
      - pods/log
    verbs:
      - create
      - get
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kubovisor
  name: kubovisor-limited
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubovisor-limited
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor

You can create them by applying the YAML definition or with the following commands:

kubectl create clusterrole kubovisor \
  --verb=list,get,watch \
  --resource='*.*'
kubectl patch clusterrole kubovisor \
  --patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
  --clusterrole=kubovisor \
  --serviceaccount=kubovisor:ksa-kubovisor
kubectl create role kubovisor-limited \
  --namespace kubovisor \
  --verb=create,get,delete \
  --resource=pods,pods/log
kubectl create rolebinding kubovisor-limited \
  --namespace kubovisor \
  --role=kubovisor-limited \
  --serviceaccount=kubovisor:ksa-kubovisor

Read-only

This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces. We won’t be able to temper with them, only see them.

To define these permissions, we use the ClusterRole and ClusterRoleBinding objects and link them to the service account we created earlier.

This is the YAML definition of these objects:

kubovisor-readonly-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubovisor
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubovisor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubovisor
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor

You can create them by applying the YAML definition or with the following commands:

kubectl create clusterrole kubovisor \
  --verb=list,get,watch \
  --resource='*.*'
kubectl patch clusterrole kubovisor \
  --patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
  --clusterrole=kubovisor \
  --serviceaccount=kubovisor:ksa-kubovisor

If you want to use a different ServiceAccount, update the parameters provided to the script to match your ServiceAccount name and its Namespace.

curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kubovisor --namespace kubovisor

Permissions

**** that will allow us to dig deeper in our analysis of your cluster.

**** that will enable a base set of features.

If you encounter permissions-related issues, be sure to review the minimum required permissions listed below before .

Note that we currently only provide permissions definition for authorization mode. Make sure that your cluster supports it.

Credentials generation

Last step is to generate a kubeconfig file for the ksa-kubovisor ServiceAccount that we created earlier. You can use our to quickly generate one:

Learn more about what this script does on our .

At the end of the execution, a kubeconfig file will be generated in the current directory. Use this kubeconfig on KuboVisor to .

πŸš€
βš–οΈ
πŸ”‘
πŸ‘·
kubectl binary
Managing Service Accounts
Service account tokens
ServiceAccount reference
asking for support
Role Based Access Control
hand-crafted Bash script
dedicated article
limited permissions
read-only permissions
add your cluster