Manual setup

Setup KuboVisor cloud manually.

The following content assumes you have the kubectl binary installed, as well as privileged access to your cluster to create the listed resources.

👷 Service account

We recommend creating a dedicated ServiceAccount object in your cluster to authenticate KuboVisor and grant it specific permissions, but nothing prevents you from using an already existing service account.

In this example, the service account ksa-kubovisor will be created in the kubovisor namespace. You are free to rename the service account and/or to create it in another namespace.

kubectl create namespace kubovisor
kubectl create serviceaccount ksa-kubovisor --namespace kubovisor


⚖️ Permissions

This section uses the kubovisor namespace to reference and create objects. Be sure to update the namespace references if you used another name.

We currently provide two different sets of permissions:

Limited write

This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces, as well as read-write access to pods in the kubovisor namespace. We won’t be able to tamper with resources outside of the kubovisor namespace, only see them.

To define these permissions, we use the ClusterRole, ClusterRoleBinding, Role and RoleBinding objects and link them to the service account we created earlier.

This is the YAML definition of these objects:

kubovisor-limited-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubovisor
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubovisor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubovisor
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kubovisor
  name: kubovisor-limited
rules:
  - apiGroups:
      - ''
    resources:
      - pods
      - pods/log
    verbs:
      - create
      - get
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kubovisor
  name: kubovisor-limited
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubovisor-limited
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor

You can create them by applying the YAML definition or with the following commands:

kubectl create clusterrole kubovisor \
  --verb=list,get,watch \
  --resource='*.*'
kubectl patch clusterrole kubovisor \
  --patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
  --clusterrole=kubovisor \
  --serviceaccount=kubovisor:ksa-kubovisor
kubectl create role kubovisor-limited \
  --namespace kubovisor \
  --verb=create,get,delete \
  --resource=pods,pods/log
kubectl create rolebinding kubovisor-limited \
  --namespace kubovisor \
  --role=kubovisor-limited \
  --serviceaccount=kubovisor:ksa-kubovisor

Read-only

This set of permissions grants us read-only access to all deployed resources on your cluster, in all namespaces. We won’t be able to tamper with them, only see them.

To define these permissions, we use the ClusterRole and ClusterRoleBinding objects and link them to the service account we created earlier.

This is the YAML definition of these objects:

kubovisor-readonly-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubovisor
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - list
      - get
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubovisor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubovisor
subjects:
  - kind: ServiceAccount
    name: ksa-kubovisor
    apiGroup: ''
    namespace: kubovisor

You can create them by applying the YAML definition or with the following commands:

kubectl create clusterrole kubovisor \
  --verb=list,get,watch \
  --resource='*.*'
kubectl patch clusterrole kubovisor \
  --patch '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["list","get","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}'
kubectl create clusterrolebinding kubovisor \
  --clusterrole=kubovisor \
  --serviceaccount=kubovisor:ksa-kubovisor
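Whichever set you applied (Limited write or Read-only), it is worth confirming that the ServiceAccount ended up with exactly the intended permissions and nothing more. The script below is an added example, not part of the KuboVisor docs: it impersonates the ServiceAccount with kubectl auth can-i and compares the answers against a table of expected verdicts for each set. It assumes your own kubeconfig is allowed to impersonate service accounts; PERMISSION_SET and KUBECTL are assumed variable names.

```shell
#!/bin/sh
# Added example (not part of the KuboVisor docs): check the effective RBAC of the
# ksa-kubovisor ServiceAccount by impersonating it with `kubectl auth can-i`.
SA_NS="${SA_NS:-kubovisor}"
SA_NAME="${SA_NAME:-ksa-kubovisor}"
PERMISSION_SET="${PERMISSION_SET:-limited}"   # "limited" or "readonly" (assumed labels)
KUBECTL="${KUBECTL:-kubectl}"                 # override to point at another binary
# Username the API server assigns to a ServiceAccount, used for impersonation.
sa_subject() { printf 'system:serviceaccount:%s:%s' "$SA_NS" "$SA_NAME"; }
# Expected verdicts per set, one "verb resource namespace expected" per line
# ('*' = all namespaces). Read access to '*' resources includes Secrets everywhere.
checks_for() {
  case "$1" in
    limited)  printf '%s\n' "get secrets * yes" "list pods * yes" "get nodes * yes" \
                "create pods kubovisor yes" "delete pods kubovisor yes" \
                "delete pods default no" "create deployments kubovisor no" ;;
    readonly) printf '%s\n' "get secrets * yes" "list pods * yes" "get nodes * yes" \
                "create pods kubovisor no" "delete pods kubovisor no" \
                "delete pods default no" ;;
    *) echo "unknown permission set: $1" >&2; return 1 ;;
  esac
}
# can_i VERB RESOURCE [NAMESPACE]: prints yes/no as the ServiceAccount would be answered.
can_i() {
  if [ -n "${3:-}" ]; then
    "$KUBECTL" auth can-i "$1" "$2" --as="$(sa_subject)" --namespace "$3" 2>/dev/null || true
  else
    "$KUBECTL" auth can-i "$1" "$2" --as="$(sa_subject)" --all-namespaces 2>/dev/null || true
  fi
}
# verify: returns 0 when every answer matches the table for $PERMISSION_SET, else 1.
verify() {
  failed=0
  checks=$(checks_for "$PERMISSION_SET") || return 1
  while read -r verb res ns want; do
    if [ "$ns" = "*" ]; then ns=""; fi
    got=$(can_i "$verb" "$res" "$ns")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $res in ${ns:-all namespaces}: expected $want, got ${got:-no answer}"
      failed=1
    fi
  done <<EOF
$checks
EOF
  return "$failed"
}
# Usage: sh check_rbac.sh --run   (or source the file and call verify yourself)
if [ "${1:-}" = "--run" ]; then verify && echo "OK: permissions match the '$PERMISSION_SET' set"; fi
```

A MISMATCH line on a cluster-wide read check usually means the ClusterRoleBinding was not created, while a mismatch on a pods write check points at the Role/RoleBinding in the kubovisor namespace.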

🔑 Credentials generation

The last step is to generate a kubeconfig file for the ksa-kubovisor ServiceAccount that we created earlier. You can use our hand-crafted Bash script to quickly generate one:

curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig ksa-kubovisor --namespace kubovisor

Learn more about what this script does in our dedicated article.

At the end of the execution, a kubeconfig file will be generated in the current directory. Use this kubeconfig on KuboVisor to add your cluster.
