To complete a Live Optics Kubernetes collection, you must use an account with at least read-only access to the API endpoints which Live Optics will access.
This article describes how to:
- Create a service account
- Create a user role with at least read-only access to the API
- Bind the user role to the service account
- Create a kubeconfig file for the account to be used by Live Optics for collection
Before You Begin
- Download and install kubectl.exe on the remote cluster using the following instructions: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
NOTE: There are three installation methods available depending on the distribution and package manager you are using. You must determine which method to use for your configuration.
- Verify that the software version is within one minor version difference of your cluster (if kubectl.exe is already installed on your system)
- Download the attached YAML file (liveoptics-read-api-permissions.yaml) located at the end of this article
- Download the attached kubeconfig file (kube_config_template.txt) located at the end of this article
NOTE: The screenshots used in the article are for example purposes only. Ensure you use the correct login credentials, including IP addresses and port numbers, for your own environment.
- Copy the YAML file to your remote cluster using SCP. You can use any target path you wish. This example uses the home path for the logged-in user.
scp <path to liveoptics-read-api-permissions.yaml> <remote_userid>@<remote_host>:<target_path>
- SSH to the remote cluster using the following command:
ssh -l <username> <remote hostname/IP>
You can use any SSH client you wish. This example uses the built-in SSH command on Windows.
- Apply the YAML file you downloaded from this article using the following command:
sudo kubectl apply -f liveoptics-read-api-permissions.yaml
This creates:
- A service account (liveoptics-read-api)
- A token (liveoptics-read-api-token)
- A role (liveoptics-read-api-access)
- A role binding (liveoptics-read-api-binding)
The role created by the YAML file has Get, List, and Watch permissions for the following resources:
- Apps/replicasets
- Apps/statefulsets
- Metrics.k8s.io/*
- Nodes
- Nodes/status
- Persistentvolumes
- Persistentvolumeclaims
- Pods
- Storage.k8s.io/*
- Snapshot.storage.k8s.io/*
- Use the following command to retrieve the token data created automatically in Step 3. The name of the token appears in the output of Step 3. In this example the token name is liveoptics-read-api-token.
sudo kubectl describe secret <token name>
- Copy the full token text (with no white space) and save it for Step 7.
- Next, you must retrieve the certificate authority data for the cluster. Use the following command to display the certificate data. Copy and save it for the next step.
sudo kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
- Open the kubeconfig template file in a text editor.
Replace <CA Data> with the certificate data you copied in the previous step.
Replace <Server URL> with the URL of your cluster, and ensure you include the port number.
Replace <Token Data> with the token copied in Step 5.
The following example shows a completed kubeconfig template file.
- Save the file in the location of your choice. You can now begin a Kubernetes collection using the Live Optics collector. See Complete a Kubernetes collection for more information.
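The placeholder replacement in the steps above can be scripted so that a truncated token, a URL without a port, or malformed CA data is caught before the file is used. This is an added example, not part of the original article or of Live Optics tooling. The function names and the template body are assumptions; only the three placeholders come from the article. It also requires https, which is an assumption beyond the article's wording.

```shell
#!/bin/sh
# Added example (not Live Optics code). Function names are hypothetical.

# Constructed stand-in for kube_config_template.txt, which the article does not
# reproduce; only the three <...> placeholders are taken from the page.
sample_template() {
  cat <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: cluster
  cluster:
    certificate-authority-data: <CA Data>
    server: <Server URL>
users:
- name: liveoptics-read-api
  user:
    token: <Token Data>
contexts:
- name: liveoptics
  context: {cluster: cluster, user: liveoptics-read-api}
current-context: liveoptics
EOF
}

# Usage: fill_kubeconfig TEMPLATE OUTFILE CA_DATA SERVER_URL TOKEN
fill_kubeconfig() (
  tpl=$1 out=$2 ca=$3 server=$4 token=$5
  die() { echo "fill_kubeconfig: $1" >&2; exit 1; }
  # A line break inside a pasted value would corrupt the YAML.
  [ "$(printf '%s%s%s' "$ca" "$server" "$token" | wc -l)" -eq 0 ] ||
    die "values must be single-line"
  # Service account tokens are JWTs: three base64url parts, no white space.
  printf '%s\n' "$token" | grep -Eqx '[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2}' ||
    die "token is incomplete or contains white space"
  # CA data must be base64 that decodes to a PEM certificate.
  printf '%s\n' "$ca" | grep -Eqx '[A-Za-z0-9+/]+={0,2}' &&
    printf '%s' "$ca" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE' ||
    die "CA data is not a base64-encoded PEM certificate"
  # Assumption: the API server is reached over https; the port is required.
  printf '%s\n' "$server" | grep -Eqx 'https://[A-Za-z0-9.-]+:[0-9]+' ||
    die "server URL must be https://host:port"
  # The file holds a bearer token: create it readable by its owner only.
  umask 077
  rm -f "$out"
  sed -e "s|<CA Data>|$ca|" -e "s|<Server URL>|$server|" \
      -e "s|<Token Data>|$token|" "$tpl" > "$out" || die "cannot write $out"
  if grep -Eq '<(CA Data|Server URL|Token Data)>' "$out"; then
    die "placeholder left unreplaced in $out"
  fi
)
```

Pass the path to the downloaded kube_config_template.txt as TEMPLATE; the function exits non-zero and writes nothing if any value fails validation.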