To complete a Live Optics Kubernetes collection, you must use an account with at least read-only access to the API endpoints which Live Optics will access.
This article describes how to:
- Create a service account
- Create a user role with at least read-only access to the API
- Bind the user role to the service account
- Create a kubeconfig file for the account to be used by Live Optics for collection
Before You Begin
- Download and install the OpenShift CLI (oc). See https://docs.openshift.com/container-platform/4.15/cli_reference/openshift_cli/getting-started-cli.html for more information.
- Download the attached YAML file (liveoptics-read-api-permissions.yaml) located at the end of this article.
NOTE: The screenshots used in the article are for example purposes only. Ensure you use the correct login credentials, including IP addresses and port numbers, for your own environment.
1. Open a terminal or command prompt and enter the following command to log in to your target cluster. Replace <cluster-url> with the URL of your target cluster.
oc login <cluster-url>
2. Enter your username and password when prompted.
3. Apply the YAML file you downloaded from this article (located at the bottom) using the following command, substituting the name of the file as you saved it:
oc apply -f liveoptics-read-api.yaml
This creates:
- A service account (liveoptics-read-api)
- A token (liveoptics-read-api-token)
- A role (liveoptics-read-api-access)
- A role binding (liveoptics-read-api-binding)
The role created by the YAML file has get, list, and watch permissions for the following resources:
- apps/replicasets
- apps/statefulsets
- metrics.k8s.io/*
- nodes
- nodes/status
- persistentvolumes
- persistentvolumeclaims
- pods
- storage.k8s.io/*
- snapshot.storage.k8s.io/*
4. Use the following command to retrieve the token data created automatically in Step 3. The name of the token appears in the output of Step 3. In this example, the token name is liveoptics-read-api-token.
oc describe secret <token name>
5. Copy the full token text (with no white spaces) and save it for the next step.
6. To generate the kubeconfig file, run the following command. Replace <server_name> with your server details and $TOKEN with the token saved in the previous step, and set --kubeconfig to the location where the kubeconfig file should be saved. In this example, it is saved in the /tmp directory.
oc login --server=<server_name> --token=$TOKEN --kubeconfig=/tmp/serviceaccount-kubeconfig
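Navigate to your specified location to retrieve the kubeconfig file. The file contains the service account token, so keep it where only the person running the collection can read it. You can now begin a Kubernetes collection using the Live Optics collector. See Complete a Kubernetes collection for more information.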
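The script below is an added example, not part of the original article or of the Live Optics YAML file. It checks a role's JSON (for instance, saved from `oc get ... -o json` for liveoptics-read-api-access) against the verbs and resources listed above, so the account's scope can be confirmed as read-only before the kubeconfig is used. The function name, the flagging of nonResourceURLs, and both sample roles are assumptions constructed for illustration.

```python
import json

# Verbs and (apiGroup, resource) pairs the article lists for liveoptics-read-api-access.
ALLOWED_VERBS = {"get", "list", "watch"}
ALLOWED = {
    ("apps", "replicasets"), ("apps", "statefulsets"),
    ("metrics.k8s.io", "*"),
    ("", "nodes"), ("", "nodes/status"),
    ("", "persistentvolumes"), ("", "persistentvolumeclaims"), ("", "pods"),
    ("storage.k8s.io", "*"), ("snapshot.storage.k8s.io", "*"),
}

def audit_role(role_json: str) -> list[str]:
    """Return findings for rules that exceed the documented read-only scope."""
    findings = []
    for i, rule in enumerate(json.loads(role_json).get("rules") or []):
        extra_verbs = set(rule.get("verbs", [])) - ALLOWED_VERBS
        if extra_verbs:
            findings.append(f"rule {i}: unexpected verbs {sorted(extra_verbs)}")
        if rule.get("nonResourceURLs"):  # the article lists no non-resource URLs
            findings.append(f"rule {i}: nonResourceURLs {rule['nonResourceURLs']}")
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                # A documented "<group>/*" grant covers every resource in that group.
                if (group, res) not in ALLOWED and (group, "*") not in ALLOWED:
                    findings.append(f"rule {i}: undocumented resource {group or 'core'}/{res}")
    return findings

# Constructed samples (not the vendor file): one matching the article, one over-broad.
GOOD = json.dumps({"rules": [
    {"apiGroups": [""], "resources": ["nodes", "nodes/status", "pods",
     "persistentvolumes", "persistentvolumeclaims"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["replicasets", "statefulsets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["metrics.k8s.io", "storage.k8s.io", "snapshot.storage.k8s.io"],
     "resources": ["*"], "verbs": ["get", "list", "watch"]},
]})
BAD = json.dumps({"rules": [
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "delete"]},
]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, audit_role(doc) or "matches documented read-only scope")
```

An empty result means every rule stays within the get, list, and watch permissions and resources this article documents; any finding is worth reviewing before the token is issued to the collector.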