Live Optics | Kubernetes | Create a service account with Kubectl

To complete a Live Optics Kubernetes collection, you must use an account with at least read-only access to the API endpoints which Live Optics will access.

This article describes how to:

• Create a service account
• Create a user role with at least read-only access to the API
• Bind the user role to the service account
• Create a kubeconfig file for the account to be used by Live Optics for collection

Before You Begin 

• Download and install kubectl.exe on the remote cluster using the following instructions: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
  NOTE: There are three installation methods available depending on the distribution and package used. The user must determine which method to use for your configuration.
• Verify that the software version is within one minor version difference of your cluster (if kubectl.exe is already installed on your system)
• Download the attached YAML file (liveoptics-read-api-permissions.yaml) located at the end of this article
• Download the attached Kubeconfig file (kube_config_template.txt) located at the end of this article
   

NOTE: The screenshots used in the article are, for example, purposes only. Ensure you use the correct login credentials, including IP addresses and port numbers for your own environment.
 

1. Copy the YAML file to your remote cluster using SCP. Target the path that you want. This example uses the home path for the logged-in user.

   scp <path to liveoptics-read-api-permissions.yaml> <remote_userid>@<remote_host>:<target_path>

   
   
    
   
    
2. SSH to the remote cluster using the following command:

   ssh -l <username> <remote hostname/IP>

   
   You can use any SSH client you want. This example uses the integrated SSH command on Windows.
   
    
    
3. Apply the YAML file attached to this article, using the following command:
    

   sudo kubectl apply -f liveoptics-read-api-permissions.yaml

   
   This creates:
      - A service account (liveoptics-read-api)
      - A token (liveoptics-read-api-token)
      - A role (liveoptics-read-api-access)
      - A role binding (liveoptics-read-api-binding)
   
    
   
   The role created by the YAML file has Get, List, and Watch permissions for the following resources:
   • Apps/replicasets
   • Apps/statefulsets
   • Metrics.k8s.io/*
   • Nodes
   • Nodes/status
   • Persistentvolumes
   • Persistentvolumeclaims
   • Pods
   • Storage.k8s.io/*
   • Snapshot.storage.k8s.io/*
      
4. Use the following command to retrieve the token data created automatically in Step 3. The name of the token appears in the output of Step 3. In this example the token name is liveoptics-read-api-token.
    

   sudo kubectl describe secret <token name>

   
    
    
5. Copy the full token text (with no white spaces) and save it for Step 7. 
   
    
    
6. Next, you must retrieve the certificate authority data for the cluster. Use the following command to display the certificate data. Copy and save it for the next step.

   sudo kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'

   
    
    
7. Open the Kubeconfig template file in a text editor.
   Replace <CA Data> with the certificate data that you copied in the previous step. 
   Replace <Server URL> with the URL of your cluster, and ensure you include the port number.
   Replace <Token Data> with the token copied in Step 5. 
   
   The following example shows a completed Kubeconfig template file. 
   
    
    
8. Save the file in the location of your choice. You can now begin a Kubernetes collection using the Live Optics collector. See Complete a Kubernetes collection for more information. 

If you have any questions, please reach out to Live Optics Support at liveoptics.support@dell.com.