Cluster Setup
In order to connect your cluster to the Console, there are some preparation steps that must be done.
You can choose between the automatic procedure and the manual one.
- Automatic
- Manual
Contact us to receive the Mia Platform Helm Chart and Template Console Helm Chart that will automatically create the needed ServiceAccount, ClusterRole and ClusterRoleBindings.
ServiceAccount
First, you must create a ServiceAccount on Kubernetes: this service account will be used by the Console to interact with the APIs exposed by Kubernetes on your cluster.
You can do this using the dedicated kubectl command or by creating a new Kubernetes object with the following template:
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{SERVICE_ACCOUNT_NAME}}
labels:
annotations:
ClusterRole
Next, make sure to define the roles needed by the previously created service account. These are the minimal roles required by the Console to work.
Here is the template to quickly define them:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{CLUSTER_ROLE_NAME}}
labels:
annotations:
rules:
- apiGroups:
- ""
resources:
- "pods"
verbs:
- "delete"
- "get"
- "list"
- apiGroups:
- "batch"
resources:
- "cronjobs"
verbs:
- "get"
- "list"
- apiGroups:
- "batch"
resources:
- "jobs"
verbs:
- "create"
- "delete"
- "get"
- "list"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "create"
- "get"
- "list"
- apiGroups:
- ""
resources:
- pods/log
- nodes
- events
- services
verbs:
- "get"
- "list"
- apiGroups:
- "metrics.k8s.io"
resources:
- "pods"
verbs:
- "list"
- apiGroups:
- "apps"
resources:
- "deployments"
- "daemonsets"
verbs:
- "get"
- "list"
- apiGroups:
- "autoscaling"
resources:
- "horizontalpodautoscalers"
verbs:
- "get"
- "list"
- apiGroups:
- ""
resources:
- "namespaces"
verbs:
- "create"
- "delete"
- apiGroups:
- ""
resources:
- "limitranges"
- "resourcequotas"
verbs:
- "create"
- "get"
- "list"
- "patch"
- "update"
- apiGroups:
- ""
resources:
- "namespaces"
verbs:
- "get"
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "rolebindings"
verbs:
- "create"
- apiGroups:
- ""
resources:
- "serviceaccounts"
verbs:
- "create"
- "get"
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "clusterroles"
verbs:
- bind
resourceNames:
- {{NAME_OF_THE_SERVICE_ACCOUNT_USED_FOR_THE_DEPLOY}}
Monitoring custom resources from the Console
Follow these guidelines to configure the custom resources. You need to make sure that the Console has the correct permissions to display the information to the users.
Here is an example to show how to give the correct permissions to custom resource definitions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# ...
rules:
# For each custom resource definitions we need to add:
- apiGroups:
- "<custom-resource-definitions.group>"
resources:
- "<custom-resource-definitions.names.plural>"
verbs:
- get
- list
After adding the necessary permissions follow this guide to see your custom resources in the Console.
ClusterRoleBindings
Finally, make sure to associate the roles with the service account using the ClusterRoleBindings that can be created using the following template:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name:
labels:
annotations:
roleRef:
kind: ClusterRole
name: {{CLUSTER_ROLE_NAME}}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{SERVICE_ACCOUNT_NAME}}
namespace:
CA and Token
If everything has been made correctly, we can now extract the Certificate Authority (CA) and the Token that will be mandatory for the cluster connection.
To extract the Token, you can use the following command, that will also automatically decode it for you:
kubectl get secret `kubectl -n get sa $(SERVICE_ACCOUNT_NAME) -o jsonpath='{.secrets[0].name}'` -o jsonpath='{.data.token}' | base64 -d
To extract the CA, you can use the following command, that will also automatically decode it for you:
kubectl get secret `kubectl get sa $(SERVICE_ACCOUNT_NAME) -o jsonpath='{.secrets[0].name}'` -o jsonpath="{.data['ca\.crt']}" | base64 -d
If you have created everything in a specific namespace, don't forget to specify it using the -n parameter of the kubectl.