K8s Integration

Prerequisites:

  • Connector version 1.3.2 and later
  • Admin permission to K8s

NOTE - The connector needs access to the desired K8s cluster (through the K8s API) and requires a cluster-admin service account to operate.

Creating the service account:

  1. Run kubectl create serviceaccount admin-for-apono --context <context>

    • Pass the correct kubeconfig context with the --context flag
  2. Check if a token was created for this service account:

    • kubectl describe serviceaccount admin-for-apono --context <context>
      In the results, check the Tokens section for the token name.
      If the token does not exist (auto-creation is disabled by default from k8s v1.24), create a token manually by running kubectl apply -f token.yml --context <context> (the content of token.yml is below).
apiVersion: v1
kind: Secret
metadata:
  name: admin-for-apono-token
  annotations:
    kubernetes.io/service-account.name: admin-for-apono
type: kubernetes.io/service-account-token
  3. If the secret was created manually, assign it to the created Apono service account admin-for-apono:
  • Retrieve the service account YAML by running kubectl get serviceaccount admin-for-apono -o yaml --context <context>
  • Save the output to admin-for-apono.yml
  • Add the following secrets section to the bottom of the YAML:
secrets:
  - name: admin-for-apono-token
  • admin-for-apono.yml should now have content similar to this:
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-01-01T12:00:00Z"
  name: admin-for-apono
  namespace: default
  resourceVersion: "12345678"
  uid: aaaaaaaa-1111-bbbb-2222-cccccccccccc
secrets:
- name: admin-for-apono-token
  • Apply the modified service account configuration with kubectl apply -f admin-for-apono.yml --context <context>
  4. Create a rolebind.yml file with the following snippet and apply it by running kubectl apply -f rolebind.yml --context <context>.
    It assigns the cluster-admin role to the Apono service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-for-apono-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- namespace: default
  kind: ServiceAccount
  name: admin-for-apono
  5. Retrieve the token and CA (Certificate Authority) from the service account secret by running these commands:
    • kubectl get secret <token_name> -o jsonpath='{.data.ca\.crt}' --context <context>
    • kubectl get secret <token_name> -o jsonpath='{.data.token}' --context <context>

NOTE - Save the outputs; they are used in the next step, when creating a secret.

  6. Create a secret in the secret store you use for the admin-for-apono service account

  7. Connect Kubernetes to Apono

    • Click on Integrations Catalog
    • Under Kubernetes, look for Kubernetes Roles and click Connect
    • Fill in the integration details:
      Cluster name
      Server URL (the Cluster URL)
      Cluster CA - take from the Apono service account secret -> data -> ca.crt, encode in base64
      Secret name where the token is stored
    • Click Connect
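
The two kubectl get secret commands above return the values as stored in the Secret's data field, that is, base64-encoded. The following is an added example (not part of the original documentation) that sanity-checks both saved outputs before a cluster-admin credential is placed in the secret store; the function names are hypothetical, the sample inputs are constructed, and the service account is assumed to live in the default namespace as in rolebind.yml.

```python
import base64
import json

# Subject a token for the page's service account (namespace "default") carries.
EXPECTED_SUBJECT = "system:serviceaccount:default:admin-for-apono"


def _b64url(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_secret_outputs(token_b64: str, ca_b64: str,
                         subject: str = EXPECTED_SUBJECT) -> list:
    """Return a list of problems; an empty list means both values look right."""
    problems = []
    try:
        # .data.token is base64 of the JWT: decode once to get header.payload.signature.
        jwt = base64.b64decode(token_b64.strip(), validate=True).decode("ascii")
        parts = jwt.split(".")
        if len(parts) != 3:
            raise ValueError("not a three-part JWT")
        claims = json.loads(_b64url(parts[1]))
        # Sanity check only: the signature is not verified here.
        if not isinstance(claims, dict) or claims.get("sub") != subject:
            problems.append("token: subject is not " + subject)
    except ValueError as exc:
        problems.append("token: cannot decode (%s)" % exc)
    try:
        pem = base64.b64decode(ca_b64.strip(), validate=True).decode("ascii")
        if not pem.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
            problems.append("ca.crt: not a PEM certificate")
    except ValueError as exc:
        problems.append("ca.crt: cannot decode (%s)" % exc)
    return problems


def sample_token(subject: str) -> str:
    # Constructed stand-in for the .data.token output; the signature is a dummy.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": "kubernetes/serviceaccount", "sub": subject}
    jwt = ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])
    return base64.b64encode(jwt.encode()).decode()


# Constructed stand-in for the .data.ca\.crt output (PEM framing only, not a real certificate).
SAMPLE_CA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n").decode()

if __name__ == "__main__":
    print(check_secret_outputs(sample_token(EXPECTED_SUBJECT), SAMPLE_CA))
```

A "token: cannot decode" result typically means the saved value was already decoded or was truncated when copied.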