K8s Integration

Prerequisites:

• Connector version 1.3.2 and later
• Admin permission to K8s

NOTE - the connector needs access to the desired K8s Cluster (using the K8s API), and will require a cluster-admin service account to operate.

Creating the service account:

1. Run kubectl create serviceaccount admin-for-apono --context <context>

   • Run the command containing the correct context with the --context flag (kubeconfig)

2. Check if a token was created for this service account:

   • kubectl describe serviceaccount admin-for-apono --context <context>
     In the results, check the Tokens section for the token name.
     If the token does not exist (auto-creation is disabled by default from k8s v1.24), create a token manually by running kubectl apply -f token.yml --context <context> (token.yml content is below).

apiVersion: v1
kind: Secret
metadata:
  name: admin-for-apono-token
  annotations:
    kubernetes.io/service-account.name: admin-for-apono
type: kubernetes.io/service-account-token

3. If the secret was created manually, assign it to the created Apono service account admin-for-apono

• retrieve by editing the service account yaml kubectl get serviceaccount admin-for-apono -o yaml --context <context>
• save YAML and adding the output to admin-for-apono.yml
• add below secrets section to the bottom of the yaml
  following block

secrets:
  - name: admin-for-apono-token

• admin-for-apono.yml should have a similar context now

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: \"2020-01-01T12:00:00Z\"
  name: admin-for-apono
  namespace: default
  resourceVersion: \"12345678\"
  uid: aaaaaaaa-1111-bbbb-2222-cccccccccccc
secrets:
- name: admin-for-apono-token

• apply the modified service account configuration with kubectl apply -f admin-for-apono.yml --context <context>

4. Create a rolebind.yml file with the following snippet and apply it by running - kubectl apply -f rolebind.yml --context <context>.
   It will assign a cluster-admin role to the Apono service account.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-for-apono-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin 
subjects:
- namespace: default
  kind: ServiceAccount
  name: admin-for-apono

5. Retrieve the token and CA (Certificate Authority) from the service account secret by running these commands:
   • kubectl get secret <token_name> -o jsonpath='{.data.ca\.crt}' --context <context>
   • kubectl get secret <token_name> -o jsonpath='{.data.token}' --context <context>

NOTE - save the outputs to use in the next step of creating a secret.

6. Create a secret in your used Secret Store for the admin-for-apono service account

   • Take the token value (From the previous step)
   • Use a key-value secret type, add key token with the token value
   • Follow this guide https://docs.apono.io/docs/using-secret-stores for more help on storing secrets

7. Connect Kubernetes to Apono

   • Click on Integrations Catalog
   • Under Kubernetes, look for Kubernetes Roles and click Connect
   • Fill in the integration details:
     Cluster name
     Server URL (the Cluster URL)
     Cluster ca - take from apono service account secret -> data -> ca.crt, encode in base64
     Secret name where the token is stored
   • Click Connect