K8s Integration
Prerequisites:
- Connector version 1.3.2 and later
- Admin permission to K8s
NOTE - the connector needs access to the desired K8s Cluster (using the K8s API), and will require a cluster-admin service account to operate.
Creating the service account:
- Run the following command, passing the correct context (from your kubeconfig) in the --context flag:
```shell
kubectl create serviceaccount admin-for-apono --context <context>
```
- Check if a token was created for this service account:
```shell
kubectl describe serviceaccount admin-for-apono --context <context>
```
In the results, check the Tokens section for the token name.
If the token does not exist (auto-creation is disabled by default from k8s v1.24), create a token manually by running kubectl apply -f token.yml --context <context> (token.yml content is below).
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: admin-for-apono-token
  annotations:
    kubernetes.io/service-account.name: admin-for-apono
type: kubernetes.io/service-account-token
```
- If the secret was created manually, assign it to the created Apono service account admin-for-apono:
  - retrieve the service account YAML:
```shell
kubectl get serviceaccount admin-for-apono -o yaml --context <context>
```
  - save the output to admin-for-apono.yml
  - add the following secrets section to the bottom of the YAML:
```yaml
secrets:
- name: admin-for-apono-token
```
admin-for-apono.yml should have similar content now:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-01-01T12:00:00Z"
  name: admin-for-apono
  namespace: default
  resourceVersion: "12345678"
  uid: aaaaaaaa-1111-bbbb-2222-cccccccccccc
secrets:
- name: admin-for-apono-token
```
- Apply the modified service account configuration with:
```shell
kubectl apply -f admin-for-apono.yml --context <context>
```
- Create a rolebind.yml file with the following snippet and apply it by running:
```shell
kubectl apply -f rolebind.yml --context <context>
```
It will assign the cluster-admin role to the Apono service account.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-for-apono-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- namespace: default
  kind: ServiceAccount
  name: admin-for-apono
```
- Retrieve the token and CA (Certificate Authority) from the service account secret by running these commands:
```shell
kubectl get secret <token_name> -o jsonpath='{.data.ca\.crt}' --context <context>
kubectl get secret <token_name> -o jsonpath='{.data.token}' --context <context>
```
NOTE - save the outputs to use in the next step of creating a secret.
- Create a secret in your Secret Store for the admin-for-apono service account:
  - Take the token value (from the previous step)
  - Use a key-value secret type and add the key token with the token value
  - Follow this guide https://docs.apono.io/docs/using-secret-stores for more help on storing secrets
Connect Kubernetes to Apono
- Click on Integrations Catalog
- Under Kubernetes, look for Kubernetes Roles and click Connect
- Fill in the integration details:
  - Cluster name
  - Server URL (the Cluster URL)
  - Cluster ca - take from the apono service account secret -> data -> ca.crt, encode in base64
  - Secret name where the token is stored
- Click Connect
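The retrieval step returns the data fields of the token secret, which Kubernetes stores base64-encoded, and those values then feed two places: the Cluster ca field of the integration form (as base64) and the token key in the secret store. The script below is an added example, not part of the Apono page or the Apono connector. It takes the JSON form of the secret (a constructed sample stands in for the output of `kubectl get secret admin-for-apono-token -o json`), passes ca.crt through unchanged as the base64 Cluster ca value, decodes the token to the bearer JWT, and, before anything is stored, checks that the CA decodes to a PEM certificate and that the token's `sub` claim names `system:serviceaccount:default:admin-for-apono` rather than some other account. The sample token's claims mimic the layout of a Kubernetes secret-based service-account token; its signature is a placeholder, and the script inspects claims only and does not verify the signature. The function names are this example's own.

```python
"""Added example (not part of the Apono page or connector): sanity-check the
CA and token pulled from the admin-for-apono token secret before storing them.

Assumptions: SAMPLE_SECRET_JSON is a constructed stand-in for
`kubectl get secret admin-for-apono-token -o json`; the token inside it is a
constructed, unsigned JWT mimicking the claim layout of a Kubernetes
secret-based service-account token. Runs offline, no kubectl needed.
"""
import base64
import json


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed placeholder PEM: the body is not a real certificate.
_SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed claims in the layout Kubernetes uses for secret-based SA tokens.
_SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "admin-for-apono-token",
    "kubernetes.io/serviceaccount/service-account.name": "admin-for-apono",
    "sub": "system:serviceaccount:default:admin-for-apono",
}
_SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url(_SAMPLE_CLAIMS),
    "placeholder-signature",  # constructed, not a valid signature
])

# Constructed sample of `kubectl get secret <token_name> -o json`.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "admin-for-apono-token",
        "namespace": "default",
        "annotations": {"kubernetes.io/service-account.name": "admin-for-apono"},
    },
    "data": {
        "ca.crt": _b64(_SAMPLE_CA_PEM),
        "namespace": _b64("default"),
        "token": _b64(_SAMPLE_TOKEN),
    },
})


def extract_credentials(secret_json: str) -> dict:
    """Pull the values the integration needs out of the secret JSON.

    Secret `data` values are base64-encoded: ca.crt is kept as-is for the
    base64 Cluster ca field, the token is decoded to the bearer JWT.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret")
    data = secret["data"]
    annotations = secret["metadata"].get("annotations", {})
    return {
        "cluster_ca_b64": data["ca.crt"],
        "ca_pem": base64.b64decode(data["ca.crt"]).decode(),
        "token": base64.b64decode(data["token"]).decode(),
        "bound_service_account": annotations.get("kubernetes.io/service-account.name"),
    }


def token_claims(token: str) -> dict:
    """Decode the JWT payload for inspection; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def belongs_to(token: str, namespace: str, name: str) -> bool:
    """True if the token's subject is the expected service account."""
    return token_claims(token).get("sub") == f"system:serviceaccount:{namespace}:{name}"


def looks_like_pem_cert(pem: str) -> bool:
    return pem.startswith("-----BEGIN CERTIFICATE-----") and "-----END CERTIFICATE-----" in pem


def check_secret(secret_json: str, namespace: str = "default",
                 name: str = "admin-for-apono") -> dict:
    """Checks to run before the token goes into the secret store."""
    creds = extract_credentials(secret_json)
    return {
        "ca_ok": looks_like_pem_cert(creds["ca_pem"]),
        "token_matches_sa": belongs_to(creds["token"], namespace, name),
        "annotation_matches_sa": creds["bound_service_account"] == name,
    }


if __name__ == "__main__":
    print(json.dumps(check_secret(SAMPLE_SECRET_JSON), indent=2))
```

Run it against real output by replacing SAMPLE_SECRET_JSON with the JSON from kubectl; a False in any field means the secret you are about to store does not belong to the admin-for-apono account described on this page.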