Read Only Kubeconfig

Guide to setting up a new service account with read-only access to a Kubernetes cluster


Last updated 2 years ago


Kubernetes import is in private beta at the moment.

If you are interested in testing it, please reach out to the support team and we will enable it on your account.

To connect to your Kubernetes clusters you will need to create or obtain a kubeconfig file and import it into Hava.

We recommend creating a new service account that has read-only access to the resources in the cluster, and using that, rather than a personal or admin credential, to give Hava access.

Supported kubeconfig authentication methods

Hava does not support authentication methods that require access to external files or programs on the machine where the kubeconfig was created, such as the client-certificate, client-key or cmd-path values in your users section, or the certificate-authority value in the clusters section.

If you make use of certificate files you can convert them to the corresponding -data fields (certificate-authority-data, client-certificate-data and client-key-data), which carry the base64-encoded file contents inline; see Converting certificate files to certificate data fields.

There is no inline replacement for cmd-path and cmd-args (auth-provider) values, or for exec plugins, because both run a program on the client. Use a service account token instead, as described below.
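The two checks implied by this section, finding kubeconfig fields that point at local files or programs and inlining a certificate file as a -data value, as an added shell example that is not part of Hava's documentation or tooling. The sample kubeconfig it writes is constructed for the demonstration; the field list it scans (certificate-authority, client-certificate, client-key, tokenFile, cmd-path, cmd-args, command) is the set of standard kubeconfig keys whose values are paths or commands rather than inline data.

```bash
#!/usr/bin/env bash
# Added example: flag kubeconfig fields that reference files or programs on the local
# machine, and show how a PEM file becomes the corresponding *-data field.
# Uses only grep, sed, tr and base64 (GNU or macOS).
set -eu

# Prints one "<line-number>: <key>" per offending line. Returns 0 if the kubeconfig is
# self-contained (only inline *-data fields and tokens), 1 if anything must be converted.
unsupported_kubeconfig_fields() {
  # $1 = path to kubeconfig
  local hits
  hits=$(grep -nE '^[[:space:]]*(certificate-authority|client-certificate|client-key|tokenFile|cmd-path|cmd-args|command):' "$1" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed -E 's/^([0-9]+):[[:space:]]*([a-zA-Z-]+):.*/\1: \2/'
    return 1
  fi
  return 0
}

# Base64-encodes a PEM file on a single line, which is the format the *-data fields expect
# (GNU base64 wraps at 76 columns by default, macOS does not; tr makes both identical).
pem_to_data_field() {
  # $1 = path to PEM file
  base64 < "$1" | tr -d '\n'
}

# Constructed sample kubeconfig whose cluster and user entries point at files on disk.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster:
    certificate-authority: /home/me/.kube/ca.crt
    server: https://10.0.0.1:6443
users:
- name: demo-user
  user:
    client-certificate: /home/me/.kube/me.crt
    client-key: /home/me/.kube/me.key
contexts:
- name: demo
  context: {cluster: demo, user: demo-user}
current-context: demo
EOF
}

demo() {
  tmp=$(mktemp -d)
  write_sample_kubeconfig "$tmp/config"
  if unsupported_kubeconfig_fields "$tmp/config"; then
    echo "kubeconfig is self-contained and can be uploaded as-is"
  else
    echo "replace the fields above with certificate-authority-data / client-certificate-data / client-key-data"
  fi
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the three offending lines of the sample reported; point unsupported_kubeconfig_fields at your own kubeconfig before uploading it. Values produced by pem_to_data_field can be pasted directly as the -data field, but remember that a client-key-data value is a private key and the resulting file must be handled as a credential.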

Creating a read-only kubeconfig access file

The best practice when creating a kubeconfig file for Hava is to create a new read-only ClusterRole, bound to a dedicated service account that Hava uses. We also create the service account in a separate 'hava' namespace so that removing Hava's access is as simple as deleting the namespace, which deletes the service account and its tokens with it. Note that the ClusterRole and ClusterRoleBinding are cluster-scoped and survive deleting the namespace; delete those two objects as well to clean up completely.

Creating the role and service account

We'll use the following manifest to create the namespace, service account, role and binding in your current context using kubectl, so make sure the correct context is selected by running kubectl config current-context.

Create the following file as hava-role-manifest.yml:

---
apiVersion: v1
kind: Namespace
metadata:
  name: hava
  labels:
    name: hava
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hava-reader
  namespace: hava
---
# ClusterRoles are cluster-scoped, so no namespace is set on this object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: hava-read-only
rules:
  # Core API group: pods, services, nodes, ... (this wildcard also covers secrets)
  - apiGroups:
      - ""
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  # Legacy group; harmless on clusters where it no longer exists
  - apiGroups:
      - extensions
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hava-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hava-read-only
subjects:
  - kind: ServiceAccount
    name: hava-reader
    namespace: hava

Now run kubectl apply -f hava-role-manifest.yml to create your namespace, service account, role and binding.

This allows Hava to read every resource in the core, extensions and apps API groups, in every namespace. Be aware that the core-group wildcard includes Secrets, so a token for this service account can read every Secret in the cluster. If that is more than you want to hand to an external service, lock the role down further by limiting it to specific namespaces (use a Role and RoleBinding per namespace instead of a ClusterRole) or by listing resource types explicitly and leaving secrets out. Hava will ignore anything it doesn't have access to.
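A tightened variant of the role, plus the check a practitioner would run before handing the token over, as an added shell example that is not Hava's own manifest. It replaces hava-read-only with a ClusterRole that enumerates resource types instead of using "*" and leaves secrets out, then verifies the effective permissions of the service account with kubectl auth can-i by impersonating it. The resource list is an assumption about what a diagramming import needs; Hava does not publish the exact set it reads, and it ignores what it cannot access, so extend the list if objects are missing from your diagram.

```bash
#!/usr/bin/env bash
# Added example: a least-privilege replacement for the hava-read-only ClusterRole and a
# permission check using impersonation. Requires kubectl and an existing hava-reader
# service account in the hava namespace (as created by the manifest on this page).
set -eu

NS=hava
SA=hava-reader
SUBJECT="system:serviceaccount:${NS}:${SA}"

# Explicit resource list (an assumption about what the import needs); no "*" and no secrets.
hardened_role_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hava-read-only
rules:
  - apiGroups: [""]
    resources: [namespaces, nodes, pods, services, endpoints, persistentvolumes, persistentvolumeclaims, configmaps, serviceaccounts, events]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments, statefulsets, daemonsets, replicasets]
    verbs: [get, list, watch]
  - apiGroups: [batch]
    resources: [jobs, cronjobs]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses, networkpolicies]
    verbs: [get, list, watch]
EOF
}

# Returns 0 if a manifest on stdin grants access to secrets, either by naming them or by
# using a resource wildcard; useful as a guard before applying a role written by hand.
manifest_grants_secrets() {
  grep -E 'resources:[^#]*(\*|secrets)' >/dev/null
}

apply_and_verify() {
  if hardened_role_manifest | manifest_grants_secrets; then
    echo "refusing to apply: role grants access to secrets" >&2
    exit 1
  fi
  hardened_role_manifest | kubectl apply -f -
  # Expect "yes" for reads the import needs and "no" for secrets and for every write verb.
  for check in "list pods" "get deployments.apps" "list secrets" "create pods" "delete namespaces"; do
    printf '%-25s %s\n' "${check}" "$(kubectl auth can-i ${check} --as="${SUBJECT}" --all-namespaces || true)"
  done
  # Full effective permission set of the token Hava will receive, for review.
  kubectl auth can-i --list --as="${SUBJECT}"
}

if [ "${1:-}" = "--apply" ]; then apply_and_verify; fi
```

Run it with --apply against the context that already holds the hava namespace; the can-i output is the same answer the API server will give Hava's token, so "list secrets: no" there means the credential really cannot read Secrets even if it leaks. Impersonation with --as requires that your own identity has the impersonate verb, which cluster admins normally do.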

Use the service account details to create your kubeconfig

You can now run the following shell script to write a kubeconfig file that lets Hava access and import your cluster.

The script depends on kubectl and base64 only (both GNU and macOS base64 accept -d). It is written for macOS and Linux; on Windows run it from WSL or Git Bash.

Since Kubernetes 1.24 a service account no longer gets a token Secret created for it automatically, so the script creates one explicitly (type kubernetes.io/service-account-token) and the token controller fills in the token and the cluster CA certificate. A token issued this way does not expire, which is what Hava's repeated imports need, so treat hava-kubeconfig.yml like any other long-lived credential.

#!/usr/bin/env bash
# Writes hava-kubeconfig.yml for the hava-reader service account in the hava namespace.
set -eu
ns=hava
sa=hava-reader
secret=hava-reader-token

server=$(kubectl config view --minify --output jsonpath='{.clusters[*].cluster.server}')

# Kubernetes 1.24+ no longer auto-creates token secrets for service accounts, so create one
# explicitly; the token controller then fills in .data.token, .data.ca\.crt and .data.namespace.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret}
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF

# Wait for the controller to populate the token (normally well under a second).
for _ in 1 2 3 4 5 6 7 8 9 10; do
  token_b64=$(kubectl get secret/${secret} --namespace="${ns}" -o jsonpath='{.data.token}')
  [ -n "${token_b64}" ] && break
  sleep 1
done
[ -n "${token_b64}" ] || { echo "token was not populated in secret/${secret}" >&2; exit 1; }

# ca.crt is stored base64-encoded, which is exactly what certificate-authority-data expects.
ca=$(kubectl get secret/${secret} --namespace="${ns}" -o jsonpath='{.data.ca\.crt}')
token=$(printf '%s' "${token_b64}" | base64 -d)

cat > hava-kubeconfig.yml <<EOF
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: default
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
EOF
chmod 600 hava-kubeconfig.yml

After running this, upload hava-kubeconfig.yml into Hava and click 'Import'. Before you do, it is worth confirming the file works on its own, for example with kubectl --kubeconfig hava-kubeconfig.yml get nodes, and keeping in mind that it carries a non-expiring bearer token with cluster-wide read access under hava-read-only. To revoke it, delete the token Secret the kubeconfig was generated from (or the hava-reader service account, which removes its tokens with it); the token stops working as soon as the Secret is gone.

Hava will connect to your cluster, pull back the resources and the relationships between them, and build a complete visualisation of your environment.
