Read Only Kubeconfig
Guide to set up a new Service Account with read-only access to a K8s cluster

Kubernetes import is in private beta at the moment. If you are interested in testing this out, please reach out to the support team and we will enable it on your account.
To connect to your Kubernetes clusters you will need to create or obtain a copy of your kubeconfig configuration and import it into Hava.
We recommend creating a new service account that has read-only access to the resources in the Kubernetes cluster, and using that to provide access to Hava.
Hava does not support authentication methods that require access to external files or programs, such as the `client-certificate` or `cmd-path` values in your `users` section, or the `certificate-authority` value in the `clusters` section. A file-based `certificate-authority` value can be replaced by the inline `certificate-authority-data` value that the script further down produces, but there is no replacement for `cmd-path` and `cmd-arg` values.

The best practice when creating a kubeconfig file for Hava is to create a new read-only role that can be attached to a service account for Hava to access. We'll also create it in a separate `hava` namespace so that removing access is as simple as removing the namespace.

We'll use the following manifest to create the role and service account in your current context using kubectl, so make sure you have the correct context selected by running `kubectl config current-context`. Create the following file as `hava-role-manifest.yml`:
```yaml
---
kind: Namespace
apiVersion: v1
metadata:
  name: hava
  labels:
    name: hava
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hava-reader
  namespace: hava
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # A ClusterRole is cluster-scoped, so it carries no namespace. The name must
  # match the roleRef of the ClusterRoleBinding below.
  name: hava-read-only
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    name: hava-read-only
rules:
  # Read-only verbs only: no create, update, patch or delete.
  - apiGroups:
      - ""
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  # Legacy API group; the rule is harmless on clusters where it no longer serves any resources.
  - apiGroups:
      - extensions
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hava-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hava-read-only
subjects:
  - kind: ServiceAccount
    name: hava-reader
    namespace: hava
```
Now run `kubectl apply -f hava-role-manifest.yml` to create your role and service account. This will allow Hava to read data from all resource types across all namespaces, including Secrets in the core API group. If this is still too open you can lock it down further by limiting it by namespace or resource types; Hava will ignore anything it doesn't have access to.
You can now run the following shell script to output a kubeconfig configuration file to allow Hava to access and import your cluster:
This script depends on `kubectl`, `jq` and `base64`. It has been tested on MacOS; `jq` and `base64` might require slight modifications to the commands on Linux and Windows.

The script looks up the token Secret that older clusters generate automatically for a service account. On Kubernetes 1.24 and later that Secret is no longer created automatically, so first create a Secret of type `kubernetes.io/service-account-token` in the `hava` namespace, annotated with `kubernetes.io/service-account.name: hava-reader` and with a name containing `hava-reader-token-` so that the script finds it.

```bash
#!/bin/bash
set -euo pipefail

# API server URL of the currently selected context.
server=$(kubectl config view --minify --output jsonpath='{.clusters[*].cluster.server}')

# Token Secret generated for the hava-reader service account.
name=$(kubectl get secrets --namespace=hava -o json | jq -r '.items[] | select(.metadata.name | test("hava-reader-token-")).metadata.name')
if [ -z "${name}" ]; then
  echo "No hava-reader-token-* secret found in namespace hava (on Kubernetes 1.24+ it must be created manually)" >&2
  exit 1
fi

# The cluster CA stays base64-encoded (certificate-authority-data expects that);
# the bearer token and namespace are decoded to plain text.
ca=$(kubectl get "secret/${name}" --namespace=hava -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get "secret/${name}" --namespace=hava -o jsonpath='{.data.token}' | base64 --decode)
namespace=$(kubectl get "secret/${name}" --namespace=hava -o jsonpath='{.data.namespace}' | base64 --decode)

# Write a self-contained kubeconfig: inline CA data plus the bearer token, no file references.
echo "
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: default
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
" > hava-kubeconfig.yml
```
After running this you can upload the `hava-kubeconfig.yml` file into Hava and click 'Import'.

Hava will connect to your environment, pull back the resources and the relationships between them, and build a complete visualisation of your environment.
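A check worth running on the generated file before uploading it, written here as an added example (not Hava's own code): it scans a kubeconfig line by line for the file- and program-based keys described above and confirms that the inline fields a token-based connection needs are present. The two sample kubeconfigs are constructed with placeholder values.

```python
import re

# Standard kubeconfig keys whose values point at a local file or program.
UNSUPPORTED_KEYS = {
    "certificate-authority": "use inline certificate-authority-data instead",
    "client-certificate": "use a service-account token instead",
    "cmd-path": "no replacement; use a service-account token instead",
    "exec": "credential plugins run a local program; use a token instead",
}
REQUIRED_KEYS = {"server", "certificate-authority-data", "token"}
# Key of a YAML mapping entry, including one that opens a list item ("- name:").
KEY_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z][\w.-]*)\s*:")

def lint_kubeconfig(text):
    """Return the problems found in a kubeconfig text; an empty list means OK."""
    problems, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not (match := KEY_RE.match(line)):
            continue
        key = match.group(1)
        seen.add(key)
        if key in UNSUPPORTED_KEYS:
            problems.append(f"line {lineno}: '{key}' not supported ({UNSUPPORTED_KEYS[key]})")
    for key in sorted(REQUIRED_KEYS - seen):
        problems.append(f"missing required key '{key}'")
    return problems

# Constructed samples: the shape the script above emits, and a developer config that
# points at local certificate files (both use placeholder values).
GOOD_KUBECONFIG = """\
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: LS0tUExBQ0VIT0xERVItLS0=
    server: https://203.0.113.10:6443
users:
- name: default-user
  user:
    token: PLACEHOLDER-TOKEN
"""
BAD_KUBECONFIG = """\
clusters:
- name: dev
  cluster:
    certificate-authority: /home/me/.kube/ca.crt
    server: https://10.0.0.1:6443
users:
- name: dev-user
  user:
    client-certificate: /home/me/.kube/client.crt
"""
```

Run `lint_kubeconfig(open("hava-kubeconfig.yml").read())` on the generated file; an empty list means it is self-contained.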