# Read Only Kubeconfig {% hint style="warning" %} Kubernetes import is in private beta at the moment if you are interested in testing this out, please reach out to the support team, and we will enable it on your account {% endhint %} To connect to your Kubernetes clusters you will need to create or obtain a copy of your [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) configuration and import it into Hava. We recommend creating a new service account that has read only access to the resources in the kubernetes cluster, and use that to provide access to Hava. ### Supported kubeconfig authentication methods Hava does not support authentication methods that require access to external files or programs, such as use of the `client-certificate` or `cmd-path` values in your users section, or the `certificate-authority` value in the clusters section. If you make use of certificate files you can [convert them to the corresponding -data fields](https://docs.hava.io/importing/kubernetes/getting-started-with-kubernetes/converting-certificate-files-to-certificate-data-fields). Unfortunately there is no replacement for `cmd-path` and `cmd-arg` values. ### Creating a read-only kubeconfig access file The best practice when creating a kubeconfig file for Hava is to create a new read-only role that can be attached to a service account for Hava to access. We'll also create it in a separate 'hava' namespace so that removing access is as simple as removing the namespace. #### Creating the role and service account We'll use the following manifest to create the role and service account in your current context using kubectl, so make sure you have the correct context selected by running `kubectl config current-context`. Create the following file as `hava-role-manifest.yml`: ``` --- kind: Namespace apiVersion: v1 metadata: name: hava labels: name: hava --- apiVersion: v1 kind: ServiceAccount metadata: name: hava-reader namespace: hava --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: name: hava-read-only namespace: hava rules: - apiGroups: - "" resources: ["*"] verbs: - get - list - watch - apiGroups: - extensions resources: ["*"] verbs: - get - list - watch - apiGroups: - apps resources: ["*"] verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: hava-reader-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: hava-read-only subjects: - kind: ServiceAccount name: hava-reader namespace: hava ``` Now run `kubectl apply -f hava-role-manifest.yml` to create your role and service account. This will allow Hava access to read data from all resource types across all namespaces. If this is still too open you can lock it down further by limiting it by namespace or resource types - Hava will ignore anything it doesn't have access to. #### Use the service account details to create your kubeconfig You can now run the following shell script to output a kubeconfig configuration file to allow Hava to access and import your cluster: {% hint style="info" %} This script depends on`kubectl`, `jq`, and `base64` It has been tested on MacOS, `jq` and `base64` might require slight modifications to the commands on linux and Windows {% endhint %} ``` #!/bin/bash server=$(kubectl config view --minify --output jsonpath='{.clusters[*].cluster.server}') name=$(kubectl get secrets --namespace=hava -o json | jq -r '.items[] | select(.metadata.name | test("hava-reader-token-")).metadata.name') ca=$(kubectl get secret/$name --namespace=hava -o jsonpath='{.data.ca\.crt}') token=$(kubectl get secret/$name --namespace=hava -o jsonpath='{.data.token}' | base64 --decode) namespace=$(kubectl get secret/$name --namespace=hava -o jsonpath='{.data.namespace}' | base64 --decode) echo " apiVersion: v1 kind: Config clusters: - name: default-cluster cluster: certificate-authority-data: ${ca} server: ${server} contexts: - name: default-context context: cluster: default-cluster namespace: default user: default-user current-context: default-context users: - name: default-user user: token: ${token} " > hava-kubeconfig.yml ``` After running this you can now upload the `hava-kubeconfig.yml` file into Hava and click 'Import'. ![](https://3601125483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Loco-kTiJ7Tu_lfPZqb%2Fuploads%2Fdhfp5LtsVQcEopEDRvtn%2FScreen%20Shot%202022-05-02%20at%203.40.36%20pm.png?alt=media\&token=9d639a43-2119-4072-9479-144696c83be5) Hava will connect to your environment and pull back the resources and relationships between them and build a complete visualisation of your environment. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.hava.io/importing/kubernetes/getting-started-with-kubernetes/read-only-kubeconfig.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.