Discovering Red Hat OpenShift clusters
is a family of container software products, based on the Kubernetes and Docker technologies, running on Red Hat Enterprise Linux (RHEL). The core OpenShift product is OpenShift Container Platform, which is an on-premises platform as a service. Other OpenShift products provide this platform in the cloud, as managed or self-managed services on a selection of cloud providers.
The OpenShift Console provides developer and administrator views. Administrator views enable you to monitor and manage resources, container health, users, operators, and so on. Developer views enable you to work with application resources in a namespace.
OpenShift also provides a CLI that supports a superset of the actions that the Kubernetes CLI provides.
BMC Helix Discovery has been able to discover OpenShift for some releases. For more information, see Discovering containers. Using the API providers option to discover OpenShift through its API provides an accurate and efficient way of discovering OpenShift, though it can be used to complement the existing IP address-based method.
API provider discovery of OpenShift supports OpenShift 4.1 and later.
The current IP address-based OpenShift discovery (described in Discovering containers) uses an IP scan and a host credential to discover OpenShift software running on a host. BMC Helix Discovery creates or updates an existing OpenShift SI. The OpenShift SI triggers additional patterns to discover the containers that the OpenShift management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Helix Discovery can discover hosts only if appropriate credentials are available.
Using the OpenShift API enables you to discover the OpenShift's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.
To discover OpenShift using an API provider
The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:
|Find OpenShift software using an IP scan
|Perform an IP scan
Ensure that the OpenShift management system has suitable permissions to enable you to access it.
|Ensure access permissions for the OpenShift management system
Create an API provider credential valid for the OpenShift system.
|Create an API provider credential
Perform an API scan
|Perform an API scan
Find OpenShift management software using an IP scan
Ensure that you have scanned your estate to find all instances of OpenShift. Once you have located them, you can target initial API scans to perform deeper discovery using the OpenShift API.
For information on scanning, see Performing a discovery run. After you have scanned the estate, you can search for OpenShift SIs by performing the following steps:
- In the search box at the top right of the UI, enter OpenShift.
- Click the Software instance row.
The Software Instance list is displayed.
For any OpenShift system in which you want BMC Discovery to be able to discover all supported resources, you must define a ServiceAccount in the default namespace and bind it to the ClusterRole, where RoleBinding must be of a cluster-wide type. The ClusterRole should grant the read (get/list) permissions on required resources in the appropriate API groups. The required resources are retrieved using Discovery's API queries while scanning the Openshift cluster.
The credential will fail if your default namespace has been changed. Add the changed namespace to ClusterRole and ServiceAccount to avoid the problem.
OpenShift OAuth authentication obtains an OAuth token from the OpenShift REST API Well Known Endpoint (WKE) using the provided username and password. Once the token is obtained, it is used to access and discover the OpenShift clusters specified in the credential. OpenShift OAuth provides the ability to discover many OpenShift clusters using a single credential. The WKE authorization server must be resolvable.
Bearer token authentication uses a token valid for a single OpenShift cluster to access and discover the cluster.
For instructions on obtaining the URL and non-expiring token to use in the API provider credential, see .
For information on using OAuth, see .
Create an API provider credential valid for the OpenShift system
Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding credentials.
API provider credentials use the URL to connect to the OpenShift API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.
In an IP scan, when, for example container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.
Perform a snapshot API scan
- On the Manage > Discovery page, click Add New Run.
- In the Timing field, select Snapshot.
In the Targeting field, select API.
Enter the information for the snapshot API provider discovery run in the fields.
Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.
Select the run type, one of:
Snapshot — The run is performed immediately.
Scheduled — The run is performed according to the scheduling information you enter.
For this snapshot scan, select Snapshot.
Select the target for the discovery run. This is one of:
- IP Address — Enter IP address information.
- Cloud — Enter cloud provider information.
- API — Enter API provider information.
For this API provider scan, select API.
Specify the type of API provider. Currently, supports the following providers:
- Kubernetes/OpenShift Cluster
- MongoDB Atlas
- Rancher Managed Kubernetes Clusters
Restrict by Organization
This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings.
Select the organization that you want to use for the scan. The organizations available in the list are limited to those organizations of which the logged-in user is a member. The organization you select impacts the Outposts available in the scope via field. For more information, see Outposts restricted by organizations.
The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.
Click OK to start the run.
For information on running all types of discovery runs, see Performing a discovery run.
When you view the Discovery Access page for the OpenShift discovery, the UI shows a script failure for the Openshift.ListClusterVersions method. This is expected.
Viewing the discovered OpenShift cluster
Once you have discovered a cluster, you can view it:
- From the Discovery page, select the Recent Runs tab.
- Click the snapshot API scan you have just performed. If you have discovered multiple clusters, then a Discovery Access node for each cluster is linked to the Discovery Run.
- Click the Cluster icon.
For more information
For more information on the way that OpenShift clusters are discovered, see Red Hat OpenShift in the BMC Discovery Content Reference documentation.