Discovering Red Hat OpenShift clusters

Red Hat OpenShift is a family of container software products, based on the Kubernetes and Docker technologies, running on Red Hat Enterprise Linux (RHEL). The core OpenShift product is OpenShift Container Platform, which is an on-premises platform as a service. Other OpenShift products provide this platform in the cloud, as managed or self-managed services on a selection of cloud providers.

The OpenShift Console provides developer and administrator views. Administrator views enable you to monitor and manage resources, container health, users, operators, and so on. Developer views enable you to work with application resources in a namespace.

OpenShift also provides a CLI that supports a superset of the actions that the Kubernetes CLI provides.

Related topics

Discovering containers

Red Hat OpenShift (BMC Discovery Content Reference)

BMC Helix Discovery has been able to discover OpenShift for some releases. For more information, see Discovering containers. Using the API providers option to discover OpenShift through its API is an accurate and efficient method, and it can also be used to complement the existing IP address-based method.

API provider discovery of OpenShift supports OpenShift 4.1 and later.

The current IP address-based OpenShift discovery (described in Discovering containers) uses an IP scan and a host credential to discover OpenShift software running on a host. BMC Helix Discovery creates or updates an existing OpenShift SI. The OpenShift SI triggers additional patterns to discover the containers that the OpenShift management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Helix Discovery can discover hosts only if appropriate credentials are available.

Using the OpenShift API enables you to discover OpenShift's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.

To discover OpenShift using an API provider

The following table lists the tasks that you must perform, in sequence, with the action for each task and the procedure that describes it:

| Task | Action | Procedure |
| --- | --- | --- |
| 1 | Find OpenShift software using an IP scan | Perform an IP scan |
| 2 | Ensure that the OpenShift management system has suitable permissions to enable you to access it. | Ensure access permissions for the OpenShift management system |
| 3 | Create an API provider credential valid for the OpenShift system. | Create an API provider credential |
| 4 | Perform an API scan | Perform an API scan |

Find OpenShift management software using an IP scan 

Ensure that you have scanned your estate to find all instances of OpenShift. Once you have located them, you can target initial API scans to perform deeper discovery using the OpenShift API.

For information on scanning, see Performing a discovery run. After you have scanned the estate, you can search for OpenShift SIs by performing the following steps:

  1. In the search box at the top right of the UI, enter OpenShift.
  2. Click the Software instance row.
    The Software Instance list is displayed.

Check permissions

For any OpenShift system in which you want BMC Discovery to be able to discover all supported resources, you must define a ServiceAccount in the default namespace and bind it to a ClusterRole. The binding must be cluster-wide (a ClusterRoleBinding rather than a namespaced RoleBinding). The ClusterRole should grant the read (get/list) permissions on the required resources in the appropriate API groups. The required resources are those that Discovery's API queries retrieve while scanning the OpenShift cluster.

Note

The credential will fail if your default namespace has been changed. Add the changed namespace to ClusterRole and ServiceAccount to avoid the problem.
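
One way to check the ServiceAccount setup described above before creating the credential, as an added example (not BMC's or Red Hat's code): it audits a ClusterRole and its binding, parsed from `oc get ... -o json` output, for verbs beyond get/list, wildcards, and a binding that is not cluster-wide. The names discovery-reader and discovery and the resource list are assumptions for illustration; this page does not list the required resources.

```python
READ_VERBS = {"get", "list"}  # the read verbs the page says the ClusterRole should grant

def audit_rbac(role, binding, sa_name, namespace="default"):
    """Return findings; an empty list means the objects match the setup described."""
    findings = []
    if role.get("kind") != "ClusterRole":
        findings.append("role is not a ClusterRole")
    for i, rule in enumerate(role.get("rules") or []):
        extra = sorted(set(rule.get("verbs", [])) - READ_VERBS)
        if extra:
            findings.append(f"rule {i}: verbs beyond get/list: {', '.join(extra)}")
        for field in ("apiGroups", "resources"):
            if "*" in rule.get(field, []):
                findings.append(f"rule {i}: wildcard in {field}")
    if binding.get("kind") != "ClusterRoleBinding":
        findings.append("binding is not cluster-wide (expected ClusterRoleBinding)")
    ref = binding.get("roleRef", {})
    role_name = role.get("metadata", {}).get("name")
    if (ref.get("kind"), ref.get("name")) != ("ClusterRole", role_name):
        findings.append("binding does not reference this ClusterRole")
    subjects = {(s.get("kind"), s.get("name"), s.get("namespace"))
                for s in binding.get("subjects") or []}
    if ("ServiceAccount", sa_name, namespace) not in subjects:
        findings.append(f"ServiceAccount {namespace}/{sa_name} is not a subject")
    return findings

# Constructed sample objects (hypothetical names), as json.load() would return them.
ROLE_OK = {"kind": "ClusterRole", "metadata": {"name": "discovery-reader"},
           "rules": [{"apiGroups": [""], "resources": ["nodes", "pods"],
                      "verbs": ["get", "list"]}]}
ROLE_WIDE = {"kind": "ClusterRole", "metadata": {"name": "discovery-reader"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"],
                        "verbs": ["get", "list", "delete"]}]}
BINDING_OK = {"kind": "ClusterRoleBinding",
              "roleRef": {"kind": "ClusterRole", "name": "discovery-reader"},
              "subjects": [{"kind": "ServiceAccount", "name": "discovery",
                            "namespace": "default"}]}
BINDING_NS = {"kind": "RoleBinding", "metadata": {"namespace": "tools"},
              "roleRef": {"kind": "ClusterRole", "name": "discovery-reader"},
              "subjects": [{"kind": "ServiceAccount", "name": "discovery",
                            "namespace": "tools"}]}

if __name__ == "__main__":
    for finding in audit_rbac(ROLE_WIDE, BINDING_NS, "discovery"):
        print(finding)
```

If the default namespace has been changed, as the note above describes, pass the changed namespace as the `namespace` argument.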

OpenShift OAuth

OpenShift OAuth authentication obtains an OAuth token from the OpenShift REST API Well Known Endpoint (WKE) using the provided username and password. Once the token is obtained, it is used to access and discover the OpenShift clusters specified in the credential. OpenShift OAuth provides the ability to discover many OpenShift clusters using a single credential. The WKE authorization server must be resolvable.
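
A pre-flight check for the resolvability requirement above, as an added example (not BMC's or Red Hat's code): it parses the OAuth metadata document a cluster serves and reports any advertised authorization server URL that is not https or whose host does not resolve. It assumes the Well Known Endpoint is the standard /.well-known/oauth-authorization-server path; the hostnames and sample document are constructed, and static_resolver is a hypothetical offline stand-in for DNS.

```python
import json
import socket
from urllib.parse import urlsplit

# Assumption: the page's "Well Known Endpoint" is the OAuth metadata path below.
WKE_PATH = "/.well-known/oauth-authorization-server"
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint")

def wke_url(cluster_api_url):
    """Build the metadata URL for one cluster API URL from the credential."""
    return cluster_api_url.rstrip("/") + WKE_PATH

def check_wke(document, resolve=socket.getaddrinfo):
    """Return problems in a WKE metadata document (JSON text); [] means usable."""
    meta = json.loads(document)
    problems = []
    for field in URL_FIELDS:
        url = urlsplit(meta.get(field) or "")
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{field}: missing or not an https URL")
            continue
        try:
            resolve(url.hostname, url.port or 443)
        except OSError:  # socket.gaierror is a subclass of OSError
            problems.append(f"{field}: cannot resolve {url.hostname}")
    return problems

def static_resolver(known_hosts):
    """Offline stand-in for DNS so the check can be exercised without a network."""
    def resolve(host, port):
        if host not in known_hosts:
            raise socket.gaierror(f"unknown host {host}")
        return [(host, port)]
    return resolve

# Constructed sample document with hypothetical hostnames.
SAMPLE_WKE = json.dumps({
    "issuer": "https://oauth-openshift.apps.cluster1.example.com",
    "authorization_endpoint":
        "https://oauth-openshift.apps.cluster1.example.com/oauth/authorize",
    "token_endpoint":
        "https://oauth-openshift.apps.cluster1.example.com/oauth/token",
})
```

Run the check once per cluster URL in the credential, from a host that uses the same DNS as the system performing the scan.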

Bearer token

Bearer token authentication uses a token valid for a single OpenShift cluster to access and discover the cluster.

For instructions on obtaining the URL and non-expiring token to use in the API provider credential, see Using service accounts in applications.

For information on using OAuth, see Using a service account as an OAuth client.

Create an API provider credential valid for the OpenShift system 

Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding credentials.

API provider credentials use the URL to connect to the OpenShift API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.

In an IP scan, the discovery of, for example, container management software might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.

Perform a snapshot API scan 

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.
  3. In the Targeting field, select API.

  4. Enter the information for the snapshot API provider discovery run in the fields.

    Field name

    Details

    Label

    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.

    Timing

    Select the run type, one of:

    • Snapshot — The run is performed immediately.

    • Scheduled — The run is performed according to the scheduling information you enter.

    For this snapshot scan, select Snapshot.

    Targeting

    Select the target for the discovery run. This is one of:

    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.

    For this API provider scan, select API.

    Provider

    Specify the type of API provider. Currently, BMC Helix Discovery supports the following providers:

    • Kubernetes/OpenShift Cluster
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters 

    Restrict by Organization

    This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings.

    Select the organization that you want to use for the scan. The organizations available in the list are limited to those organizations of which the logged-in user is a member. The organization you select impacts the Outposts available in the scope via field. For more information, see Outposts restricted by organizations.  

    Credential

    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.

  5. Click OK to start the run.

 

For information on running all types of discovery runs, see Performing a discovery run.

When you view the Discovery Access page for the OpenShift discovery, the UI shows a script failure for the Openshift.ListClusterVersions method. This is expected.

Viewing the discovered OpenShift cluster

Once you have discovered a cluster, you can view it:

  1. From the Discovery page, select the Recent Runs tab.
  2. Click the snapshot API scan you have just performed. If you have discovered multiple clusters, then a Discovery Access node for each cluster is linked to the Discovery Run.


  3. Click the Cluster icon. 

For more information

For more information on the way that OpenShift clusters are discovered, see Red Hat OpenShift in the BMC Discovery Content Reference documentation.


Comments

  1. Mani Singh

    Please help to update the document: a. Openshift/Kubernetes credential configuration, Cluster URL is mandatory to provide, it's not optional, else you won't get the drop down of the credential while discovery run. b. Please help to specify how can we update the multiple cluster URL in credential, e.g. comma separated or in new line, etc.

    Oct 23, 2023 01:06
    1. Duncan Tweed

      Hi Mani,

      Sorry for the delay. You can enter a newline separated list of URLs, I tried a comma separated list and it converted it to newlines. I have updated the Adding credentials page with this information.

      Thanks, Duncan.

      Feb 09, 2024 11:40