×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Discovery 23.1 ... Using Discovering services with API providers

Discovering Kubernetes clusters


Kubernetes Open link  is an open-source platform for automating deployment, scaling, and operations of application containers across clusters of hosts, and providing container-based infrastructure. BMC Discovery has been able to discover Kubernetes for some releases. For more information, see Discovering containers. Using the API providers option to discover Kubernetes through its API provides an accurate and efficient way of discovering Kubernetes, though it can be used to complement the existing IP address-based method.

Related topics

Discovering containers

Kubernetes (BMC Discovery Content Reference)

The current IP address-based Kubernetes discovery (described in Discovering containers) uses an IP scan and a host credential to discover Kubernetes management software running on a host. BMC Discovery creates or updates an existing Kubernetes SI. The Kubernetes SI triggers additional patterns to discover the containers that the Kubernetes management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Discovery can discover hosts only if appropriate credentials are available.

Using the Kubernetes API enables you to discover the Kubernetes management software's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.

To discover Kubernetes using an API provider

The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:

TaskActionProcedure
1Find Kubernetes management software using an IP scanPerform an IP scan
2

Ensure that the Kubernetes management system has suitable permissions to enable you to access it.

Ensure access permissions for the Kubernetes management system
3

Create an API provider credential valid for the Kubernetes system.

Create an API provider credential
4

Perform an API scan

Perform an API scan

Find Kubernetes management software using an IP scan 

Ensure that you have scanned your estate to find all instances of Kubernetes. Once you have located them, you can target initial API scans to perform deeper discovery using the Kubernetes API.

For information on scanning, see Performing a discovery run. After you have scanned the estate, you can search for Kubernetes SIs by performing the following steps:

  1. In the search box at the top right of the UI, enter Kubernetes.
  2. Click the Software instance row.
    The Software Instance list is displayed.

Ensure that the Kubernetes management system has suitable permissions to enable you to access it 

For any Kubernetes management system in which you want BMC Discovery to be able to discover all supported resources, you must define a ClusterRole that grants read (get/list) permissions on required resources in the required API groups

For the list of API queries executed by BMC Discovery or the BMC Discovery on Kubernetes, see Kubernetes Open link in the BMC Discovery content reference documentation. You must also create a ServiceAccount in the default namespace and bind it to the ClusterRole. You can do this by downloading a YAML file from the BMC Discovery UI and applying it by using the Kubernetes kubectl utility.

To download the file:

  1. From the main menu, select Manage > Discovery Tools.
  2. In the Kubernetes RBAC Setup section, click Download Kubernetes RBAC Setup YAML and download the file.


Important

The Kubernetes RBAC Setup YAML file is a template that provides "allow-read (get/list)" access to all resources and API groups by default.

Before applying the Kubernetes RBAC Setup YAML file, ensure that the default configurations comply with your security policies and environment. If not, modify the file (for example, restrict permissions to API groups). If your default namespace has been changed, ensure to add it to ClusterRole and ServiceAccount. Overwise, credentials fail. 

To apply the file and configure the permissions:

  1. Log in to the Kubernetes management system.
  2. Transfer the file to the Kubernetes management system, for example to the /tmp directory.

  3. Apply the the kubernetes-rbac-setup.yaml file using the kubectl utility.

    kubectl apply -f tmp/kubernetes-rbac-setup.yaml

  4. Find the name of the token that you created:

    [tideway@kubeapp ~]$ kubectl get secret
NAME                                           TYPE                                  DATA   AGE
default-token-zfwk4                            kubernetes.io/service-account-token   3      218d
discovery-token-nkssp                          kubernetes.io/service-account-token   3      2d
efs-provisioner-token-pbcf5                    kubernetes.io/service-account-token   3      8d
okteto-main                                    Opaque                                3      210d
sh.helm.release.v1.fred-dev.v1                 helm.sh/release.v1                    1      9d
sh.helm.release.v1.jane-dev.v1                 helm.sh/release.v1                    1      14d
[tideway@kubeapp ~]$

    The token is called discovery-token-nkssp.

  5. Retrieve the token so that you can use it in the credential:

    [tideway@kubeapp ~]$  kubectl describe secret discovery-token-nkssp
Name:         discovery-token-nkssp
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: discovery
              kubernetes.io/service-account.uid: e489f3bf-aaaa-9999-b854-abcdeb12345e

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImlodUxYZ3doMWRtS1lTSl8wcmVpbGxTWTR6M196Rjk5eU5xRTFJa1ZmdU0ifQ.ey
Jpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZ
... 
2_3oukto7HQhYL_cbAx2hdJwLmrUNDHf4MFuhiD9DGvEdBr7Wg_4OrQTn9v7PM7jHCfy_iE4fwt74Jz5zzqn-v82uBrpI3WsJgwcXFTBD
YmmF5JuO0FT5Dmaw
[tideway@kubeapp ~]$

  6. Retrieve the URL so that you can use it in the credential:

    [tideway@kubeapp ~]$ kubectl cluster-info
Kubernetes master is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com
CoreDNS is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[tideway@kubeapp ~]$

Create an API provider credential valid for the Kubernetes system 

Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding credentials.

API provider credentials use the URL to connect to the Kubernetes API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.

 In an IP scan, when, for example container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.

Perform a snapshot API scan 

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.
  3. In the Targeting field, select API.



  4. Enter the information for the snapshot API provider discovery run in the fields.

    Field name

    Details

    Label

    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.

    Timing

    Select the run type, one of:

    • Snapshot — The run is performed immediately.

    • Scheduled — The run is performed according to the scheduling information you enter.

    For this snapshot scan, select Snapshot.

    Targeting

    Select the target for the discovery run. This is one of:

    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.

    For this API provider scan, select API.

    Provider

    Specify the type of API provider. Currently, BMC Discovery supports the following providers:

    • Kubernetes/OpenShift Cluster
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters 
    Credential

    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.

  5. Click OK to start the run.

 

For information on running all types of discovery runs, see Performing a discovery run.

Viewing the discovered Kubernetes cluster

Once you have discovered a cluster, you can view it. To do so:

  1. From the Discovery page.
  2. Select the Recent Runs tab.
  3. Click the snapshot API scan you just performed.

  4. Click the Cluster icon. 

For more information

For more information on the way that Kubernetes clusters are discovered, see Kubernetes in the BMC Discovery Content Reference documentation.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Olha Horbachuk on Jan 10, 2024
kubernetes kubernetes_clusters help_op_manage_disco production_ready help_op_manage_creds help_disco_tasks help_addconfig_creds help_addconfig_creds_op

Comments

  1. Peng Li

    With the release of Kubernetes 1.24, service accounts are no longer created with a corresponding secret token. The kubernetes-rbac-setup.yaml file need to be modified accordingly.

    Feb 16, 2023 02:41

Log in or register to comment.

Adding and viewing supported API providers
Discovering Kubernetes clusters managed by Rancher
© Copyright 2004 - 2023 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.