Discovering Red Hat OpenShift clusters
BMC Discovery has been able to discover OpenShift for some releases. For more information, see Discovering-containers. Using the API providers option to discover OpenShift through its API provides an accurate and efficient way of discovering OpenShift, though it can be used to complement the existing IP address-based method.
API provider discovery of OpenShift supports OpenShift 4.1 and later.
The current IP address-based OpenShift discovery (described in Discovering-containers) uses an IP scan and a host credential to discover OpenShift software running on a host. BMC Discovery creates or updates an existing OpenShift SI. The OpenShift SI triggers additional patterns to discover the containers that the OpenShift management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Discovery can discover hosts only if appropriate credentials are available.
Using the OpenShift API enables you to discover the OpenShift's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.
To discover OpenShift using an API provider
The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:
Task | Action | Procedure |
|---|---|---|
1 | Find OpenShift software using an IP scan | |
2 | Ensure that the OpenShift management system has suitable permissions to enable you to access it. | |
3 | Create an API provider credential valid for the OpenShift system. | |
4 | Perform an API scan |
Find OpenShift management software using an IP scan
Ensure that you have scanned your estate to find all instances of OpenShift. Once you have located them, you can target initial API scans to perform deeper discovery using the OpenShift API.
For information on scanning, see Performing-a-discovery-run. After you have scanned the estate, you can search for OpenShift SIs by performing the following steps:
- In the search box at the top right of the UI, enter OpenShift.
- Click the Software instance row.
The Software Instance list is displayed.
Ensure that the OpenShift management system has suitable permissions to enable you to access it
For any OpenShift system in which you want BMC Discovery to be able to discover all supported resources, you must define a service account with sufficient permissions to see all projects and resources.
For instructions on creating service accounts and roles, see the OpenShift documentation.
OpenShift OAuth
OpenShift OAuth authentication obtains an OAuth token from the OpenShift REST API Well Known Endpoint (WKE) using the provided username and password. Once the token is obtained, it is used to access and discover the OpenShift clusters specified in the credential. OpenShift OAuth provides the ability to discover many OpenShift clusters using a single credential. The WKE authorization server must be resolvable.
Bearer token
Bearer token authentication uses a token valid for a single OpenShift cluster to access and discover the cluster.
For instructions on obtaining the URL and non-expiring token to use in the API provider credential, see Using service accounts in applications.
For information on using OAuth, see Using a service account as an OAuth client.
Create an API provider credential valid for the OpenShift system
Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding-credentials.
API provider credentials use the URL to connect to the OpenShift API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.
In an IP scan, when, for example container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.
Perform a snapshot API scan
- On the Manage > Discovery page, click Add New Run.
- In the Timing field, select Snapshot.
- In the Targeting field, select API.
- Enter the information for the snapshot API provider discovery run in the fields.
- Click OK to start the run.
For information on running all types of discovery runs, see Performing-a-discovery-run.
Viewing the discovered OpenShift cluster
Once you have discovered a cluster, you can view it. To do so:
- From the Discovery page.
- Select the Recent Runs tab.
- Click the snapshot API scan you just performed. If you have discovered multiple clusters, then a Discovery Access node for each cluster is linked to the Discovery Run.
- Click the Cluster icon.
For more information
For more information on the way that OpenShift clusters are discovered, see Red Hat OpenShift in the BMC Discovery Content Reference documentation.