Important: This documentation space contains information about the SaaS version of BMC Helix Discovery. If you are using the on-premises version of BMC Helix Discovery, see BMC Helix Discovery 25.2 (On-Premises).

Discovering Kubernetes clusters managed by Rancher


Rancher is a Kubernetes management tool to deploy and run clusters anywhere and on any provider. Rancher can provision Kubernetes from a hosted provider, provision compute nodes and then install Kubernetes onto them, or import existing Kubernetes clusters running anywhere. Rancher can centralize authentication and role-based access control (RBAC) for all the clusters.

BMC Helix Discovery discovers Kubernetes clusters managed by Rancher. For information, see Discovering-containers. The IP scan approach described there discovers Kubernetes management software running on a host, and creates or updates a Kubernetes SI. The Kubernetes SI triggers additional patterns to discover the containers that the Kubernetes management software controls. For this approach, the hosts must be reachable by an IP scan, and host credentials must be available.

Using the Rancher API provider enables you to discover all of the Kubernetes clusters managed by Rancher, even those hosts that cannot be reached with an IP scan.

API provider discovery of Rancher supports Rancher 2.5 and later.

Automatically discover your cloud-based Kubernetes clusters

Automatic discovery of cloud-based Kubernetes clusters occurs by default when you scan your supported cloud services. When BMC Discovery finds a Kubernetes cluster, it creates an automatic scan using a Kubernetes token obtained from the cloud provider. Automatic scanning of Kubernetes clusters can be disabled for each scan (Automatically scan Kubernetes clusters). No additional credentials are required; the API token is generated from your existing privileges. The cluster URL must be accessible to BMC Helix Discovery, which may be referred to as enabling the public API.

Automatic scanning of Kubernetes clusters is supported in the following cloud vendor with no additional configuration:

Automatic scanning of Kubernetes clusters is supported in the following cloud vendors, though it requires additional (RBAC) configuration:

Automatic scanning of Kubernetes clusters is not supported in OpenStack.


Kubernetes is an open-source platform for automating deployment, scaling, and operations of application containers across clusters of hosts, and providing container-based infrastructure. BMC Helix Discovery has been able to discover Kubernetes for several releases. For more information, see Discovering-containers. Using the API providers option to discover Kubernetes through its API is an accurate and efficient method, and it can also be used to complement the existing IP address-based method.



The current IP address-based Kubernetes discovery (described in Discovering-containers) uses an IP scan and a host credential to discover Kubernetes management software running on a host. BMC Helix Discovery creates or updates an existing Kubernetes SI. The Kubernetes SI triggers additional patterns to discover the containers that the Kubernetes management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Helix Discovery can discover hosts only if appropriate credentials are available.

Using the Kubernetes API enables you to discover the Kubernetes management software's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.

To discover Kubernetes using an API provider

Perform the following tasks in the order shown; each task is described in the procedure of the same name below:

  1. Find Kubernetes management software using an IP scan.
  2. Ensure that the Kubernetes management system has suitable permissions to enable you to access it.
  3. Create an API provider credential valid for the Kubernetes system.
  4. Perform an API scan.

Find Kubernetes management software using an IP scan 

Ensure that you have scanned your estate to find all instances of Kubernetes. Once you have located them, you can target initial API scans to perform deeper discovery using the Kubernetes API.

For information on scanning, see Performing-a-discovery-run. After you have scanned the estate, you can search for Kubernetes SIs by performing the following steps:

  1. In the search box at the top right of the UI, enter Kubernetes.
  2. Click the Software instance row.
    The Software Instance list is displayed.

Ensure that the Kubernetes management system has suitable permissions to enable you to access it 

For any Kubernetes management system in which you want BMC Helix Discovery to be able to discover all supported resources, you must define a ClusterRole that grants read (get/list) permissions on the required resources in the required API groups.

For the list of API queries executed by BMC Helix Discovery on Kubernetes, see Kubernetes in the BMC Helix Discovery content reference documentation. You must also create a ServiceAccount in the default namespace and bind it to the ClusterRole. You can do this by downloading a YAML file from this page and applying it with the Kubernetes kubectl utility. The binding must be cluster-wide (a ClusterRoleBinding), not a namespaced RoleBinding.

The YAML file is available for download here: kubernetes-rbac-setup.yaml.

Important

The Kubernetes RBAC Setup YAML file is a template that, by default, grants "allow-read (get/list)" access to all resources and API groups.

Before applying the Kubernetes RBAC Setup YAML file, ensure that these default permissions comply with your security policies and environment. If they do not, modify the file (for example, restrict the permissions to the API groups that discovery needs). If your default namespace has been changed, add that namespace to the ClusterRole and ServiceAccount definitions; otherwise, the credential fails.

To apply the file and configure the permissions:

  1. Log in to the Kubernetes management system.
  2. Transfer the file to the Kubernetes management system, for example to the /tmp directory.
  3. Apply the kubernetes-rbac-setup.yaml file using the kubectl utility (the path below matches the /tmp directory used in the previous step):

    kubectl apply -f /tmp/kubernetes-rbac-setup.yaml
  4. Find the name of the token that you created:

    [tideway@kubeapp ~]$ kubectl get secret
    NAME                                           TYPE                                  DATA   AGE
    default-token-zfwk4                            kubernetes.io/service-account-token   3      218d
    discovery-token-nkssp                          kubernetes.io/service-account-token   3      2d
    efs-provisioner-token-pbcf5                    kubernetes.io/service-account-token   3      8d
    okteto-main                                    Opaque                                3      210d
    sh.helm.release.v1.fred-dev.v1                 helm.sh/release.v1                    1      9d
    sh.helm.release.v1.jane-dev.v1                 helm.sh/release.v1                    1      14d
    [tideway@kubeapp ~]$ 

    The token is called discovery-token-nkssp.

  5. Retrieve the token so that you can use it in the credential:

    [tideway@kubeapp ~]$  kubectl describe secret discovery-token-nkssp
    Name:         discovery-token-nkssp
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: discovery
                  kubernetes.io/service-account.uid: e489f3bf-aaaa-9999-b854-abcdeb12345e

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1025 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImlodUxYZ3doMWRtS1lTSl8wcmVpbGxTWTR6M196Rjk5eU5xRTFJa1ZmdU0ifQ.ey
    Jpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZ
    ...
    2_3oukto7HQhYL_cbAx2hdJwLmrUNDHf4MFuhiD9DGvEdBr7Wg_4OrQTn9v7PM7jHCfy_iE4fwt74Jz5zzqn-v82uBrpI3WsJgwcXFTBD
    YmmF5JuO0FT5Dmaw
    [tideway@kubeapp ~]$
  6. Retrieve the URL so that you can use it in the credential:

    [tideway@kubeapp ~]$ kubectl cluster-info
    Kubernetes master is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com
    CoreDNS is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
    Metrics-server is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    [tideway@kubeapp ~]$
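The setup from steps 3 to 6 as an added example (not BMC's kubernetes-rbac-setup.yaml and not BMC code): a least-privilege variant of the manifest, an offline check that a retrieved token really belongs to the expected ServiceAccount before it is pasted into the credential, and, when the script is invoked with the argument apply, a kubectl check that the account can read but not modify resources. It assumes a ServiceAccount named discovery in the default namespace, as in the output above; the resource list in the ClusterRole and the function names are illustrative, and the real query list comes from the Kubernetes content reference.

```shell
#!/bin/sh
# Added example, not BMC's kubernetes-rbac-setup.yaml. Assumptions: ServiceAccount
# "discovery" in namespace "default"; the resources listed in the ClusterRole are
# illustrative (take the real list from the Kubernetes content reference).
SA_NAME="${SA_NAME:-discovery}"
SA_NAMESPACE="${SA_NAMESPACE:-default}"

# Read-only (get/list) ClusterRole limited to named API groups and resources, the
# ServiceAccount, and a cluster-wide ClusterRoleBinding (not a namespaced RoleBinding).
rbac_manifest() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${SA_NAME}-readonly
rules:
  - apiGroups: [""]
    resources: [nodes, namespaces, pods, services, endpoints, persistentvolumes]
    verbs: [get, list]
  - apiGroups: [apps]
    resources: [deployments, statefulsets, daemonsets, replicasets]
    verbs: [get, list]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${SA_NAME}-readonly
subjects:
  - kind: ServiceAccount
    name: ${SA_NAME}
    namespace: ${SA_NAMESPACE}
EOF
}

# Decode the payload segment of a JWT (no signature check; this only reads claims).
# Restores base64 padding and the standard alphabet before decoding.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
  echo
}

# Succeed only if the token's "sub" claim names the expected ServiceAccount, so a
# token copied from the wrong Secret is caught before it goes into the credential.
token_matches_sa() {
  sub=$(jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  [ "$sub" = "system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}" ]
}

# Constructed, unsigned token in JWT shape for offline use of the checks above;
# the third segment is a placeholder, not a signature.
constructed_token() {
  payload="{\"iss\":\"kubernetes/serviceaccount\",\"sub\":\"system:serviceaccount:$1:$2\"}"
  body=$(printf '%s' "$payload" | base64 | tr -d '\n=' | tr -- '+/' '-_')
  printf 'eyJhbGciOiJSUzI1NiJ9.%s.placeholder-signature' "$body"
}

# Online part (only when invoked as: sh setup.sh apply): apply the manifest, mint a
# token, and ask the API server what the account can and cannot do. On Kubernetes
# 1.24+ token Secrets are no longer created automatically for a ServiceAccount, so
# "kubectl create token" replaces the "kubectl get secret" lookup shown above.
setup_and_check() {
  rbac_manifest | kubectl apply -f -
  token=$(kubectl -n "$SA_NAMESPACE" create token "$SA_NAME" --duration=24h)
  token_matches_sa "$token" || { echo "token subject mismatch" >&2; return 1; }
  subj="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
  kubectl auth can-i list pods --all-namespaces --as="$subj" | grep -qx yes || return 1
  kubectl auth can-i delete pods --all-namespaces --as="$subj" | grep -qx no || return 1
  # API URL for the credential (the same value that "kubectl cluster-info" prints).
  kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'; echo
  printf '%s\n' "$token"
}

if [ "${1:-}" = "apply" ]; then
  setup_and_check
fi
```

The "--as" impersonation in setup_and_check needs impersonate rights for the account running kubectl, which a cluster administrator normally has.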

Create an API provider credential valid for the Kubernetes system 

Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding-credentials.

API provider credentials use the URL to connect to the Kubernetes API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.

In an IP scan, discovering container management software, for example, might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.

Perform a snapshot API scan 

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.
  3. In the Targeting field, select API.
  4. Enter the information for the snapshot API provider discovery run in the following fields:

    Label
    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.

    Timing
    Select the run type, one of:
    • Snapshot — The run is performed immediately.
    • Scheduled — The run is performed according to the scheduling information you enter.
    For this snapshot scan, select Snapshot.

    Targeting
    Select the target for the discovery run. This is one of:
    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.
    For this API provider scan, select API.

    Provider
    Specify the type of API provider. Currently, BMC Helix Discovery supports the following providers:
    • Kubernetes/OpenShift Cluster
    • Meraki Dashboard
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters

    Restrict by Organization
    This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings. Select the organization that you want to use for the scan. The organizations available in the list are limited to those of which the logged-in user is a member. The organization you select determines the Outposts available in the scope via field. For more information, see Outposts-restricted-by-organizations.

    Credential
    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.

  5. Click OK to start the run.

For information on running all types of discovery runs, see Performing-a-discovery-run.

Viewing the discovered Kubernetes cluster

Once you have discovered a cluster, you can view it. To do so:

  1. Go to the Discovery page.
  2. Select the Recent Runs tab.
  3. Click the snapshot API scan you just performed.
  4. Click the Cluster icon.

For more information

For more information on the way that Kubernetes clusters are discovered, see Kubernetes in the BMC Discovery Content Reference documentation.

The current IP address-based Kubernetes discovery (described in Discovering-containers) uses an IP scan and a host credential to discover Kubernetes management software running on a host. BMC Helix Discovery creates or updates an existing Kubernetes SI. The Kubernetes SI triggers additional patterns to discover the containers that the Kubernetes management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Helix Discovery can discover hosts only if appropriate credentials are available.

Using the Kubernetes API enables you to discover the Kubernetes management software's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.

To discover Kubernetes using an API provider

The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:

Task

Action

Procedure

1

Find Kubernetes management software using an IP scan

2

Ensure that the Kubernetes management system has suitable permissions to enable you to access it.

3

Create an API provider credential valid for the Kubernetes system.

4

Perform an API scan

Find Kubernetes management software using an IP scan 

Ensure that you have scanned your estate to find all instances of Kubernetes. Once you have located them, you can target initial API scans to perform deeper discovery using the Kubernetes API.

For information on scanning, see Performing-a-discovery-run. After you have scanned the estate, you can search for Kubernetes SIs by performing the following steps:

  1. In the search box at the top right of the UI, enter Kubernetes.
  2. Click the Software instance row.
    The Software Instance list is displayed.

    SIList.png

Ensure that the Kubernetes management system has suitable permissions to enable you to access it 

For any Kubernetes management system in which you want BMC Helix Discovery to be able to discover all supported resources, you must define a ClusterRole that grants read (get/list) permissions on required resources in the required API groups

For the list of API queries executed by BMC Helix Discovery on Kubernetes, seeKubernetesin the BMC Helix Discovery content reference documentation. You must also create a ServiceAccount in the default namespace and bind it to the ClusterRole. You can do this by downloading a YAML file from this page and applying this file by using the Kubernetes kubectl utility. The RoleBindings must be set to cluster-wide type.

The YAML file is available for download at this link kubernetes-rbac-setup.yaml.

Warning

Important

The Kubernetes RBAC Setup YAML file is a template that provides "allow-read (get/list)" access to all resources and API groups by default.

Before applying the Kubernetes RBAC Setup YAML file, ensure that the default configurations comply with your security policies and environment. If not, modify the file (for example, restrict permissions to API groups). If your default namespace has been changed, ensure to add it to ClusterRole and ServiceAccount. Overwise, credentials fail. 

To apply the file and configure the permissions:

  1. Log in to the Kubernetes management system.
  2. Transfer the file to the Kubernetes management system, for example to the /tmp directory.
  3. Apply the the kubernetes-rbac-setup.yaml file using the kubectl utility.

    kubectl apply -f tmp/kubernetes-rbac-setup.yaml
  4. Find the name of the token that you created:

    [tideway@kubeapp ~]$ kubectl get secret
    NAME                                           TYPE                                  DATA   AGE
    default-token-zfwk4                            kubernetes.io/service-account-token   3      218d
    discovery-token-nkssp                          kubernetes.io/service-account-token   3      2d
    efs-provisioner-token-pbcf5                    kubernetes.io/service-account-token   3      8d
    okteto-main                                    Opaque                                3      210d
    sh.helm.release.v1.fred-dev.v1                 helm.sh/release.v1                    1      9d
    sh.helm.release.v1.jane-dev.v1                 helm.sh/release.v1                    1      14d
    [tideway@kubeapp ~]$ 

    The token is called discovery-token-nkssp.

  5. Retrieve the token so that you can use it in the credential:

    [tideway@kubeapp ~]$  kubectl describe secret discovery-token-nkssp
    Name:         discovery-token-nkssp
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: discovery
                  kubernetes.io/service-account.uid: e489f3bf-aaaa-9999-b854-abcdeb12345e

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1025 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImlodUxYZ3doMWRtS1lTSl8wcmVpbGxTWTR6M196Rjk5eU5xRTFJa1ZmdU0ifQ.ey
    Jpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZ
    ...
    2_3oukto7HQhYL_cbAx2hdJwLmrUNDHf4MFuhiD9DGvEdBr7Wg_4OrQTn9v7PM7jHCfy_iE4fwt74Jz5zzqn-v82uBrpI3WsJgwcXFTBD
    YmmF5JuO0FT5Dmaw
    [tideway@kubeapp ~]$
  6. Retrieve the URL so that you can use it in the credential:

    [tideway@kubeapp ~]$ kubectl cluster-info
    Kubernetes master is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com
    CoreDNS is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
    Metrics-server is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    [tideway@kubeapp ~]$

Create an API provider credential valid for the Kubernetes system 

Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding-credentials.

API provider credentials use the URL to connect to the Kubernetes API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.

 In an IP scan, when, for example container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.

Perform a snapshot API scan 

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.
  3. In the Targeting field, select API.Kubernetes_Snapshot_23.2_DAAS.png
  4. Enter the information for the snapshot API provider discovery run in the fields.
    Field name
    Details
    Label
    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.
    Timing
    Select the run type, one of:
    • Snapshot — The run is performed immediately.
    • Scheduled — The run is performed according to the scheduling information you enter.
    For this snapshot scan, select Snapshot.
    Targeting
    Select the target for the discovery run. This is one of:
    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.
    For this API provider scan, select API.
    Provider
    Specify the type of API provider. Currently, BMC Helix Discovery supports the following providers:
    • Kubernetes/OpenShift Cluster
    • Meraki Dashboard
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters 
    Restrict by Organization
    This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings.Select the organization that you want to use for the scan. The organizations available in the list are limited to those organizations of which the logged-in user is a member. The organization you select impacts the Outposts available in the scope via field. For more information, see Outposts-restricted-by-organizations.  
    Credential
    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.
  5. Click OK to start the run.
 

For information on running all types of discovery runs, see Performing-a-discovery-run.

Viewing the discovered Kubernetes cluster

Once you have discovered a cluster, you can view it. To do so:

  1. From the Discovery page.
  2. Select the Recent Runs tab.
  3. Click the snapshot API scan you just performed.

    APIDiscoRun.png
  4. Click the Cluster icon. 
    KubernetesCluster.png

For more information

For more information on the way that Kubernetes clusters are discovered, see Kubernetes in the BMC Discovery Content Reference documentation.

The current IP address-based Kubernetes discovery (described in Discovering-containers) uses an IP scan and a host credential to discover Kubernetes management software running on a host. 

BMC Helix Discovery

 creates or updates an existing Kubernetes SI. The Kubernetes SI triggers additional patterns to discover the containers that the Kubernetes management software controls. Using this approach, you can determine the management software and structure of the containers. However, 

BMC Helix Discovery

 can discover hosts only if appropriate credentials are available.Using the Kubernetes API enables you to discover the Kubernetes management software's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan.

To discover Kubernetes using an API provider

The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:

Task

Action

Procedure

1

Find Kubernetes management software using an IP scan

2

Ensure that the Kubernetes management system has suitable permissions to enable you to access it.

3

Create an API provider credential valid for the Kubernetes system.

4

Perform an API scan

Find Kubernetes management software using an IP scan 

Ensure that you have scanned your estate to find all instances of Kubernetes. Once you have located them, you can target initial API scans to perform deeper discovery using the Kubernetes API.For information on scanning, see Performing-a-discovery-run. After you have scanned the estate, you can search for Kubernetes SIs by performing the following steps:

  1. In the search box at the top right of the UI, enter Kubernetes.
  2. Click the Software instance row.
    The Software Instance list is displayed.

    SIList.png

Ensure that the Kubernetes management system has suitable permissions to enable you to access it 

For any Kubernetes management system in which you want 

BMC Helix Discovery

 to be able to discover all supported resources, you must define a ClusterRole that grants read (get/list) permissions on required resources in the required API groups

For the list of API queries executed by BMC Helix Discovery on Kubernetes, seeKubernetesin the BMC Helix Discovery content reference documentation. You must also create a ServiceAccount in the default namespace and bind it to the ClusterRole. You can do this by downloading a YAML file from this page and applying this file by using the Kubernetes kubectl utility. The RoleBindings must be set to cluster-wide type.

The YAML file is available for download at this link kubernetes-rbac-setup.yaml.

Warning

Important

The Kubernetes RBAC Setup YAML file is a template that provides "allow-read (get/list)" access to all resources and API groups by default.

Before applying the Kubernetes RBAC Setup YAML file, ensure that the default configurations comply with your security policies and environment. If not, modify the file (for example, restrict permissions to API groups). If your default namespace has been changed, ensure to add it to ClusterRole and ServiceAccount. Overwise, credentials fail. 

Warning

ImportantThe Kubernetes RBAC Setup YAML file is a template that provides "allow-read (get/list)" access to all resources and API groups by default.Before applying the Kubernetes RBAC Setup YAML file, ensure that the default configurations comply with your security policies and environment. If not, modify the file (for example, restrict permissions to API groups). If your default namespace has been changed, ensure to add it to ClusterRole and ServiceAccount. Overwise, credentials fail. 

To apply the file and configure the permissions:

  1. Log in to the Kubernetes management system.
  2. Transfer the file to the Kubernetes management system, for example to the /tmp directory.
  3. Apply the the 

    kubernetes-rbac-setup.yaml

     file using the 

    kubectl

     utility.

    kubectl apply -f tmp/kubernetes-rbac-setup.yaml

    kubectl apply -f tmp/kubernetes-rbac-setup.yaml

  4. Find the name of the token that you created:

    [tideway@kubeapp ~]$ kubectl get secret
    NAME                                           TYPE                                  DATA   AGE
    default-token-zfwk4                            kubernetes.io/service-account-token   3      218d
    discovery-token-nkssp                          kubernetes.io/service-account-token   3      2d
    efs-provisioner-token-pbcf5                    kubernetes.io/service-account-token   3      8d
    okteto-main                                    Opaque                                3      210d
    sh.helm.release.v1.fred-dev.v1                 helm.sh/release.v1                    1      9d
    sh.helm.release.v1.jane-dev.v1                 helm.sh/release.v1                    1      14d
    [tideway@kubeapp ~]$ 

    [tideway@kubeapp ~]$ kubectl get secret
    NAME                                           TYPE                                  DATA   AGE
    default-token-zfwk4                            kubernetes.io/service-account-token   3      218d
    discovery-token-nkssp                          kubernetes.io/service-account-token   3      2d
    efs-provisioner-token-pbcf5                    kubernetes.io/service-account-token   3      8d
    okteto-main                                    Opaque                                3      210d
    sh.helm.release.v1.fred-dev.v1                 helm.sh/release.v1                    1      9d
    sh.helm.release.v1.jane-dev.v1                 helm.sh/release.v1                    1      14d
    [tideway@kubeapp ~]$ 

    The token is called 

    discovery-token-nkssp

    .

  5. Retrieve the token so that you can use it in the credential:

    [tideway@kubeapp ~]$  kubectl describe secret discovery-token-nkssp
    Name:         discovery-token-nkssp
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: discovery
                  kubernetes.io/service-account.uid: e489f3bf-aaaa-9999-b854-abcdeb12345e

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1025 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImlodUxYZ3doMWRtS1lTSl8wcmVpbGxTWTR6M196Rjk5eU5xRTFJa1ZmdU0ifQ.ey
    Jpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZ
    ...
    2_3oukto7HQhYL_cbAx2hdJwLmrUNDHf4MFuhiD9DGvEdBr7Wg_4OrQTn9v7PM7jHCfy_iE4fwt74Jz5zzqn-v82uBrpI3WsJgwcXFTBD
    YmmF5JuO0FT5Dmaw
    [tideway@kubeapp ~]$

    [tideway@kubeapp ~]$  kubectl describe secret discovery-token-nkssp
    Name:         discovery-token-nkssp
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: discovery
                  kubernetes.io/service-account.uid: e489f3bf-aaaa-9999-b854-abcdeb12345e

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1025 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImlodUxYZ3doMWRtS1lTSl8wcmVpbGxTWTR6M196Rjk5eU5xRTFJa1ZmdU0ifQ.ey
    Jpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZ
    ...
    2_3oukto7HQhYL_cbAx2hdJwLmrUNDHf4MFuhiD9DGvEdBr7Wg_4OrQTn9v7PM7jHCfy_iE4fwt74Jz5zzqn-v82uBrpI3WsJgwcXFTBD
    YmmF5JuO0FT5Dmaw
    [tideway@kubeapp ~]$

  6. Retrieve the URL so that you can use it in the credential:

    [tideway@kubeapp ~]$ kubectl cluster-info
    Kubernetes master is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com
    CoreDNS is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
    Metrics-server is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    [tideway@kubeapp ~]$

    [tideway@kubeapp ~]$ kubectl cluster-info
    Kubernetes master is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com
    CoreDNS is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
    Metrics-server is running at https://ABCDEFGHIKLMNOPQRSTUVWXYZ1234567.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    [tideway@kubeapp ~]$

Create an API provider credential valid for the Kubernetes system 

Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding-credentials.API provider credentials use the URL to connect to the Kubernetes API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions

In an IP scan, when, for example container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.

Perform a snapshot API scan 

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.
  3. In the Targeting field, select API.

    Kubernetes_Snapshot_23.2_DAAS.png

  4. Enter the information for the snapshot API provider discovery run in the fields.

    Field name

    Details

    Label

    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.

    Timing

    Select the run type, one of:

    • Snapshot — The run is performed immediately.
    • Scheduled — The run is performed according to the scheduling information you enter.

    For this snapshot scan, select Snapshot.

    Targeting

    Select the target for the discovery run. This is one of:

    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.

    For this API provider scan, select API.

    Provider

    Specify the type of API provider. Currently, BMC Helix Discovery supports the following providers:

    • Kubernetes/OpenShift Cluster
    • Meraki Dashboard
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters 

    Restrict by Organization

    This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings.

    Select the organization that you want to use for the scan. The organizations available in the list are limited to those organizations of which the logged-in user is a member. The organization you select impacts the Outposts available in the scope via field. For more information, see Outposts-restricted-by-organizations.  

    Credential

    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.

  5. Click OK to start the run.

For information on running all types of discovery runs, see Performing-a-discovery-run.

Viewing the discovered Kubernetes cluster

Once you have discovered a cluster, you can view it. To do so:

  1. From the Discovery page, select the Recent Runs tab.
  2. Click the snapshot API scan you just performed.

    APIDiscoRun.png
  3. Click the Cluster icon.
    KubernetesCluster.png

For more information

For more information on the way that Kubernetes clusters are discovered, see Kubernetes in the BMC Discovery Content Reference documentation.

To discover Kubernetes clusters by using Rancher API provider

The following tasks must be performed in the order shown; each task is described in the section of the same name below:

  1. Ensure that the Rancher management system has suitable permissions to give you access to the Kubernetes clusters that it manages.
  2. Create an API provider credential valid for the Rancher system.
  3. Perform an API scan.

Ensure that the Rancher management system has suitable permissions to give you access to the Kubernetes clusters that it manages

For any Rancher clusters in which you want to discover all supported resources, you must provide BMC Helix Discovery with a token to authenticate with Rancher. You can obtain a token by using the Rancher UI. The Rancher user must have at least read (get/list) permissions on the required resources in the appropriate API groups for each cluster.
More details about Rancher user management can be obtained here. The required resources are retrieved by BMC Helix Discovery API queries while the Rancher clusters are scanned.

Rancher Bearer token

Rancher token authentication uses a token that is valid either for all clusters or for individual Rancher clusters, according to its scope.

For instructions on obtaining a token to use in the API provider credential, see API Keys and User Authentication.
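Before storing the token in a credential, it is worth confirming that it really carries only the read (get/list) rights the scan needs and nothing broader. The following is an added example, not BMC Helix Discovery or Rancher code: it evaluates the status of a Kubernetes SelfSubjectRulesReview (the data behind `kubectl auth can-i --list`, obtained with the kubeconfig for the cluster) against a list of resources to read. The REQUIRED list is an assumption for illustration, since the page does not enumerate the resources, and the review document is constructed.

```python
"""Check that a token has read (get/list) rights on the resources a scan reads.

Added example, not BMC Helix Discovery or Rancher code. Input is the status of a
Kubernetes SelfSubjectRulesReview (authorization.k8s.io/v1), which is what
`kubectl auth can-i --list` shows. The REQUIRED list is an assumption made for
this illustration; the page itself does not enumerate the resources.
"""
import json

READ_VERBS = ("get", "list")

# Assumed (apiGroup, resource) pairs; "" is the core API group.
REQUIRED = [
    ("", "namespaces"), ("", "nodes"), ("", "pods"), ("", "services"),
    ("apps", "deployments"), ("apps", "daemonsets"), ("apps", "statefulsets"),
]


def _rule_allows(rule, verb, group, resource):
    # A rule grants the request if each field lists the value or a wildcard.
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("verbs", []), verb)
            and hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource))


def missing_read_rights(review, required=REQUIRED):
    """Return sorted (group, resource, verb) triples that no rule grants."""
    rules = review["status"].get("resourceRules", [])
    missing = []
    for group, resource in required:
        for verb in READ_VERBS:
            if not any(_rule_allows(r, verb, group, resource) for r in rules):
                missing.append((group, resource, verb))
    return sorted(missing)


def review_is_complete(review):
    # The API server sets 'incomplete' when it could not evaluate every
    # authorizer; a clean result with incomplete=true must not be trusted.
    return not review["status"].get("incomplete", False)


# Constructed sample: full read on core resources, but only 'get' on two
# apps resources and nothing on statefulsets.
SAMPLE_REVIEW = json.loads("""
{
  "kind": "SelfSubjectRulesReview",
  "apiVersion": "authorization.k8s.io/v1",
  "status": {
    "incomplete": false,
    "resourceRules": [
      {"verbs": ["get", "list", "watch"], "apiGroups": [""],
       "resources": ["pods", "services", "nodes", "namespaces"]},
      {"verbs": ["get"], "apiGroups": ["apps"],
       "resources": ["deployments", "daemonsets"]}
    ],
    "nonResourceRules": [{"verbs": ["get"], "nonResourceURLs": ["/healthz"]}]
  }
}
""")

if __name__ == "__main__":
    if not review_is_complete(SAMPLE_REVIEW):
        print("warning: review incomplete, result may be optimistic")
    for group, resource, verb in missing_read_rights(SAMPLE_REVIEW):
        print(f"missing: {verb} {resource} ({group or 'core'})")
```

The same check can be turned around to flag a token that is too powerful: a rule of `verbs ["*"]` on `apiGroups ["*"]` and `resources ["*"]` satisfies every requirement, which is exactly why a dedicated read-only Rancher user is preferable to an administrator's key for discovery.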

Create an API provider credential valid for the Rancher system

Use the Rancher URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding-credentials.

API provider credentials use the Rancher URL to connect.

Perform a snapshot API scan

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.
  3. In the Targeting field, select API.

    Kubernetes_Snapshot_23.2_DAAS.png

  4. Enter the information for the snapshot API provider discovery run in the fields.

    Field name

    Details

    Label

    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.

    Timing

    Select the run type, one of:

    • Snapshot — The run is performed immediately.
    • Scheduled — The run is performed according to the scheduling information you enter.

    For this snapshot scan, select Snapshot.

    Targeting

    Select the target for the discovery run. This is one of:

    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.

    For this API provider scan, select API.

    Provider

    Specify the type of API provider. Currently, BMC Helix Discovery supports the following providers:

    • Kubernetes/OpenShift Cluster
    • Meraki Dashboard
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters 

    Restrict by Organization

    This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings.

    Select the organization that you want to use for the scan. The organizations available in the list are limited to those organizations of which the logged-in user is a member. The organization you select impacts the Outposts available in the scope via field. For more information, see Outposts-restricted-by-organizations.  

    Credential

    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.

  5. Click OK to start the run.

This example uses a snapshot scan. For information on running scheduled scans, see Performing-a-discovery-run.

Viewing the discovered Rancher clusters

Once you have discovered a Rancher system, you can view the clusters it manages. To do so:

  1. From the Discovery page, select the Recent Runs tab.
  2. Click the snapshot API scan you just performed.
    Rancher_scan2.png

    Info: If node kinds are not displayed in the Rancher API scan summary, click Rescan Now next to the API scan name on the Recent Runs tab, then revisit the API scan summary page.

  3. Click the Clusters icon.
    Rancher_scan3.png
  4. Click any Cluster from the list.
    Rancher_scan4.png

For more information

For more information about the discovery of each Kubernetes cluster, see Kubernetes in the BMC Discovery Content Reference.
