Manual
Use this method when you want to configure each cluster manually.
Value | Description |
---|---|
Name | The name of the cluster, how it will be displayed in kubenav. |
Server | The URL of the Kubernetes API server. |
Certificate Authority Data | The certificate of the Kubernetes API server. This can be the base64 encoded value or the plain certificate. |
Insecure Skip TLS Verify | If you don't have a certificate for the server, you can enable insecure mode to skip TLS verification. The API server's identity is then not checked. |
Client Certificate Data | The client certificate. This can be the base64 encoded value or the plain certificate. |
Client Key Data | The client key. This can be the base64 encoded value or the plain key. |
Token | The access token for the Kubernetes API server. |
Username | When you are using basic authentication you can use the username and password field. |
Password | When you are using basic authentication you can use the username and password field. |
Use a Service Account
If you don't have a Kubeconfig file that is compatible with kubenav, or if your cloud provider isn't supported, you can create a Service Account and use its credentials for authentication.
In the first step you have to create a `ServiceAccount`, `ClusterRole` and `ClusterRoleBinding`. In the following example we create the required resources in a new Namespace named `kubenav`:
```sh
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: kubenav
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubenav
  namespace: kubenav
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenav
  namespace: kubenav
rules:
  # Wildcards on every field: full, unrestricted cluster access.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubenav
  namespace: kubenav
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenav
subjects:
  - kind: ServiceAccount
    name: kubenav
    namespace: kubenav
EOF
```
Next, we need the secret that is used by the Service Account. To get the name of the secret, run the following command:
```sh
export SECRET_NAME=$(kubectl get sa --namespace kubenav kubenav -o=jsonpath='{.secrets[*].name}')
```
To get the certificate and access token to authenticate against the Kubernetes API we can run the following:
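```sh
# The secret lives in the kubenav namespace, so the namespace must be given here as well.
kubectl get secret --namespace kubenav "$SECRET_NAME" -o=jsonpath='{.data.ca\.crt}' | base64 --decode
kubectl get secret --namespace kubenav "$SECRET_NAME" -o=jsonpath='{.data.token}' | base64 --decode
```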
The output from the first command can now be used for the Certificate Authority Data field and the output from the second command for the Token field.
Attention
The RBAC rules specified in the example provide full cluster access without any restrictions. More information can be found in the Kubernetes documentation: Using RBAC Authorization.
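A narrower alternative to the wildcard rule above, as an added example that is not part of the kubenav documentation: a read-only ClusterRole bound to the same `kubenav` Service Account. The name `kubenav-readonly` and the resource list are assumptions; whether kubenav can display everything you need with this set has to be checked against your own usage.

```yaml
# Added example: read-only access instead of apiGroups/resources/verbs "*".
# The name "kubenav-readonly" and the chosen resources are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenav-readonly
rules:
  # Core objects, read-only. Secrets are deliberately left out so the
  # token cannot be used to read other credentials stored in the cluster.
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "pods/log", "services",
                "endpoints", "configmaps", "events",
                "persistentvolumes", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubenav-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenav-readonly
subjects:
  # Same Service Account as in the example above.
  - kind: ServiceAccount
    name: kubenav
    namespace: kubenav
```

Apply it in place of the `kubenav` ClusterRole and ClusterRoleBinding, since a remaining wildcard binding would still grant full access. The effective permissions of the Service Account can be listed with `kubectl auth can-i --list --as=system:serviceaccount:kubenav:kubenav`.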