DivvyCloud

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Managed Kubernetes

Overview

The following instructions walk through the steps to add a Kubernetes cluster to your current DivvyCloud installation. You will create an RBAC service account, ClusterRole, ClusterRoleBinding, and run a short script to generate a DivvyCloud-specific Kubernetes config file.

Note: A Role can be created instead of a ClusterRole; if you do, ensure that its resources match the ClusterRole below as closely as possible.

Prerequisites

Before you can complete this setup, you will need to ensure you have the following:

  • An existing DivvyCloud account and installation
  • An existing Kubernetes cluster that you want to connect through a service account, with admin access sufficient to create cluster roles on it.

For questions or concerns reach out to us at [email protected]

Steps to Connect Your Kubernetes Cluster

Installation Notes

For customers attempting to onboard a Managed Kubernetes cluster to DivvyCloud with a cluster that is configured on a private IP address, you must validate that the cluster has VPC Peering/Transit Gateway configured and enabled in the same environment as your DivvyCloud installation. This ensures that the Managed Kubernetes server endpoint is accessible to DivvyCloud.

If you have questions or concerns about your configuration reach out to us at [email protected]

Creating the RBAC Service Account

The first step to add your Kubernetes cluster to DivvyCloud is to create a ServiceAccount, ClusterRole, and ClusterRoleBinding. Refer to the following steps:

1. Download the following files:

  • cluster_role.yaml
  • cluster_role_binding.yaml
  • service_account.yaml

Their contents are shown below, separated by ---:

# cluster_role.yaml
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: divvycloud-cluster-role
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - podsecuritypolicies
      - networkpolicies
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    # "*" grants create/update/patch/delete on all of the above, not only read
    # access; narrow it to get/list/watch if this account should only harvest.
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
# cluster_role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: divvycloud-cluster-role
subjects:
- kind: ServiceAccount
  name: divvycloud-service-account
  namespace: default
---
# service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: divvycloud-service-account
  # No namespace is set, so the account is created in your current kubectl
  # namespace; the binding above expects it to be in default.

2. From the directory where you’ve placed these three files, run the following commands to apply the YAML files.

Note: This sample deployment uses the default namespace, but it can be modified based on your requirements.

kubectl apply -f cluster_role.yaml
kubectl apply -f cluster_role_binding.yaml
kubectl apply -f service_account.yaml
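To see exactly what the ClusterRole above hands to the service account, and what a read-only variant would look like, here is an added audit script (not DivvyCloud's code). It takes the role in the JSON shape `kubectl get clusterrole divvycloud-cluster-role -o json` returns; the embedded rules are a constructed copy of the page's role trimmed to a few resources.

```python
import json

READ_ONLY = {"get", "list", "watch"}
ALL_VERBS = READ_ONLY | {"create", "update", "patch", "delete", "deletecollection"}

# Constructed input: the page's ClusterRole trimmed to a few resources, in the
# JSON shape `kubectl get clusterrole divvycloud-cluster-role -o json` returns.
CLUSTER_ROLE = json.loads("""{
  "kind": "ClusterRole",
  "metadata": {"name": "divvycloud-cluster-role"},
  "rules": [
    {"apiGroups": ["", "apps", "batch"],
     "resources": ["pods", "deployments", "jobs"],
     "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]}
  ]
}""")

def expand_verbs(verbs):
    """Expand the RBAC wildcard into the concrete resource verbs it implies."""
    return set(ALL_VERBS) if "*" in verbs else set(verbs)

def write_grants(role):
    """Map each target (group/resource or url:path) to the sorted verbs beyond
    read access it receives; an empty dict means the role is read-only."""
    findings = {}
    for rule in role["rules"]:
        verbs = rule.get("verbs", [])
        for url in rule.get("nonResourceURLs", []):
            # non-resource paths use HTTP verbs; anything beyond get is a write
            nr = {"*"} if "*" in verbs else set(verbs) - {"get"}
            if nr:
                findings[f"url:{url}"] = sorted(nr)
        extra = expand_verbs(verbs) - READ_ONLY
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                if extra:
                    findings[f"{group or 'core'}/{res}"] = sorted(extra)
    return findings

def read_only_rules(role):
    """Least-privilege variant of the same rules: get/list/watch on resources,
    get on non-resource paths, for an account that harvests but never remediates."""
    out = []
    for rule in role["rules"]:
        verbs = ["get"] if "nonResourceURLs" in rule else sorted(READ_ONLY)
        out.append(dict(rule, verbs=verbs))
    return out
```

Run `write_grants` on the real role JSON before applying it; if DivvyCloud should not remediate through this account, apply the `read_only_rules` output instead.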

Creating the Kubernetes Config File

The next step to connecting your Kubernetes cluster to DivvyCloud is to generate a custom Kubernetes config file. You will need to get the following information from the cluster:

  • cluster name
  • cluster server
  • CA Cert Data
  • Namespace
  • Token

We recommend using the following script to obtain this information:

This bash script takes the name of the service account you created earlier as its first argument; here we use divvycloud-service-account. If you pass the wrong service account name, the script will fail.

#!/usr/bin/env bash

# Copyright 2017, Z Lab Corporation. All rights reserved.
# Copyright 2017, Kubernetes scripts contributors
#
# For the full copyright and license information, please view the LICENSE
# file that was distributed with this source code.

set -e

if [[ $# == 0 ]]; then
  echo "Usage: $0 SERVICEACCOUNT [kubectl options]" >&2
  echo "" >&2
  echo "This script creates a kubeconfig to access the apiserver with the specified serviceaccount and outputs it to stdout." >&2

  exit 1
fi

# Run kubectl against the current (admin) kubeconfig, passing through any
# extra options given after the service account name.
function _kubectl() {
  kubectl "$@" $kubectl_options
}

serviceaccount="$1"
kubectl_options="${@:2}"

# Look up the token Secret bound to the service account. Note: Kubernetes 1.24+
# no longer auto-creates this Secret, so on such clusters the lookup returns
# empty and the script exits 2 unless a token Secret exists for the account.
if ! secret="$(_kubectl get serviceaccount "$serviceaccount" -o 'jsonpath={.secrets[0].name}' 2>/dev/null)"; then
  echo "serviceaccounts \"$serviceaccount\" not found." >&2
  exit 2
fi

if [[ -z "$secret" ]]; then
  echo "serviceaccounts \"$serviceaccount\" doesn't have a serviceaccount token." >&2
  exit 2
fi

# context
context="$(_kubectl config current-context)"
# cluster name and API server endpoint, taken from the current context
cluster="$(_kubectl config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")"
server="$(_kubectl config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")"
# CA certificate, namespace and bearer token, base64-decoded from the Secret
ca_crt_data="$(_kubectl get secret "$secret" -o "jsonpath={.data.ca\.crt}" | openssl enc -d -base64 -A)"
namespace="$(_kubectl get secret "$secret" -o "jsonpath={.data.namespace}" | openssl enc -d -base64 -A)"
token="$(_kubectl get secret "$secret" -o "jsonpath={.data.token}" | openssl enc -d -base64 -A)"

# Build a fresh kubeconfig in a temp file so the admin kubeconfig is untouched;
# --embed-certs inlines the CA so the output is a single self-contained file.
export KUBECONFIG="$(mktemp)"
kubectl config set-credentials "$serviceaccount" --token="$token" >/dev/null
ca_crt="$(mktemp)"; echo "$ca_crt_data" > "$ca_crt"
kubectl config set-cluster "$cluster" --server="$server" --certificate-authority="$ca_crt" --embed-certs >/dev/null
kubectl config set-context "$context" --cluster="$cluster" --namespace="$namespace" --user="$serviceaccount" >/dev/null
kubectl config use-context "$context" >/dev/null

# The output contains the account's long-lived bearer token: handle it as a secret.
cat "$KUBECONFIG"
# vim: ft=sh :

Download the script above and run it with bash (it uses bash-only syntax such as [[ ]] and ${@:2}, so a plain sh may reject it):

bash create-kube-config-sa.sh divvycloud-service-account

This command will print a Kubernetes config file to STDOUT. This file can be used to add a Kubernetes cloud account to DivvyCloud.
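Before pasting the file into DivvyCloud it is worth confirming that it points at an HTTPS endpoint with an embedded CA and that its token really belongs to the intended service account. The following checker is an added example, not part of DivvyCloud's docs; it reads the file in the JSON form `kubectl --kubeconfig=<file> config view --raw -o json` prints (so no YAML library is needed), and the embedded sample is constructed with a dummy CA and an unsigned token carrying the `sub` claim a service-account token has.

```python
import base64
import json

def jwt_claims(token):
    """Decode the payload of a JWT (no signature check; inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_kubeconfig(cfg, expected_sa, expected_ns):
    """Return a list of problems; an empty list means the file looks right."""
    problems = []
    name = cfg.get("current-context")
    ctx = next((c["context"] for c in cfg.get("contexts", []) if c["name"] == name), None)
    if ctx is None:
        return ["current-context does not name a context in the file"]
    cluster = next((c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"]), {})
    user = next((u["user"] for u in cfg["users"] if u["name"] == ctx["user"]), {})
    if not cluster.get("server", "").startswith("https://"):
        problems.append("cluster server is not https")
    ca = base64.b64decode(cluster.get("certificate-authority-data", ""))
    if b"-----BEGIN CERTIFICATE-----" not in ca:
        problems.append("certificate-authority-data missing or not PEM")
    token = user.get("token", "")
    if token.count(".") != 2:
        problems.append("user token is not a JWT")
    else:
        want = f"system:serviceaccount:{expected_ns}:{expected_sa}"
        if jwt_claims(token).get("sub") != want:
            problems.append(f"token subject is not {want}")
    if ctx.get("namespace") != expected_ns:
        problems.append("context namespace differs from the service account namespace")
    return problems

def unsigned_jwt(claims):
    """Constructed token for the sample only: real tokens are signed by the API server."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample in the shape `kubectl config view --raw -o json` prints.
SAMPLE = {
    "current-context": "prod",
    "contexts": [{"name": "prod", "context": {"cluster": "prod", "namespace": "default",
                                              "user": "divvycloud-service-account"}}],
    "clusters": [{"name": "prod", "cluster": {"server": "https://10.0.0.1:6443",
                  "certificate-authority-data": base64.b64encode(
                      b"-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n").decode()}}],
    "users": [{"name": "divvycloud-service-account",
               "user": {"token": unsigned_jwt({"sub": "system:serviceaccount:default:divvycloud-service-account"})}}],
}
```

For the real file, load the JSON produced by `kubectl config view --raw -o json` into `check_kubeconfig` with the service account name and namespace you created in the RBAC step.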

Add the Configuration to DivvyCloud

1. Visit the Clouds section of DivvyCloud, select “Add Cloud”. Select 'Kubernetes' as the cloud type to add.

2. Give your Kubernetes cloud a name under “Nickname” and paste the script’s STDOUT output into the “Kubernetes Config” field of the dialog.

3. Select “Add Cloud” to complete.

Success! After adding your Kubernetes account you can confirm the installation under the Clouds section, or browse to Resources > Containers to see your Kubernetes data. (Note: Data will take some time to appear after harvesting is initiated.)
