
Manually Enroll Kubernetes Clusters

Overview

In QueryPie, you can manually register Kubernetes clusters in on-premises environments to which access control needs to be applied.

Enrolling Cluster Manually

To register a cluster manually, you need to enter basic information about it.

image-20240721-054859.png

Administrator > Kubernetes > Connection Management > Clusters

  1. Navigate to the Administrator > Kubernetes > Connection Management > Clusters menu.

  2. Click the + Create Cluster button located at the top right.

  3. Here are the details to be entered for manual cluster registration:

    1. Information
      Enter the basic information for the cluster you want to register manually.

      image-20240721-055007.png
      1. Name : Enter a name to identify the cluster. (Required)

        • This information cannot be modified in the future.

      2. Version : Enter the version of the cluster. (Optional)

        • This will be automatically filled in later during credential authentication testing.

      3. API URL : Enter the API URL of the cluster to receive Kubernetes API requests. (Required)

    2. Credential
      To grant access to the Kubernetes API server of your cluster, you need to retrieve the service account token and CA certificate from the cluster itself. Please refer to the Kubernetes Cluster Integration Script Guide below.

      image-20240721-055046.png
      1. Service Account Token : Enter the service account token of the Kubernetes cluster that QueryPie Proxy will use for user Kubernetes API calls.

      2. Certificate Authority : Enter the CA certificate used by QueryPie to validate the Kubernetes API server's certificate.

      3. Verify Credential : Once both the service account token and CA certificate are entered, this button will become active. Clicking it will check if a successful connection can be established.

        • Execution Results:

          1. ✅ Verified : Indicates a successful cluster connection, confirming that both the service account token and CA certificate were entered correctly.

          2. ❌ Verification Failed : Indicates a failed cluster connection. This can be caused by an incorrect service account token or CA certificate value, or by a network connectivity problem.

    3. Logging Options
      Choose logging options for this cluster.

      image-20240721-055129.png
      1. Request Audit : Enables logging of Kubernetes API call history for this cluster. The default setting is On. If this feature is turned Off:

        1. No Kubernetes API call history will be logged for this cluster.

        2. All sub-options under Request Audit Types and Pod Session Recording will be disabled in bulk.

      2. Request Audit Types : Administrators can select the verbs to audit for this cluster. The default setting selects all basic verbs listed below.

        1. Verb Types:

          1. get

          2. list

          3. watch

          4. create

          5. update

          6. patch

          7. delete

          8. deletecollection

        2. ✅ Select All : Conducts auditing for all API calls.

      3. Pod Session Recording : Enables recording for sessions opened by Pod exec commands within this cluster. The default setting is On. This feature will be turned Off unless the following conditions are met:

        1. Request Audit is enabled (On).

        2. The following verbs are selected in Request Audit Types:

          1. create

          2. get

    4. Tags
      You can manually input tags for individual clusters if needed. For clusters synchronized via a Cloud Provider, tags imported from the platform will also be displayed. (Note that tags imported through synchronization cannot be deleted or modified.)

      image-20240721-055210.png
      1. Click the + Add Tag button to add a new row and enter the desired tag values.

      2. Tags should be entered in a key-value format.

        1. Key : Enter a key value that distinguishes the tag, up to 512 characters.

          1. The key is mandatory, and duplicate keys cannot be entered.

          2. Duplicates are checked case-sensitively.

        2. Value : Enter a value, up to 256 characters, to be used for filtering.

  4. After completing these steps, click the Save button to successfully register the cluster.

Kubernetes Cluster Integration Script Guide

image-20240511-033842.png

Sample of Script Execution (Note: The token values shown above are not valid examples.)

  • The administrator must have prior access to the target Kubernetes cluster.

  • The administrator can navigate to Administrator > Kubernetes > Connection Management > Clusters > Create Cluster > Credential, and click on the "download and run this script" link within the guidance box to download the script.

generate_kubepie_sa.sh script contents
CODE
#!/bin/bash

set -o nounset -o errexit -o pipefail

RESOURCE_PREFIX=querypie
NAMESPACE=querypie

SERVICE_ACCOUNT_NAME=${RESOURCE_PREFIX}-sa
CLUSTER_ROLE_NAME=${RESOURCE_PREFIX}-role
CLUSTER_ROLE_BINDING_NAME=${RESOURCE_PREFIX}-crb
SERVICE_ACCOUNT_SECRET_NAME=${SERVICE_ACCOUNT_NAME}-secret

# Create the namespace, the service account that QueryPie Proxy authenticates as,
# and a ClusterRole that grants it only the impersonate verb on users, groups and
# service accounts, so the proxy can issue API calls on behalf of QueryPie users.
echo "Creating the QueryPie service account and granting permissions"
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SERVICE_ACCOUNT_NAME}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${CLUSTER_ROLE_NAME}
rules:
- apiGroups:
  - ""
  resources:
  - users
  - groups
  - serviceaccounts
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${CLUSTER_ROLE_BINDING_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${CLUSTER_ROLE_NAME}
subjects:
- kind: ServiceAccount
  name: ${SERVICE_ACCOUNT_NAME}
  namespace: ${NAMESPACE}
EOF

# Kubernetes 1.24+ no longer auto-generates a token secret for a service account,
# so create a long-lived service-account-token secret if none is attached yet.
SA_SECRET_NAME=$(kubectl get -n "${NAMESPACE}" "sa/${SERVICE_ACCOUNT_NAME}" -o "jsonpath={.secrets[0].name}")
if [ -z "${SA_SECRET_NAME}" ]; then
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${SERVICE_ACCOUNT_SECRET_NAME}
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: "${SERVICE_ACCOUNT_NAME}"
EOF
SA_SECRET_NAME=${SERVICE_ACCOUNT_SECRET_NAME}
fi

# GNU and musl coreutils decode with -d, macOS base64 with -D.
case "${OSTYPE}" in
    linux-gnu*|linux-musl*) BASE64_DECODE_FLAG="-d" ;;
    darwin*)                BASE64_DECODE_FLAG="-D" ;;
    *)
        echo "Unknown OS ${OSTYPE}"
        exit 1
        ;;
esac

# The token controller fills in a newly created secret asynchronously; poll until
# the token field is present instead of reading an empty value straight away.
TOKEN_B64=""
for _ in $(seq 1 30); do
    TOKEN_B64=$(kubectl get -n "${NAMESPACE}" "secrets/${SA_SECRET_NAME}" -o "jsonpath={.data['token']}")
    [ -n "${TOKEN_B64}" ] && break
    sleep 1
done
if [ -z "${TOKEN_B64}" ]; then
    echo "Token for secret ${SA_SECRET_NAME} was not populated within 30s" >&2
    exit 1
fi

SA_TOKEN=$(printf '%s' "${TOKEN_B64}" | base64 ${BASE64_DECODE_FLAG})
CA_CERT=$(kubectl get -n "${NAMESPACE}" "secrets/${SA_SECRET_NAME}" -o "jsonpath={.data['ca\.crt']}" | base64 ${BASE64_DECODE_FLAG})

echo "
Finished successfully.
Please copy the token and CA cert below and paste them into the credential input box on the QueryPie Clusters page.

>>> Service Account token
${SA_TOKEN}

--------------

>>> CA Cert
${CA_CERT}"
  • After downloading the script, navigate to the downloaded directory and execute the following commands to grant execution permissions and run it:

    CODE
    chmod +x generate_kubepie_sa.sh
    ./generate_kubepie_sa.sh
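Before pasting the printed token into the Credential form, it is worth confirming that it is bound to querypie-sa in the querypie namespace. The following is an added check, not part of the QueryPie script: it decodes the token's claims offline (signature verification stays with the API server) and reports whether the token carries an expiry; the function names are mine and the sample token is constructed, not a real credential.

```shell
# Added check, not part of the QueryPie script: decode the claims of the token
# printed by generate_kubepie_sa.sh and confirm it belongs to the expected
# service account. Signature verification is left to the API server.
set -eu

# base64url -> text: restore padding, pick the GNU (-d) or macOS (-D) flag.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  case "${OSTYPE:-}" in darwin*) f=-D ;; *) f=-d ;; esac
  printf '%s' "$s" | base64 "$f"
}

# The JSON payload is the second dot-separated segment of a JWT.
jwt_payload() {
  p=${1#*.}                 # drop the header
  b64url_decode "${p%%.*}"  # drop the signature
}

# Pull one string claim out of the compact JSON an SA token carries (no jq).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Succeeds only if the subject is system:serviceaccount:<ns>:<sa>, and reports
# whether the token expires (the secret-based token the script creates does not).
check_sa_token() {
  expected="system:serviceaccount:$2:$3"
  sub=$(jwt_claim "$1" sub)
  if [ "$sub" != "$expected" ]; then
    echo "subject mismatch: got '$sub', expected '$expected'" >&2
    return 1
  fi
  if jwt_payload "$1" | grep -q '"exp"'; then
    echo "ok: $sub (token has an expiry)"
  else
    echo "ok: $sub (legacy secret token, never expires)"
  fi
}

# Constructed, unsigned sample shaped like a secret-based SA token
# (header.payload.signature) so the checks above can run offline.
make_sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","kid":"sample"}' | base64 | tr -d '\n=' | tr '/+' '_-')
  pl=$(printf '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:%s:%s"}' \
       "$1" "$2" | base64 | tr -d '\n=' | tr '/+' '_-')
  printf '%s.%s.%s\n' "$hdr" "$pl" "not-a-real-signature"
}
# Replace the sample with the token the script printed.
check_sa_token "$(make_sample_token querypie querypie-sa)" querypie querypie-sa
```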