This is a work in progress. Do not publish it publicly yet.
In order to complete the onboarding process, you will need to execute a script on your machine. This script requires:
cluster-admin access to the Kubernetes cluster
Python 3.7+
TODO: provide static link to script
The script is written in Python. It works with Python 3.7+ on macOS and Linux.
The script will:
create a service account for Data Theorem
create a security audit role with read-only access
bind the security audit role to the service account
generate a kubeconfig file containing a token that never expires
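Added example, not the onboarding script's own code: the objects the four steps above correspond to, expressed as Kubernetes manifests, together with a check that the audit role is genuinely read-only before anything is applied. The object names, the kube-system namespace, the resource list and the Secret-based token (the way a non-expiring service account token is obtained on Kubernetes 1.24 and later) are assumptions; the page does not state exactly what the script grants.

```python
"""Build the RBAC objects a read-only audit onboarding needs and audit the role
before applying it. Names, namespace and resource list are assumptions."""
import json

# The only verbs a role described as "read-only" should carry.
READ_ONLY_VERBS = {"get", "list", "watch"}


def service_account(name, namespace):
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace}}


def audit_cluster_role(name):
    """Read-only ClusterRole over workload, RBAC and network objects (assumed list)."""
    ro = sorted(READ_ONLY_VERBS)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [
            {"apiGroups": [""], "verbs": ro, "resources": [
                "namespaces", "nodes", "pods", "services", "serviceaccounts", "configmaps"]},
            {"apiGroups": ["apps"], "verbs": ro, "resources": [
                "deployments", "daemonsets", "statefulsets", "replicasets"]},
            {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": ro, "resources": [
                "roles", "rolebindings", "clusterroles", "clusterrolebindings"]},
            {"apiGroups": ["networking.k8s.io"], "verbs": ro, "resources": [
                "networkpolicies", "ingresses"]},
        ],
    }


def cluster_role_binding(name, role_name, sa_name, sa_namespace):
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
    }


def token_secret(name, sa_name, namespace):
    """Since Kubernetes 1.24 a non-expiring token only exists for an explicit Secret
    of this type; the token controller fills in its data.token field."""
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"kubernetes.io/service-account.name": sa_name}},
        "type": "kubernetes.io/service-account-token",
    }


def role_findings(cluster_role):
    """Return one finding per rule that is broader than read-only."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS   # a "*" verb lands here too
        if extra:
            findings.append(f"rule {i}: non-read verbs {sorted(extra)}")
        if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard resources or apiGroups")
        if "secrets" in rule.get("resources", []):
            findings.append(f"rule {i}: read access to secrets exposes their values")
    return findings


def onboarding_manifests(sa_name="datatheorem", namespace="kube-system",
                         role_name="datatheorem-security-audit"):
    """Assemble the four objects; refuse to emit a role that is not read-only."""
    role = audit_cluster_role(role_name)
    findings = role_findings(role)
    if findings:
        raise ValueError("audit role is not read-only: " + "; ".join(findings))
    return [service_account(sa_name, namespace), role,
            cluster_role_binding(role_name, role_name, sa_name, namespace),
            token_secret(f"{sa_name}-token", sa_name, namespace)]


if __name__ == "__main__":
    # kubectl reads JSON manifests:  python3 rbac_onboarding.py | kubectl apply -f -
    print(json.dumps({"apiVersion": "v1", "kind": "List",
                      "items": onboarding_manifests()}, indent=2))
```

The role check is the part worth keeping around: run role_findings against any ClusterRole you are asked to bind to an external party's service account, and treat a "get" on secrets as a write-equivalent grant, since it hands over every secret value in the cluster.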
The script calls
For an AWS (EKS) cluster, first retrieve the IAM role ARN of the Kubernetes cluster:
Go to the AWS Console
Go to EKS
On the left hand side, under Amazon EKS, click on Clusters
In the list of clusters, search for the cluster name you want to onboard and click on it
Then click on the Configuration tab
Finally, copy the Cluster IAM Role ARN
Then run the script as follows:
python3 datatheorem-k8s-onboarding.py -p aws -o <CONFIG_OUTPUT_PATH> --rolearn <ROLE_ARN>
For an Azure (AKS) cluster, the cluster must have RBAC enabled before it can be onboarded. You can verify this in the Azure portal:
Go to Kubernetes Services
Search for the name of the cluster you want to onboard and click on it
Under Settings, click on Cluster configuration
Role-based access control (RBAC) must be Enabled
Then run the script as follows:
python3 datatheorem-k8s-onboarding.py -p azure -o <CONFIG_OUTPUT_PATH>
For a GCP (GKE) cluster, the gcloud user that runs the script must have the Kubernetes Engine Admin role or higher. Then run the script as follows:
python3 datatheorem-k8s-onboarding.py -p gcp -o <CONFIG_OUTPUT_PATH>
For an on-premises cluster, run the script as follows:
python3 datatheorem-k8s-onboarding.py -p onprem -o <CONFIG_OUTPUT_PATH>
The script writes a kubeconfig file named kube-config-to-onboard.yaml to the output path you provided when you ran it.
Copy the content of the file into the Data Theorem onboarding step. This will allow us to connect to your Kubernetes cluster with read-only access and scan your cluster.
The content should look similar to this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC[...]
    server: https://ABCD.yl4.eu-west-3.eks.amazonaws.com
  name: arn:aws:eks:eu-west-3:123:cluster/test-to-delete
contexts:
- context:
    cluster: arn:aws:eks:eu-west-3:123:cluster/test-to-delete
    namespace: kube-system
    user: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
  name: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
current-context: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
kind: Config
preferences: {}
users:
- name: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1LTZ[...]
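Added example, not part of the Data Theorem script: assemble a kubeconfig with the layout shown above from a cluster endpoint, its CA bundle and a service account token, and check such a file before pasting it into the onboarding step. The naming scheme ("datatheorem-<namespace>-<cluster>") is taken from the sample; the cluster ARN, endpoint, CA and token below are constructed placeholders, and the unsigned demo token exists only so the checks have something to decode.

```python
"""Build a kubeconfig in the onboarding layout and audit one before sharing it.
All sample values are constructed placeholders."""
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT for this example only; real service account
    tokens are signed by the cluster."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode the JWT payload for inspection (no signature verification)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def build_kubeconfig(cluster_name, server, ca_pem, token, namespace="kube-system"):
    """One cluster, one context and one bearer-token user, named as in the sample."""
    user = f"datatheorem-{namespace}-{cluster_name}"
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": cluster_name, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(ca_pem.encode()).decode()}}],
        "contexts": [{"name": user, "context": {
            "cluster": cluster_name, "namespace": namespace, "user": user}}],
        "current-context": user,
        "users": [{"name": user, "user": {"token": token}}],
    }


def kubeconfig_findings(cfg: dict) -> list:
    """Empty list: the file is consistently wired, verifies the API server's TLS
    certificate, and authenticates with a non-expiring service account token only."""
    index = lambda key: {e.get("name"): e for e in cfg.get(key, [])}
    ctx = index("contexts").get(cfg.get("current-context"))
    if ctx is None:
        return ["current-context does not name a context"]
    findings = []
    cluster = index("clusters").get(ctx["context"].get("cluster"))
    if cluster is None:
        findings.append("context references an unknown cluster")
    else:
        c = cluster["cluster"]
        if not str(c.get("server", "")).startswith("https://"):
            findings.append("server is not an https endpoint")
        if c.get("insecure-skip-tls-verify"):
            findings.append("TLS verification is disabled")
        elif not c.get("certificate-authority-data"):
            findings.append("no CA bundle, so the API server cannot be authenticated")
    user = index("users").get(ctx["context"].get("user"))
    if user is None:
        findings.append("context references an unknown user")
    else:
        u = user["user"]
        for key in ("client-certificate-data", "client-key-data", "exec", "auth-provider"):
            if key in u:
                findings.append(f"user carries an unexpected credential: {key}")
        if not u.get("token"):
            findings.append("user has no bearer token")
        else:
            try:
                claims = token_claims(u["token"])
            except (ValueError, IndexError):
                findings.append("token is not a JWT")
            else:
                if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
                    findings.append("token subject is not a service account")
                if "exp" in claims:
                    findings.append("token expires; onboarding expects a Secret-based token")
    return findings


# Constructed sample mirroring the file shown above (placeholder values only).
CLUSTER = "arn:aws:eks:eu-west-3:123456789012:cluster/example"
SAMPLE = build_kubeconfig(
    CLUSTER, "https://EXAMPLE.yl4.eu-west-3.eks.amazonaws.com",
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    demo_token({"iss": "kubernetes/serviceaccount",
                "sub": "system:serviceaccount:kube-system:datatheorem"}))

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))   # JSON is valid YAML, so kubectl reads it as-is
    print("findings:", kubeconfig_findings(SAMPLE))
```

Because the token in this file never expires, the file itself is the credential: revoking access means deleting the token Secret (or the service account) in the cluster, which is why the check above flags any extra client certificate or exec plugin that would give the file a second, independent way in.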