Overview
This article describes the process for onboarding a Kubernetes cluster into Data Theorem.
Requirements
Admin access to the Kubernetes cluster.
Whitelisting Data Theorem's IP addresses so that the analyzer can reach the Kubernetes API (see Step 2).
Step 1: Generate the service account
In order to complete the onboarding process, you will need to execute a script on your machine to generate a new service account.
This service account will have read-only permissions and will allow Data Theorem to connect to the Kubernetes cluster API to analyze its configuration.
The script requires:
cluster-admin access to the Kubernetes cluster.
Python 3.7+.
The script will:
Create a service account for Data Theorem.
Add a security audit role (with read-only access).
Link the security audit role to the service account.
Generate a kube config file for the previously generated service account.
The script calls kubectl, which must be configured for the cluster you want to onboard (the current kubectl context is used).
Onboarding Kubernetes cluster on Amazon (EKS)
First, retrieve the IAM role ARN of the Kubernetes cluster:
Go to the AWS Console
Go to EKS
On the left hand side, click on Clusters, under Amazon EKS
In the list of clusters, search for the cluster name you want to onboard and click on it
Then click on the Configuration tab
Finally, copy the Cluster IAM Role ARN
Then run the script as follows:
python3 datatheorem-k8s-onboarding.py -p aws -o datatheorem_k8s_service_account.yaml --rolearn <ROLE_ARN>
Onboarding Kubernetes cluster on Azure (AKS)
In order to onboard the cluster, it must have RBAC enabled. You can verify this in the Azure portal:
Go to Kubernetes services
Search for the name of the cluster you want to onboard and click on it
Under Settings, click on Cluster configuration
Role-based access control (RBAC) must be Enabled
Then run the script as follows:
python3 datatheorem-k8s-onboarding.py -p azure -o datatheorem_k8s_service_account.yaml
Onboarding Kubernetes cluster on GCP (GKE)
The gcloud user that runs the script must have the Kubernetes Engine Admin role or higher.
Then run the script as follows:
python3 datatheorem-k8s-onboarding.py -p gcp -o datatheorem_k8s_service_account.yaml
Onboarding on-premise and other Kubernetes clusters
Run the script as follows:
python3 datatheorem-k8s-onboarding.py -p onprem -o datatheorem_k8s_service_account.yaml
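The following script ties Step 1 together for an EKS cluster and then checks that the generated kubeconfig really is read-only before it is uploaded. It is an added example, not part of Data Theorem's onboarding script: the cluster name, the lookup of the Cluster IAM Role ARN through the AWS CLI instead of the console, and the set of write verbs and resources probed with kubectl auth can-i are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Data Theorem's script): run the onboarding script for an EKS
# cluster, then verify that the generated service-account kubeconfig cannot write.
# Assumptions: the AWS CLI and kubectl are installed and pointed at the cluster,
# and the write verbs/resources probed below are a representative sample.
set -eu

OUT="datatheorem_k8s_service_account.yaml"   # output file name used on the page

# Probe a kubeconfig for write permissions with `kubectl auth can-i`.
# Returns 0 when every probe answers "no", 1 (and lists offenders) otherwise.
# `kubectl auth can-i` exits non-zero on "no", hence the `|| true`.
check_readonly() {
  kubeconfig="$1"; rc=0
  for verb in create update patch delete deletecollection escalate bind; do
    for res in pods deployments.apps secrets configmaps \
               clusterroles.rbac.authorization.k8s.io \
               clusterrolebindings.rbac.authorization.k8s.io; do
      answer=$(kubectl --kubeconfig "$kubeconfig" auth can-i "$verb" "$res" \
                 --all-namespaces 2>/dev/null || true)
      if [ "$answer" = "yes" ]; then
        echo "NOT read-only: $verb on $res is allowed" >&2
        rc=1
      fi
    done
  done
  return "$rc"
}

# Sanity check in the other direction: a read-only audit account should at
# least be able to list the resources the analyzer inspects.
check_can_read() {
  kubeconfig="$1"; rc=0
  for res in pods deployments.apps namespaces networkpolicies.networking.k8s.io; do
    answer=$(kubectl --kubeconfig "$kubeconfig" auth can-i list "$res" \
               --all-namespaces 2>/dev/null || true)
    if [ "$answer" != "yes" ]; then
      echo "cannot list $res; the analyzer will miss it" >&2
      rc=1
    fi
  done
  return "$rc"
}

onboard_eks() {
  cluster="$1"
  # Assumption: look the Cluster IAM Role ARN up with the AWS CLI rather than the console.
  role_arn=$(aws eks describe-cluster --name "$cluster" --query 'cluster.roleArn' --output text)
  python3 datatheorem-k8s-onboarding.py -p aws -o "$OUT" --rolearn "$role_arn"
  check_readonly "$OUT"
  check_can_read "$OUT"
  echo "$OUT is read-only; upload it in the ASM setup section."
}

if [ $# -gt 0 ]; then
  onboard_eks "$1"
else
  echo "usage: $0 <eks-cluster-name>" >&2
fi
```

Run it as `./onboard.sh my-cluster` from a shell whose kubectl context already points at the cluster. Both checks run with the generated kubeconfig, not with your admin context, so a "yes" from check_readonly means the audit role handed out to Data Theorem is broader than the page describes and should be fixed before the file is uploaded.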
Step 2: Whitelisting Data Theorem’s IP Addresses
Data Theorem's analyzer connects to the Kubernetes API from the following IP addresses, which must be allowed to reach the cluster endpoint:
34.123.118.75/32
35.188.170.247/32
34.123.250.193/32
You can refer to these guides for clusters managed by cloud providers:
https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#add
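As an added example (not from this page or from Data Theorem), the following script adds the three analyzer addresses to the API endpoint allowlist of an EKS or GKE cluster without dropping the CIDRs that are already there, which is the mistake both cloud CLIs make easy because their update commands replace the whole list. The merge helper and the refusal to proceed when 0.0.0.0/0 is already allowed are my additions; cluster names are passed on the command line, and gcloud is assumed to have a default zone or region configured.

```bash
#!/usr/bin/env bash
# Added example, not part of the Data Theorem docs: allowlist the analyzer IPs on
# the API endpoint of an EKS or GKE cluster while preserving existing CIDRs.
# Assumptions: aws/gcloud CLIs are installed and authenticated; cluster names are
# passed on the command line; gcloud has a default zone/region set.
set -eu

DT_CIDRS="34.123.118.75/32,35.188.170.247/32,34.123.250.193/32"   # from the page

# Union of two comma-separated CIDR lists: de-duplicated, sorted, comma-separated.
merge_cidrs() {
  printf '%s,%s\n' "$1" "$2" | tr ',' '\n' | sed '/^$/d' | sort -u | paste -sd, -
}

# Refuse to "allowlist" an endpoint that is already open to the world: adding
# three /32s next to 0.0.0.0/0 changes nothing and hides the real problem.
reject_open_world() {
  case ",$1," in
    *,0.0.0.0/0,*) echo "endpoint allows 0.0.0.0/0; remove it before allowlisting" >&2; return 1 ;;
  esac
  return 0
}

eks_allow_dt() {
  cluster="$1"
  # describe-cluster prints the current public-access CIDRs tab-separated on one line
  existing=$(aws eks describe-cluster --name "$cluster" \
    --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text | tr '\t' ',')
  merged=$(merge_cidrs "$existing" "$DT_CIDRS")
  reject_open_world "$merged"
  aws eks update-cluster-config --name "$cluster" \
    --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="$merged"
}

gke_allow_dt() {
  cluster="$1"
  # gcloud's value() format joins list entries with ';'
  existing=$(gcloud container clusters describe "$cluster" \
    --format='value(masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock)' | tr ';' ',')
  merged=$(merge_cidrs "$existing" "$DT_CIDRS")
  reject_open_world "$merged"
  gcloud container clusters update "$cluster" \
    --enable-master-authorized-networks --master-authorized-networks "$merged"
}

case "${1:-}" in
  eks) eks_allow_dt "$2" ;;
  gke) gke_allow_dt "$2" ;;
  *)   echo "usage: $0 eks|gke <cluster-name>" >&2 ;;
esac
```

Usage: `./allowlist.sh eks my-cluster` or `./allowlist.sh gke my-cluster`. On EKS the update is asynchronous; wait for the cluster status to return to ACTIVE before starting Step 3. Adding an IP to the allowlist does not grant any Kubernetes permissions: the analyzer still authenticates only with the read-only service account generated in Step 1.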
Step 3: Send the generated credentials to Data Theorem
To complete the onboarding process, upload the service account file to the Data Theorem portal in the ASM setup section: https://www.securetheorem.com/cloud/asm-setup.
Start the flow using “Add source” and then “Kubernetes cluster”.