@rssnyder
Last active February 22, 2024 14:38
create a k8s service account for use with a harness k8s connector

to get a connection into a k8s cluster without deploying a delegate, we need to create a service account with the correct permissions and generate a token for it.

first, we create the service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: harness
  namespace: default

next, we create a harness-ccm-visibility ClusterRole with exactly the permissions needed for CCM k8s visibility:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: harness-ccm-visibility
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - nodes/proxy
      - events
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
      - extensions
    resources:
      - statefulsets
      - deployments
      - daemonsets
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch

and we grant that role to our service account:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: harness-ccm-visibility-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: harness-ccm-visibility
subjects:
  - kind: ServiceAccount
    name: harness
    namespace: default

finally we need to generate a token for the service account:

apiVersion: v1
kind: Secret
metadata:
  name: harness
  namespace: default
  annotations:
    kubernetes.io/service-account.name: harness
type: kubernetes.io/service-account-token

then we can extract the secret:

kubectl get secret harness -o jsonpath='{.data.token}' | base64 -d

once you have the service account token, you just need the cluster URL for your cluster to create the kubernetes connector at the account level. you will need at least one delegate running in your account that can reach this URL.

once you have the kubernetes connector created, you can create a ccm kubernetes connector that references this kubernetes connector.
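Before binding a role like the one above, it is worth checking that it stays read-only and in scope. The following is an added example, not part of the gist: it audits a ClusterRole document of the shape `kubectl get clusterrole harness-ccm-visibility -o json` returns, flags write verbs, wildcards and access to secrets, and lists `nodes/proxy` for review because `get` on it relays requests through the API server to the kubelet. The sample role and the drifted variant are constructed inline; pipe real `kubectl` JSON on stdin to audit a live cluster.

```python
"""Audit a ClusterRole JSON document for read-only, least-privilege scope before binding it."""
import json
import sys

READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources a cost-visibility role has no reason to read.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token", "configmaps"}
# Read-only in name, but reaches past the API server: worth an explicit justification.
REVIEW_RESOURCES = {"nodes/proxy": "get on nodes/proxy relays requests to the kubelet API"}

def audit_clusterrole(role: dict) -> dict:
    """Return {'violations': [...], 'review': [...]}; empty violations means read-only and in scope."""
    violations, review = [], []
    for i, rule in enumerate(role.get("rules", [])):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            violations.append(f"rule {i}: wildcard grant is not least privilege")
            continue
        extra = verbs - READ_ONLY_VERBS
        if extra:
            violations.append(f"rule {i}: write verbs {sorted(extra)} on {sorted(resources)}")
        for res in sorted(resources & SENSITIVE_RESOURCES):
            violations.append(f"rule {i}: {res} is out of scope for visibility")
        for res in sorted(resources & set(REVIEW_RESOURCES)):
            review.append(f"rule {i}: {res}: {REVIEW_RESOURCES[res]}")
    return {"violations": violations, "review": review}

# The gist's harness-ccm-visibility role as kubectl would return it (constructed inline).
CCM_VISIBILITY_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "harness-ccm-visibility"},
    "rules": [
        {"apiGroups": [""], "verbs": ["get", "list", "watch"],
         "resources": ["pods", "nodes", "nodes/proxy", "events", "namespaces",
                       "persistentvolumes", "persistentvolumeclaims"]},
        {"apiGroups": ["apps", "extensions"], "verbs": ["get", "list", "watch"],
         "resources": ["statefulsets", "deployments", "daemonsets", "replicasets"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": ["get", "list"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list", "watch"]},
    ],
}
# A constructed drifted variant: a later edit widened the role to secrets and delete.
DRIFTED_ROLE = {"rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
                           "verbs": ["get", "list", "delete"]}]}

if __name__ == "__main__":
    result = audit_clusterrole(CCM_VISIBILITY_ROLE if sys.stdin.isatty() else json.load(sys.stdin))
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["violations"] else 0)
```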

apiVersion: v1
kind: ServiceAccount
metadata:
  name: harness
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: harness-ccm-visibility
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - nodes/proxy
      - events
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
      - extensions
    resources:
      - statefulsets
      - deployments
      - daemonsets
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: harness-ccm-visibility-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: harness-ccm-visibility
subjects:
  - kind: ServiceAccount
    name: harness
    namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: harness
  namespace: default
  annotations:
    kubernetes.io/service-account.name: harness
type: kubernetes.io/service-account-token