ManageIQ Kubernetes Container Provider

Deploying Kubernetes locally with hack/local-up-cluster.sh

Clone the core kubernetes repo:

mkdir -p ${GOPATH}/src/k8s.io/
cd ${GOPATH}/src/k8s.io/
git clone https://github.com/kubernetes/kubernetes/

Build binaries & launch a single node cluster running on localhost, with privileged containers enabled (required for running SSA scans):

cd kubernetes
sudo env ALLOW_PRIVILEGED=true hack/local-up-cluster.sh

Note, to skip re-building binaries in the future, run like so:

sudo env ALLOW_PRIVILEGED=true hack/local-up-cluster.sh -o _output/bin/

Deploying Kubernetes Manually

When deploying Kubernetes manually, there are a few extra steps necessary to get it working with ManageIQ.

Based on instructions for deploying Kubernetes manually from here: https://kubernetes.io/docs/getting-started-guides/fedora/flannel_multi_node_cluster/

Ensure the following conditions are met:

  1. In /etc/kubernetes/kubelet, ensure KUBELET_ARGS contains --allow-privileged
  2. On the master node, generate a default serviceaccount key with openssl genrsa -out /tmp/serviceaccount.key 2048
  3. In /etc/kubernetes/apiserver, ensure KUBE_API_ARGS contains --service_account_key_file=/tmp/serviceaccount.key (or the correct path to your default serviceaccount key).
  4. In /etc/kubernetes/apiserver, ensure KUBE_API_ARGS contains --allow-privileged

Prepare cluster for use with ManageIQ:

  1. Create management-infra namespace:
     kubectl create ns management-infra
    
  2. Create required serviceaccounts:
     kubectl create sa -n management-infra management-admin   
     kubectl create sa -n management-infra inspector-admin   
    
  3. Grant cluster-reader cluster role to management-admin SA:
     kubectl create clusterrolebinding management-infra-cluster-reader --clusterrole=cluster-reader --user=system:serviceaccount:management-infra:management-admin
    
  4. Retrieve the serviceaccount token for management-admin (this will be the auth token ManageIQ uses):
     kubectl describe secret -n management-infra $(kubectl get secrets -n management-infra | grep management-admin | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t'
    

The local kubernetes cluster should now be ready for use with ManageIQ (simply use localhost as the hostname and the management-admin token to authenticate).