You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/manual/plugins/kubernetes-plugins-overview.md
+56-8Lines changed: 56 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,20 +9,18 @@ Runbook Automation integrates with Kubernetes through a variety of plugins. By i
9
9
This document covers the plugins available in the commercial Runbook Automation products. For a list of Kubernetes plugins available for Rundeck Community (open-source), see documentation for the [**Open Source Kubernetes plugins**](/manual/plugins/kubernetes-open-source.md).
10
10
:::
11
11
12
-
## Kubernetes Plugins in Runbook Automation
12
+
## Adding Clusters & Authenticating with Kubernetes API
13
+
There are multiple methods for adding Kubernetes clusters to Runbook Automation:
13
14
14
-
### Cluster Discovery & Authentication Options
15
-
There are multiple methods for adding Kubernetes clusters to Runbook Automation and authenticating with the Kubernetes API:
16
-
17
-
1.[**Pod-based Service Account**](#pod-based-service-account): Install a Runner in each cluster (or namespace), and target the Runner as the cluster or particular namespace. The Runner uses the Service Account of the pod that it is hosted in to authenticate with the Kubernetes API.
15
+
1.[**Runners with Pod-based Service Account**](#runners-with-pod-based-service-account): Install a Runner in each cluster (or namespace), and target the Runner as the cluster or particular namespace. The Runner uses the Service Account of the pod that it is hosted in to authenticate with the Kubernetes API.
18
16
2.[**Cloud Provider Integration**](#cloud-provider-integration): Use the cloud provider's API to dynamically retrieve all clusters and add them as nodes to the inventory. The cloud provider's API can also optionally be used to retrieve the necessary Kubernetes authentication to communicate with the clusters.
19
17
3.[**Manual Authentication Configuration**](#manual-authentication-configuration): Clusters are added to the inventory either manually or through method 1 or 2. The Kubernetes API Token or Kube Config file is manually added to Key Storage and configured as node-attributes.
20
18
21
19
:::tip Prerequisite Configuration
22
20
Note that all of these methods require the use of the **Automatic** mode for the Project's use of Runners. See [this documentation](/administration/runner/runner-management/project-dispatch-configuration.md) to confirm that your project is configured correctly.
23
21
:::
24
22
25
-
### Pod-based Service Account
23
+
### Runners with Pod-based Service Account
26
24
27
25
With this method, clusters are added to the inventory by installing a Runner in the cluster and adding the Runner as a node to the inventory. The Runner uses the Service Account of the pod that it is hosted in to authenticate with the Kubernetes API.
28
26
@@ -109,8 +107,58 @@ Note that a Runner does _not_ need to be installed to configure these Node Sourc
109
107
110
108
#### Cloud Provider for Kubernetes Authentication
111
109
112
-
The Cloud Provider Integration method can also be used to retrieve the necessary Kubernetes authentication to communicate with the clusters.
113
-
This is useful when there are multiple clusters and you wish to have a single Runner that can communicate with all of them.
110
+
Runbook Automation can use its integration with the public cloud providers to retrieve credentials to authenticate with the Kubernetes clusters.
111
+
112
+
This method of authentication is useful when:
113
+
1. Installing a Runner inside the clusters is not an option
114
+
2. There are numerous clusters and it is preferred to have a one-to-many relationship between the Runner and the clusters
115
+
116
+
With this approach, a single Runner is installed in either a VM or a container that has a path to communicate with the clusters. The Runner uses the cloud provider's API to retrieve the necessary Kubernetes authentication to communicate with the clusters:
117
+
118
+
119
+
120
+
##### AWS EKS Authentication
121
+
122
+
To authenticate with EKS clusters using the AWS APIs:
123
+
124
+
1. Install a Runner in an EC2 instance or a container that has access to the EKS clusters.<br>
125
+
126
+
2. Assign permissions to the IAM role of this EC2 or container to allow the Runner to retrieve the necessary EKS cluster credentials:
127
+
- **`eks:DescribeCluster`**
128
+
3. Add the **EKS API** as an authentication mode and the IAM Role of the Runner's host (EC2 or container) to the target clusters:
129
+
130
+
:::info Repeat for each target cluster
131
+
This process must be repeated for each target cluster so that the Runner can authenticate with each cluster.
132
+
:::
133
+
:::tabs
134
+
@tab AWS Console
135
+
1. Navigate to the **EKS Console**.
136
+
2. Select the target cluster and click on the **Access** tab and click **Manage Access**.
137
+
138
+
3. Select either **EKS API** or **EKS API and ConfigMap**.
139
+
4. Click **Save Changes**.
140
+
5. Now in the **IAM access entries** section, click on **Create access entry**:
3. Create an access entry for the IAM Role of the Runner's host (EC2 or container). Here is an example command, but additional examples can be found in the [official AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/creating-access-entries.html):
154
+
```
155
+
aws eks create-access-entry --cluster-name my-cluster --principal-arn arn:aws:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1 --type STANDARD
156
+
```
157
+
:::tabs
158
+
159
+
##### Azure AKS Authentication
160
+
161
+
##### Google Cloud GKE Authentication
114
162
115
163
Follow the instructions in the **Node Source Plugins** linked in the prior sections to use the Cloud Provider Integration method.
0 commit comments