Multiple Clusters

Multiple clusters are supported by either passing a static list of API server URLs, using an existing kubeconfig file or pointing to a Cluster Registry HTTP endpoint.

Static List of API Server URLs

Set the CLUSTERS environment variable to a comma separated list of Kubernetes API server URLs.

These can either be unprotected localhost URLs or OAuth 2 protected API endpoints.

The needed OAuth credentials (Bearer access token) must be provided via a file ${CREDENTIALS_DIR}/read-only-token-secret.

Kubeconfig File

The kubeconfig file allows defining multiple cluster contexts with potential different authentication mechanisms.

Kubernetes Operational View will try to reach all defined contexts when given the --kubeconfig-path command line option (or KUBECONFIG_PATH environment variable).

Example:

Assuming ~/.kube/config as the following contents with two defined contexts:

apiVersion: v1
kind: Config
clusters:
- cluster: {server: 'https://kube.foo.example.org'}
  name: kube_foo_example_org
- cluster: {server: 'https://kube.bar.example.org'}
  name: kube_bar_example_org
contexts:
- context: {cluster: kube_foo_example_org, user: kube_foo_example_org}
  name: foo
- context: {cluster: kube_bar_example_org, user: kube_bar_example_org}
  name: bar
current-context: kube_foo_example_org
users:
- name: kube_foo_example_org
  user: {token: myfootoken123}
- name: kube_bar_example_org
  user: {token: mybartoken456}

Kubernetes Operational View would try to reach both endpoints with the respective token for authentication:

$ # note that we need to mount the local ~/.kube/config file into the Docker container
$ docker run -it --net=host -v ~/.kube:/kube hjacobs/kube-ops-view --kubeconfig-path=/kube/config

Note

You need to make sure that the Docker container has access to any required SSL certificate files. Minikube by default will use certificates in ~/.minikube. You can copy them to ~/.kube and make the paths in ~/.kube/config relative.

The following command should work out of the box with Minikube:

$ docker run -it --net=host -v ~/.kube:/kube -v ~/.minikube:$HOME/.minikube hjacobs/kube-ops-view --kubeconfig-path=/kube/config

You can select which clusters should be queried by specifying a list of kubeconfig contexts with the --kubeconfig-contexts option:

$ docker run -it --net=host -v ~/.kube:/kube hjacobs/kube-ops-view --kubeconfig-path=/kube/config --kubeconfig-contexts=bar

This would only query the Kubernetes cluster defined by the bar context.

Cluster Registry

Clusters can be dynamically discovered by providing one HTTP endpoint as the cluster registry. Set either the CLUSTER_REGISTRY_URL environment variable or the --cluster-registry-url option to an URL conforming to:

$ curl -H 'Authorization: Bearer mytoken' $CLUSTER_REGISTRY_URL/kubernetes-clusters
{
    "items": [
        {
            "id": "my-cluster-id",
            "api_server_url": "https://my-cluster.example.org"
        }
    ]
}

The cluster registry will be queried with an OAuth Bearer token, the token can be statically set via the OAUTH2_ACCESS_TOKENS environment variable. Example:

$ token=mysecrettoken
$ docker run -it -p 8080:8080 -e OAUTH2_ACCESS_TOKENS=read-only=$token hjacobs/kube-ops-view --cluster-registry-url=https://cluster-registry.example.org

Otherwise the needed OAuth credentials (Bearer access token) must be provided via a file ${CREDENTIALS_DIR}/read-only-token-secret. You can pass this file by mounting a secret like:

apiVersion: v1
kind: Secret
metadata:
  name: kube-ops-view-credentials
type: Opaque
data:
  read-only-token-type: Bearer
  read-only-token-secret: dXNlcjpwYXNzCg== # base64 encoded token

The deployment manifest to mount the above secret:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kube-ops-view
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kube-ops-view
    spec:
      containers:
      - name: kube-ops-view
        image: hjacobs/kube-ops-view:latest
        env:
        - name: CLUSTER_REGISTRY_URL
          value: "https://cluster-registry.example.org"
        - name: CREDENTIALS_DIR
          value: "/meta/credentials"
        ports:
        - containerPort: 8080
          protocol: TCP
        volumeMounts:
        - name: credentials
          mountPath: /meta/credentials
          readOnly: true
      volumes:
      - name: credentials
        secret:
          secretName: kube-ops-view-credentials