Kubernetes (legacy provider)
⚠️ Spinnaker’s legacy Kubernetes provider (V1) is scheduled for removal in Spinnaker 1.21. We recommend using the standard provider (V2) instead.
For the Kubernetes provider, a Spinnaker Account maps to a credential that can authenticate against your Kubernetes Cluster. It also includes a set of one or more Docker Registry accounts that are used as a source of images.
When setting up your Kubernetes provider account, you will use halyard to add the account and provide any Docker registries that you’ll use.
Prerequisites
You need a Kubernetes cluster and its credentials
You need a running Kubernetes cluster, with corresponding credentials in a kubeconfig file.
If you have these, and you have kubectl installed on the machine where you have your kubeconfig, you can verify the credentials work by running this command:
kubectl get namespaces
Note: Halyard on Docker comes with kubectl already installed. Halyard on Ubuntu does not.
If you don’t have a Kubernetes cluster, you can try one of these hosted solutions:
- See the note below on getting credentials in GKE.
Or pick a different solution that works for you.
Consult the documentation for your environment to find out how to get the kubeconfig that you must provide to Halyard.
If your cluster is running on GKE
The simplest way to get credentials is to use legacy authorization.
Enable Legacy authorization.
Configure gcloud to populate the kubeconfig with legacy credentials:
gcloud config set container/use_client_certificate true
And get your credentials.
gcloud container clusters get-credentials NAME --zone ZONE
However, you can also use RBAC and a service account.
You need a Docker registry
To use the Kubernetes (legacy) provider, you need a Docker registry as a source of images. To enable this, set up a Docker registry as another provider, and add any registries that contain images you want to deploy.
You can verify your Docker registry accounts using this command:
hal config provider docker-registry account list
When you add your Kubernetes provider account, you include your registry (or registries) in the command.
Optional: configure Kubernetes roles (RBAC)
If you use Kubernetes RBAC for access control, you may want to create a minimal Role and Service Account for Spinnaker. This ensures that Spinnaker has only the permissions it needs to operate within your cluster.
The following YAML creates the correct ClusterRole, ClusterRoleBinding, and ServiceAccount. If you’re limiting Spinnaker to an explicit list of namespaces (using the namespaces option), you need to use Role and RoleBinding instead of ClusterRole and ClusterRoleBinding, and create one in each namespace Spinnaker will manage. You can read about the difference between ClusterRole and Role here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spinnaker-role
rules:
# Read-only access to core resources; pod logs are the pods/log subresource.
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "events", "replicationcontrollers", "serviceaccounts", "pods/log"]
  verbs: ["get", "list"]
# Full access to pods, services and secrets, including port-forward and service proxy.
- apiGroups: [""]
  resources: ["pods", "pods/portforward", "services", "services/proxy", "secrets"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "get"]
- apiGroups: ["apps"]
  resources: ["controllerrevisions"]
  verbs: ["list"]
# Full access to the workload controllers Spinnaker deploys and scales.
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "deployments/scale", "ingresses", "replicasets", "statefulsets"]
  verbs: ["*"]
---
# Binds the role above to the Spinnaker service account, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spinnaker-role
subjects:
- namespace: default
  kind: ServiceAccount
  name: spinnaker-service-account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: default
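The paragraph above says a namespace-limited install needs a Role and RoleBinding in each namespace Spinnaker will manage. The script below is an added example, not part of the Spinnaker documentation: it prints that pair for every namespace named on the command line, reusing the rules of this page's ClusterRole (with the log subresource written as pods/log) and binding them to spinnaker-service-account in default. The helper name render_namespaced_rbac and the script layout are assumptions.

```shell
#!/bin/sh
# Added example: namespaced equivalent of the ClusterRole/ClusterRoleBinding on this page.
LC_ALL=C; export LC_ALL                                  # byte-wise [a-z] ranges below
SA_NAME=spinnaker-service-account SA_NAMESPACE=default   # ServiceAccount from this page
render_namespaced_rbac() {   # hypothetical helper; $1 = namespace Spinnaker will manage
  ns=$1
  # Accept only [a-z0-9-] with no leading/trailing dash, so input cannot inject YAML.
  case $ns in ''|-*|*-|*[!a-z0-9-]*) echo "invalid namespace: $ns" >&2; return 1 ;; esac
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spinnaker-role
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "events", "replicationcontrollers", "serviceaccounts", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods", "pods/portforward", "services", "services/proxy", "secrets"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "get"]
- apiGroups: ["apps"]
  resources: ["controllerrevisions"]
  verbs: ["list"]
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "deployments/scale", "ingresses", "replicasets", "statefulsets"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-role-binding
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spinnaker-role
subjects:
- kind: ServiceAccount
  name: $SA_NAME
  namespace: $SA_NAMESPACE
EOF
}
# One Role/RoleBinding pair per namespace given as an argument.
for ns in "$@"; do render_namespaced_rbac "$ns" || exit 1; done
```

Saved under a hypothetical name such as spinnaker-rbac.sh, the output of sh spinnaker-rbac.sh team-a team-b can be reviewed and then piped to kubectl apply -f - with credentials that are allowed to create RBAC objects.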
Add a Kubernetes account
Make sure that the provider is enabled:
hal config provider kubernetes enable
Assuming you have a Docker Registry account named my-docker-registry, run the following hal command to add that to your list of Kubernetes accounts:
hal config provider kubernetes account add my-k8s-account \
    --docker-registries my-docker-registry
Advanced account settings
If you are looking for more configurability, see the available options in the Halyard Reference.
Next steps
Optionally, you can set up another cloud provider, but otherwise you’re ready to choose the environment in which to install Spinnaker.
Last modified November 10, 2021: Extend Kubernetes role to cover statefulsets (#153) (f458978)