For the Kubernetes provider, a Spinnaker Account maps to a credential that can authenticate against your Kubernetes Cluster. It also includes a set of one or more Docker Registry accounts that are used as a source of images.
When setting up your Kubernetes provider account, you use Halyard to add the account and provide any Docker registries that you’ll use.
You need a Kubernetes cluster and its credentials
You need a running Kubernetes cluster, with corresponding credentials in a kubeconfig file.
If you have these, and you have kubectl installed on the machine where you have your kubeconfig, you can verify the credentials work by running this command:
kubectl get namespaces
Note: Halyard on Docker comes with kubectl already installed. Halyard on Ubuntu does not.
If you don’t have a Kubernetes cluster, you can try one of these hosted solutions:
See the note below on getting credentials in GKE.
Or pick a different solution that works for you.
Consult the documentation for your environment to find out how to get the kubeconfig that you must provide to Halyard.
If your cluster is running on GKE
The simplest way to get credentials is to use legacy authorization.
Enable Legacy authorization.
Configure gcloud to populate the kubeconfig with legacy credentials:
gcloud config set container/use_client_certificate true
And get your credentials.
gcloud container clusters get-credentials NAME --zone ZONE
You need a Docker registry
To use the Kubernetes (legacy) provider, you need a Docker registry as a source of images. To enable this, set up a Docker registry as another provider, and add any registries that contain images you want to deploy.
You can verify your Docker registry accounts using this command:
hal config provider docker-registry account list
When you add your Kubernetes provider account, you include your registry (or registries) in the command.
Optional: configure Kubernetes roles (RBAC)
If you use Kubernetes RBAC for access control, you may want to create a minimal Role and Service Account for Spinnaker. This ensures that Spinnaker has only the permissions it needs to operate within your cluster.
The following YAML creates the correct ClusterRole, ClusterRoleBinding, and ServiceAccount. If you’re limiting Spinnaker to an explicit list of namespaces (using the namespaces option), you need to use RoleBinding instead of ClusterRoleBinding, and create one in each namespace Spinnaker will manage. You can read about the difference
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spinnaker-role
rules:
# Read-only access to core resources ("pods/log" is the log subresource)
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "events", "replicationcontrollers", "serviceaccounts", "pods/log"]
  verbs: ["get", "list"]
# Full access to the core resources Spinnaker manages, including secrets
- apiGroups: [""]
  resources: ["pods", "pods/portforward", "services", "services/proxy", "secrets"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "get"]
- apiGroups: ["apps"]
  resources: ["controllerrevisions", "statefulsets"]
  verbs: ["list"]
# The API group is named "apps", not "app"
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "ingresses", "daemonsets"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spinnaker-role
subjects:
- namespace: default
  kind: ServiceAccount
  name: spinnaker-service-account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: default
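For the case described above, where Spinnaker is limited to an explicit list of namespaces, this added example (not part of the Spinnaker documentation) generates one RoleBinding per namespace for the same role and service account. The function name spinnaker_rolebindings, the sample namespaces staging and prod, and the reused binding name are assumptions.

```bash
# Added example, not from the Spinnaker docs. Prints one RoleBinding per
# namespace, granting the ClusterRole "spinnaker-role" to the ServiceAccount
# "spinnaker-service-account" in "default" (names taken from the YAML above).
# Assumption: the binding name "spinnaker-role-binding" is reused everywhere.
# The ( ) body runs in a subshell, so LC_ALL and exit stay inside the function.
spinnaker_rolebindings() (
  LC_ALL=C
  [ "$#" -gt 0 ] || { echo "usage: spinnaker_rolebindings NAMESPACE..." >&2; exit 2; }
  # Validate every name before printing anything, so a bad argument never
  # yields a partial manifest. Namespace names are DNS-1123 labels; rejecting
  # everything else also keeps stray YAML out of the generated output.
  for ns in "$@"; do
    case "$ns" in
      ''|-*|*-|*[!a-z0-9-]*) echo "invalid namespace: $ns" >&2; exit 1 ;;
    esac
    [ "${#ns}" -le 63 ] || { echo "namespace too long: $ns" >&2; exit 1; }
  done
  first=1
  for ns in "$@"; do
    [ "$first" -eq 1 ] || echo '---'
    first=0
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-role-binding
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spinnaker-role
subjects:
- namespace: default
  kind: ServiceAccount
  name: spinnaker-service-account
EOF
  done
)

# Apply:  spinnaker_rolebindings staging prod | kubectl apply -f -
# Check:  kubectl auth can-i list pods -n staging \
#           --as=system:serviceaccount:default:spinnaker-service-account
```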
Add a Kubernetes account
Make sure that the provider is enabled:
hal config provider kubernetes enable
Assuming you have a Docker Registry account named my-docker-registry, run the following hal command to add that to your list of Kubernetes accounts:
hal config provider kubernetes account add my-k8s-account \
    --docker-registries my-docker-registry
Advanced account settings
If you are looking for more configurability, see the available options in the Halyard Reference.