Both the Kubernetes credentials and Docker Registry accounts must exist before Halyard will allow you to add a Kubernetes account. The sections below will help you create these resources if you do not already have them.
You need to have a running Kubernetes cluster with corresponding credentials in a kubeconfig file.
If you do have a running cluster and credentials, you can verify that your credentials work by using kubectl to run the following command:
kubectl get namespaces
If you do not have a Kubernetes cluster, you could try one of the following hosted solutions:
Or, you can read more on the Kubernetes setup page to pick a solution that works for you.
Kubernetes Role (RBAC)
If you are using Kubernetes RBAC for access control, you may want to create a minimal Role and Service Account for Spinnaker. This will ensure that Spinnaker has only the permissions it needs to operate within your cluster.
The following YAML can be used to create the correct ClusterRole, ClusterRoleBinding, and ServiceAccount. If you are limiting Spinnaker to an explicit list of namespaces (using the namespaces option), you will need to use RoleBinding instead of ClusterRoleBinding and create one in each namespace Spinnaker will manage. You can read about the difference
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spinnaker-role
rules:
# Read-only access to core resources; pod logs are the pods/log subresource
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "events", "replicationcontrollers", "serviceaccounts", "pods/log"]
  verbs: ["get", "list"]
# Full access to the core resources Spinnaker deploys and manages
- apiGroups: [""]
  resources: ["pods", "services", "secrets"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "get"]
- apiGroups: ["apps"]
  resources: ["controllerrevisions", "statefulsets"]
  verbs: ["list"]
# Workload resources live in the extensions and apps API groups
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "ingresses", "daemonsets"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spinnaker-role
subjects:
- namespace: default
  kind: ServiceAccount
  name: spinnaker-service-account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: default
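The per-namespace variant described above, as an added example (not taken from the Spinnaker documentation): a shell function that renders one RoleBinding per managed namespace, each bound to the spinnaker-role ClusterRole and the spinnaker-service-account named in the YAML above. The function name render_rolebindings and the namespace names staging and prod are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: render one RoleBinding per namespace Spinnaker will manage.
# A RoleBinding that references a ClusterRole grants that role's permissions
# only inside the RoleBinding's own namespace.
# Usage (namespace names are constructed):
#   render_rolebindings staging prod | kubectl apply -f -

render_rolebindings() (
    LC_ALL=C  # byte-wise character ranges for the validation patterns below

    # Validate every name first so nothing is emitted if any name is bad.
    for ns in "$@"; do
        # Accept only DNS-1123 labels: a name containing spaces, colons or
        # newlines could otherwise inject extra YAML into the manifest.
        case "$ns" in
            ''|-*|*-|*[!a-z0-9-]*)
                echo "invalid namespace name: $ns" >&2
                exit 1 ;;
        esac
        if [ "${#ns}" -gt 63 ]; then
            echo "namespace name too long: $ns" >&2
            exit 1
        fi
    done

    for ns in "$@"; do
        cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-role-binding
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spinnaker-role
subjects:
- namespace: default
  kind: ServiceAccount
  name: spinnaker-service-account
EOF
    done
)
```

Apply the rendered output in place of the ClusterRoleBinding, so the service account holds no cluster-wide binding.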
Follow the steps under the Docker Registry provider to add any registries containing images you want to deploy. If you have already done so, you can verify that these accounts exist by running:
hal config provider docker-registry account list
Adding an Account
First, make sure that the provider is enabled:
hal config provider kubernetes enable
Now, assuming you have a Docker Registry account named my-docker-registry, run the following hal command to add an account named my-k8s-account to your list of Kubernetes accounts:
hal config provider kubernetes account add my-k8s-account \
    --docker-registries my-docker-registry
Advanced Account Settings
If you are looking for more configurability, please see the other options listed in the Halyard Reference.