| Parameter Group | Parameter | Description | Option |
| --- | --- | --- | --- |
| Basic settings | Cluster name | Enter the name of the external cluster (up to 64 characters). | - |
| | Cluster environment | Select the type of the external cluster. | Kubernetes or OpenShift |
| | Cluster version | Select the version of the external cluster. | 1.13 or later for Kubernetes clusters |
| Networking | Network type | Select whether the external cluster is reached over the public network or through a VPC. | Public network or VPC |
| | Region | Select the region of the external cluster. The region is not restricted when the network type is public network. | - |
| | VPC ID | Select the VPC of the cluster. Only shown when the network type is VPC. | - |
| | API server address | Select the backend service type behind which the cluster API server is exposed. Only shown when the network type is VPC. | Server or load balancer |
| Scanner | Scanner installation | Select automatic or manual installation of the scanner. | Automatic: the scanner is installed and a security check is run after the connection. Manual: deliver and install the component in the cluster yourself after the connection. |
| | Automatic check | Set whether to enable the automatic check feature for the cluster. | Enable or Disable |
```yaml
# 1. Create the `tcss` namespace
# 2. Create the `tcss-admin` admin role under the `tcss` namespace
# 3. Bind the `tcss-admin` role to the `tcss` user
# 4. Create the `tcss-agent-secret` token secret and bind it to the `tcss-agent` service account
# 5. Create the `security-clusterrole` read-only cluster role
# 6. Bind the `security-clusterrole` role to the `tcss-agent` service account and to the `tcss` user
---
apiVersion: v1
kind: Namespace
metadata:
  name: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tcss
  name: tcss-admin
rules:
# Full control over every resource (secrets and pod subresources included) in the
# core, apps and extensions groups, but only inside the tcss namespace: a Role
# bound by a RoleBinding never reaches other namespaces or cluster-scoped objects.
- apiGroups: ["extensions", "apps", ""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcss-admin-rb
  namespace: tcss
subjects:
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tcss-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: tcss-agent-secret
  namespace: tcss
  annotations:
    kubernetes.io/service-account.name: tcss-agent
# The token controller fills this Secret with a long-lived, non-expiring service
# account token. Creating it explicitly is required on Kubernetes 1.24 and later,
# where service accounts no longer get a token Secret automatically.
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcss-agent
  namespace: tcss
secrets:
- name: tcss-agent-secret
  namespace: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-clusterrole
rules:
# "" is the core API group; "v1" is a version, not a group name, so that entry matches nothing.
- apiGroups: ["", "v1"]
  resources: ["namespaces", "pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: security-clusterrole
subjects:
- kind: ServiceAccount
  name: tcss-agent
  namespace: tcss
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
```
```bash
# Create the `tcss.key` private key for the `tcss` user
openssl genrsa -out tcss.key 2048
# Create the `tcss.csr` certificate signing request
# (the CN becomes the Kubernetes user name, the O becomes its group)
openssl req -new -key tcss.key -out tcss.csr -subj "/O=K8s/CN=tcss"
# Sign the request with the cluster CA and generate `tcss.crt`.
# Kubernetes does not check revocation lists for client certificates, so a certificate
# signed here stays valid until it expires; keep the validity period as short as practical.
openssl x509 -req -in tcss.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tcss.crt -days 365
```
```bash
# Create and set the cluster configuration. Here, the API server address must be a public network address that is accessible.
kubectl config set-cluster tcss --server=https://xx.xx.xx.xx:60002 --certificate-authority=/etc/kubernetes/ca.crt --embed-certs=true --kubeconfig=/root/tcss.conf
# Create and set the user configuration (the client key is embedded, so treat the file as a credential)
kubectl config set-credentials tcss --client-certificate=tcss.crt --client-key=tcss.key --embed-certs=true --kubeconfig=/root/tcss.conf
# Set the `context` configuration
kubectl config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig=/root/tcss.conf
# Switch the `context` configuration
kubectl config use-context tcss@tcss --kubeconfig=/root/tcss.conf
```
```bash
KUBECONFIG=/root/tcss.conf kubectl -n tcss get pod
```
/root/tcss.conf
```bash
#!/bin/bash
set -e

# You need to set `API_SERVER` to the publicly accessible address and port of the API server.
# API_SERVER=https://xx.xx.xx.xx:xxxx

# Set the following paths as needed
KUBECONFIG_TARGET=/root/tcss.conf
CA_FILE=/etc/kubernetes/ca.crt
CAKEY_FILE=/etc/kubernetes/ca.key
TCSS_TMPDIR=/tmp/tcss
# In the OpenShift environment, replace it with `oc`
KUBECTL_CMD=kubectl

if [ -z "$API_SERVER" ]; then
  echo "API_SERVER is not set."
  exit 1
fi
if ! which "$KUBECTL_CMD"; then
  echo "$KUBECTL_CMD does not exist."
  exit 1
fi
if [ ! -f "$CA_FILE" ]; then
  echo "$CA_FILE does not exist."
  exit 1
fi
if [ ! -f "$CAKEY_FILE" ]; then
  echo "$CAKEY_FILE does not exist."
  exit 1
fi
if [ ! -d "$TCSS_TMPDIR" ]; then
  mkdir -p "$TCSS_TMPDIR"
fi

cat <<EOF > "$TCSS_TMPDIR/tcss_res.yaml"
---
apiVersion: v1
kind: Namespace
metadata:
  name: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tcss
  name: tcss-admin
rules:
- apiGroups: ["extensions", "apps", ""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcss-admin-rb
  namespace: tcss
subjects:
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tcss-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: tcss-agent-secret
  namespace: tcss
  annotations:
    kubernetes.io/service-account.name: tcss-agent
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcss-agent
  namespace: tcss
secrets:
- name: tcss-agent-secret
  namespace: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-clusterrole
rules:
- apiGroups: ["", "v1"]
  resources: ["namespaces", "pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: security-clusterrole
subjects:
- kind: ServiceAccount
  name: tcss-agent
  namespace: tcss
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
EOF
# echo "generate tcss resource file ($TCSS_TMPDIR/tcss_res.yaml) success."
$KUBECTL_CMD apply -f "$TCSS_TMPDIR/tcss_res.yaml"

# Create the `tcss.key` private key for the `tcss` user
openssl genrsa -out "$TCSS_TMPDIR/tcss.key" 2048
# Create the `tcss.csr` certificate signing request
openssl req -new -key "$TCSS_TMPDIR/tcss.key" -out "$TCSS_TMPDIR/tcss.csr" -subj "/O=K8s/CN=tcss"
# Sign the certificate with the cluster CA and generate `tcss.crt`
openssl x509 -req -in "$TCSS_TMPDIR/tcss.csr" -CA "$CA_FILE" -CAkey "$CAKEY_FILE" -CAcreateserial -out "$TCSS_TMPDIR/tcss.crt" -days 365

# Create and set the cluster configuration
$KUBECTL_CMD config set-cluster tcss --server="$API_SERVER" --certificate-authority="$CA_FILE" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Create and set the user configuration
$KUBECTL_CMD config set-credentials tcss --client-certificate="$TCSS_TMPDIR/tcss.crt" --client-key="$TCSS_TMPDIR/tcss.key" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Set the `context` configuration
$KUBECTL_CMD config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig="$KUBECONFIG_TARGET"
# Switch the `context` configuration
$KUBECTL_CMD config use-context tcss@tcss --kubeconfig="$KUBECONFIG_TARGET"
echo "generate KUBECONFIG file success. $KUBECONFIG_TARGET"
```
For OpenShift, apply the same manifest and generate the same `tcss.key`/`tcss.crt` client certificate as shown for Kubernetes above; only the kubeconfig steps differ, using `oc` instead of `kubectl`:
```bash
# Create and set the cluster configuration. Here, the master server address must be a public network address that is accessible.
KUBECONFIG=/root/tcss.conf oc config set-cluster tcss --server=https://xx.xx.xx.xx:60002 --certificate-authority=/etc/origin/master/ca.crt --embed-certs=true --kubeconfig=/root/tcss.conf
# Create and set the user configuration
KUBECONFIG=/root/tcss.conf oc config set-credentials tcss --client-certificate=tcss.crt --client-key=tcss.key --embed-certs=true --kubeconfig=/root/tcss.conf
# Set the `context` configuration
KUBECONFIG=/root/tcss.conf oc config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig=/root/tcss.conf
# Switch the `context` configuration
KUBECONFIG=/root/tcss.conf oc config use-context tcss@tcss --kubeconfig=/root/tcss.conf
```
```bash
KUBECONFIG=/root/tcss.conf oc -n tcss get pod
```
/root/tcss.conf
```bash
#!/bin/bash
set -e

# You need to set `API_SERVER` to the publicly accessible address and port of the API server.
# API_SERVER=https://xx.xx.xx.xx:xxxx

# Set the following paths as needed (on OpenShift 3.x the master CA is typically
# /etc/origin/master/ca.crt and ca.key, as in the manual steps above)
KUBECONFIG_TARGET=/root/tcss.conf
CA_FILE=/etc/kubernetes/ca.crt
CAKEY_FILE=/etc/kubernetes/ca.key
TCSS_TMPDIR=/tmp/tcss
KUBECTL_CMD=oc

if [ -z "$API_SERVER" ]; then
  echo "API_SERVER is not set."
  exit 1
fi
if ! which "$KUBECTL_CMD"; then
  echo "$KUBECTL_CMD does not exist."
  exit 1
fi
if [ ! -f "$CA_FILE" ]; then
  echo "$CA_FILE does not exist."
  exit 1
fi
if [ ! -f "$CAKEY_FILE" ]; then
  echo "$CAKEY_FILE does not exist."
  exit 1
fi
if [ ! -d "$TCSS_TMPDIR" ]; then
  mkdir -p "$TCSS_TMPDIR"
fi

cat <<EOF > "$TCSS_TMPDIR/tcss_res.yaml"
---
apiVersion: v1
kind: Namespace
metadata:
  name: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tcss
  name: tcss-admin
rules:
- apiGroups: ["extensions", "apps", ""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcss-admin-rb
  namespace: tcss
subjects:
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tcss-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: tcss-agent-secret
  namespace: tcss
  annotations:
    kubernetes.io/service-account.name: tcss-agent
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcss-agent
  namespace: tcss
secrets:
- name: tcss-agent-secret
  namespace: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-clusterrole
rules:
- apiGroups: ["", "v1"]
  resources: ["namespaces", "pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: security-clusterrole
subjects:
- kind: ServiceAccount
  name: tcss-agent
  namespace: tcss
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
EOF
# echo "generate tcss resource file ($TCSS_TMPDIR/tcss_res.yaml) success."
$KUBECTL_CMD apply -f "$TCSS_TMPDIR/tcss_res.yaml"

# The SCC grants below let the tcss-agent service account and the tcss user run
# privileged pods with host access. They go well beyond the read-only ClusterRole
# in the manifest, so review them before running this against a production cluster.
$KUBECTL_CMD adm policy add-scc-to-user privileged -n tcss -z tcss-agent
$KUBECTL_CMD adm policy add-scc-to-user hostaccess -n tcss -z tcss-agent
$KUBECTL_CMD adm policy add-scc-to-user privileged tcss
$KUBECTL_CMD adm policy add-scc-to-user hostaccess tcss
# cluster-reader is OpenShift's built-in read-only cluster role
$KUBECTL_CMD adm policy add-cluster-role-to-user cluster-reader tcss

# Create the `tcss.key` private key for the `tcss` user
openssl genrsa -out "$TCSS_TMPDIR/tcss.key" 2048
# Create the `tcss.csr` certificate signing request
openssl req -new -key "$TCSS_TMPDIR/tcss.key" -out "$TCSS_TMPDIR/tcss.csr" -subj "/O=K8s/CN=tcss"
# Sign the certificate with the cluster CA and generate `tcss.crt`
openssl x509 -req -in "$TCSS_TMPDIR/tcss.csr" -CA "$CA_FILE" -CAkey "$CAKEY_FILE" -CAcreateserial -out "$TCSS_TMPDIR/tcss.crt" -days 365

# Create and set the cluster configuration
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config set-cluster tcss --server="$API_SERVER" --certificate-authority="$CA_FILE" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Create and set the user configuration
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config set-credentials tcss --client-certificate="$TCSS_TMPDIR/tcss.crt" --client-key="$TCSS_TMPDIR/tcss.key" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Set the `context` configuration
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig="$KUBECONFIG_TARGET"
# Switch the `context` configuration
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config use-context tcss@tcss --kubeconfig="$KUBECONFIG_TARGET"
echo "generate KUBECONFIG file success. $KUBECONFIG_TARGET"
```