Skip to content

Kubernetes

Overview

The Tempest Kubernetes App integration can create an Application, which is a collection of Kubernetes components that will expose a container outside the cluster. Your existing supported Kubernetes resources can also be imported into Tempest for better management and visibility.

Authentication

Note: We are improving our Kubernetes integration with support for more authentication options, like private Kubernetes Clusters. Stay tuned for future updates!

Kubeconfig

The Kubernetes app supports accessing a Kubernetes cluster via kubeconfig, with the following prerequisites:

  1. The Cluster API must have a publicly accessible entrypoint. This is the case for most Google Cloud (GKE) and AWS (EKS) clusters.
  2. A dedicated service account must be created and a long-lived token attached to it.

Generating a kubeconfig for use with Tempest

  1. Create service account on the cluster. Copy the below into sa.yaml and apply with kubectl apply -f sa.yaml.
yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service_account_name>
  namespace: <your_namespace>
  1. Create a token for the service account. Copy the below into sa_token.yaml and apply with kubectl apply -f sa_token.yaml .
yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: <token_name>
  namespace: <your_namespace>
  annotations:
    kubernetes.io/service-account.name: <service_account_name>
  1. Bind the service account to a cluster role with enough permissions. Copy the below into crb.yaml and apply with kubectl apply -f crb.yaml .
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <service_account_name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: <service_account_name>
    namespace: <your_namespace>
  1. Grab the token value from the secret created earlier:
kubectl get secret <token_name> -o jsonpath='{.data.token}'
  1. Create a kubeconfig with the user and the token. This configuration may be unique to your cluster’s information. Any existing configs will normally be located in ${HOME}/.kube/config and can be copied and modified to use the new service account.
yaml
apiVersion: v1
clusters:
- cluster: {your_cluster_information}
  name: <your_cluster_name>
contexts:
- context:
    cluster: <your_cluster_name>
    user: <service_account_name>
  name: <your_cluster_name>
current-context: <your_cluster_name>
kind: Config
preferences: {}
users:
- name: <service_account_name>
	user:
    token: <token_data>

Authenticating in Tempest with a generated kubeconfig

Once you’ve generated your kubeconfig, use it to authenticate in Tempest:

  1. Go to Recipes and either click “Create Recipe” or select a pre-existing recipe.
  2. Click an existing Kubernetes resource in your recipe, or add a new resource by selecting “+” next to your preferred environment and selecting an Kubernetes resource.
  3. Select “Add credentials” and then “+Link credentials.”
  4. Select “Kubeconfig.”
  5. Input a name for your credential. This will be used to identify the credential when you authenticate.
  6. Upload the kubeconfig file.
  7. Once completed, you’ll be authenticated and your kubeconfig name will populate in the credentials drop down.

Resources

The Tempest Kubernetes App currently supports the creation of Applications.

Application

Create Input

  • Name (required): The name of the Application to deploy in Kubernetes. Example: "my-service".
  • Image (required): The fully qualified image name to deploy. Example: "gcr.io/my-project/my-image:latest".
  • Gateway Class (required): The Kubernetes Gateway Class to use for the service. This field uses a data source to populate available Gateway Classes.
  • Replicas: The number of replicas to create. Default is 2.
  • CPU: CPU allocation for the container. Options: 100m, 250m, 500m, 1. Default is 250m.
  • Memory: Memory allocation for the container. Options: 256Mi, 512Mi, 1Gi, 2Gi. Default is 512Mi.
  • Storage: Ephemeral storage allocation. Options: 1Gi, 2Gi, 5Gi, 10Gi. Default is 1Gi.
  • Port: The exposed port on the container. Default is 8080.

Properties

NameDescription
NamespaceThe Kubernetes namespace where the resource is located.
RelationshipsThe direct relationships between this resource and other resources within Kubernetes.
Primary AddressThe primary address of the application.

Importable Resources

The Kubernetes App supports importing the following resources, allowing for centralized management and better visibility into service and resource health.

  • ConfigMaps
  • Deployments
  • Gateways
  • Ingresses
  • Pods
  • Replicasets
  • Secrets
  • Services

Properties

Each imported resource will expose the following properties:

NameDescription
NameThe name of the resource.
NamespaceThe namespace of the resource.
ObjectAn object containing the resource configuration rendered as JSON. This field is not rendered for Secrets.
RelationshipsAn array of strings representing the relationships to other resources within Kubernetes.

For more information importing resources, see: Import existing resources.