VHM and Kubernetes

You can use a SUSE Manager VHM to manage Kubernetes clusters.

The VHM allows SUSE Manager to obtain and report information about your clusters. For more information on VHMs, see client-configuration:vhm.adoc.

To use SUSE Manager with Kubernetes, you will need to have your SUSE Manager Server configured for container management, with all required channels present, and a registered container build host available.

You will also require:

  • At least one Kubernetes or SUSE CaaS Platform cluster available on your network.

  • The virtual-host-gatherer-Kubernetes package installed on the SUSE Manager Server.

  • Kubernetes version 1.5.0 or higher, or SUSE CaaS Platform.

  • Docker version 1.12 or higher on the container build host.

Create a Kubernetes VHM

Kubernetes clusters are registered with SUSE Manager as a VHM.

You will need a kubeconfig file to register and authorize your Kubernetes cluster. You can get a kubeconfig file using the Kubernetes command line tool kubectl. If you are using SUSE CaaS Platform, you can download the file from the Velum interface.

Procedure: Creating a Kubernetes VHM
  1. In the SUSE Manager Web UI, navigate to Systems  Virtual Host Managers.

  2. Click Create and select Kubernetes Cluster.

  3. In the Add a Kubernetes Virtual Host Manager section, use these parameters:

    • In the Label field, type a custom name for your VHM.

    • Select the kubeconfig file that contains the required data for the Kubernetes cluster.

  4. In the context field, select the appropriate context for the cluister. This is specified in the kubeconfig file.

  5. Click Create.

Procedure: Viewing the Nodes in a Cluster
  1. In the SUSE Manager Web UI, navigate to Systems  Virtual Host Managers.

  2. Select the Kubernetes cluster.

  3. Refresh the node data by clicking Schedule refresh data.

The node data can take a few moments to update. You might need to refresh your browser window to see the updated information.

Any connection or authentication problems are logged to gatherer.log.

Node data is not refreshed during registration. You will need to manually refresh the data to see it.

Retrieve Image Runtime Data

You can view runtime data about Kubernetes images in the SUSE Manager Web UI, by navigating to Images  Image List.

The image list table contains three columns:

  • Revision:

    A sequence number that increments on every rebuild for images built by SUSE Manager, or on every import for externally built images.

  • Runtime:

    Overall status of the running instances for each image in registered clusters.

  • Instances:

    Number of instances running this image across all the clusters registered in SUSE Manager. You can see a breakdown of numbers by clicking the pop-up icon next to the number.

The Runtime column displays one of these status messages:

  • All instances are consistent with SUSE Manager:

    All the running instances are running the same build of the image as tracked by SUSE Manager.

  • Outdated instances found:

    Some of the instances are running an older build of the image. You might need to redeploy the image.

  • No information:

    The checksum of the instance image does not match the image data contained in SUSE Manager. You might need to redeploy the image.

Procedure: Building an Image
  1. In the SUSE Manager Web UI, navigate to Images  Stores.

  2. Click Create to create an image store.

  3. Navigate to Images  Profiles.

  4. Click Create to create an image profile. You will need to use a dockerfile that is suitable to deploy to Kubernetes.

  5. Navigate to Images  Build to build an image with the new profile.

  6. Deploy the image into one of the registered Kubernetes clusters. You can do this with the kubectl tool.

The updated data should now be available in the image list at Images  Image List.

Procedure: Importing a Previously Deployed Image
  1. In the SUSE Manager Web UI, navigate to Images  Image Stores.

  2. Add the registry that owns the image you want to import, if it is not already there.

  3. Navigate to Images  Image List and click Import.

  4. Complete the fields, select the image store you created, and click Import.

The imported image should now be available in the image list at Images  Image List.

Procedure: Rebuilding a Previously Deployed Image
  1. In the SUSE Manager Web UI, navigate to Images  Image List, locate the row that contains the image you want to rebuild, and click Details.

  2. Navigate to the Build Status section, and click Rebuild. The rebuild can take some time to complete.

When the rebuild has successfully completed, the runtime status of the image is updated in the image list at Images  Image List. This shows that the instances are running a previous build of the image.

You can only rebuild images if they were originally built with SUSE Manager. You cannot rebuild imported images.

Procedure: Retrieving Additional Runtime Data
  1. In the SUSE Manager Web UI, navigate to Images  Image List, locate the row that contains the running instance, and click Details.

  2. Navigate to the Overview tab. In the Image Info section, there is data in the Runtime and Instances fields.

  3. Navigate to the Runtime tab. This section contains a information about the Kubernetes pods running this image in all the registered clusters. The information in this section includes:

    • Pod name.

    • Namespace which the pod resides in.

    • The runtime status of the container in the specific pod.

Permissions and Certificates

You can only use kubeconfig files with SUSE Manager if they contain all embedded certificate data.

The API calls from SUSE Manager are:

  • GET /api/v1/pods

  • GET /api/v1/nodes

The minimum recommended permissions for SUSE Manager are:

  • A ClusterRole to list all the nodes:

    resources: ["nodes"]
    verbs: ["list"]
  • A ClusterRole to list pods in all namespaces (role binding must not restrict the namespace):

    resources: ["pods"]
    verbs: ["list"]

If /pods returns a 403 reponse, the entire cluster will be ignored by SUSE Manager.

For more information on working with RBAC Authorization, see https://kubernetes.io/docs/admin/authorization/rbac/.