
Kubeturbo Cluster Roles

Jason Shaw edited this page Nov 9, 2023 · 32 revisions

Kubeturbo Operator Cluster Roles

If you are deploying Kubeturbo with the Operator, the Operator itself can run with either of the following cluster roles:

  • cluster-admin
  • A minimum-privilege cluster role, which is the default in the OpenShift OperatorHub deployment. For manually deploying the Operator, the cluster role is here

Mediation Probe: Kubeturbo Cluster Roles

The Kubeturbo mediation probe can run with one of 3 cluster role options, which control its ability to execute actions.

  • cluster-admin Role.

Note that this is the default role assigned to the Kubeturbo service account. The other two options are the custom roles described in the sections below.

Mediation Probe and Execute Actions Role

You can choose to run with a custom role that provides the minimum privileges while retaining the ability to execute actions. The yaml to use for this is here and has a Cluster Role name of turbo-cluster-admin.

YAML Method

Steps to use this custom Execute Actions Cluster Role

  1. Create the new Cluster Role turbo-cluster-admin using the yaml here
  2. Update the Cluster Role Binding yaml here to use the new custom role named turbo-cluster-admin under the roleRef section, as shown in the yaml example below
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1    
metadata:
  name: turbo-all-binding-kubeturbo-turbo
subjects:
- kind: ServiceAccount
  name: turbo-user
  namespace: turbo
roleRef:
  kind: ClusterRole
  name: turbo-cluster-admin
  apiGroup: rbac.authorization.k8s.io
  3. Create the Cluster Role Binding (default name is turbo-all-binding-kubeturbo-turbo)

  4. Continue with the rest of the deployment of kubeturbo using the custom Cluster Role defined

Operator and OperatorHub Method

Steps to use this custom Execute Actions Cluster Role

  1. Update your kubeturbo deployment yaml with the additional parameter roleName: set to the value turbo-cluster-admin, as shown below
apiVersion: charts.helm.k8s.io/v1
kind: Kubeturbo
metadata:
  name: kubeturbo-release
  namespace: turbo
spec:
  serverMeta:
    turboServer: 'https://MY_TURBO_SERVER_URL'
  targetConfig:
    targetName: MY_CLUSTER_NAME
  roleName: turbo-cluster-admin
  2. Continue with the rest of the deployment of kubeturbo using the custom Cluster Role defined

HELM Method

Steps to use this custom Execute Actions Cluster Role

  1. Add the following parameter to your helm install command:

    • --set roleName=turbo-cluster-admin
  2. Optionally, specify the roleName: parameter with a value of turbo-cluster-admin in the values.yaml file.

Mediation Probe and Read-Only Role (discovery and metrics only)

You can choose to run with a custom role that provides read-only privileges, with the ability to discover your environment and collect metrics only. The yaml to use for this is here and has a Cluster Role name of turbo-cluster-reader.

YAML Method

Steps to use this custom Read-Only Cluster Role

  1. Create the new Cluster Role turbo-cluster-reader using the yaml here
  2. Update the Cluster Role Binding yaml here to use the new custom role named turbo-cluster-reader under the roleRef section, as shown in the yaml example below
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1    
metadata:
  name: turbo-all-binding-kubeturbo-turbo
subjects:
- kind: ServiceAccount
  name: turbo-user
  namespace: turbo
roleRef:
  kind: ClusterRole
  name: turbo-cluster-reader
  apiGroup: rbac.authorization.k8s.io
  3. Create the Cluster Role Binding (default name is turbo-all-binding-kubeturbo-turbo)

  4. Continue with the rest of the deployment of kubeturbo using the custom Cluster Role defined

Operator and OperatorHub Method

Steps to use this custom Read-Only Cluster Role

  1. Update your kubeturbo deployment yaml with the additional parameter roleName: set to the value turbo-cluster-reader, as shown below
apiVersion: charts.helm.k8s.io/v1
kind: Kubeturbo
metadata:
  name: kubeturbo-release
  namespace: turbo
spec:
  serverMeta:
    turboServer: 'https://MY_TURBO_SERVER_URL'
  targetConfig:
    targetName: MY_CLUSTER_NAME
  roleName: turbo-cluster-reader
  2. Continue with the rest of the deployment of kubeturbo using the custom Cluster Role defined

HELM Method

Steps to use this custom Read-Only Cluster Role

  1. Add the following parameter to your helm install command:

    • --set roleName=turbo-cluster-reader
  2. Optionally, specify the roleName: parameter with a value of turbo-cluster-reader in the values.yaml file.
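
Because cluster-admin is the default, it is worth confirming which of the three roles each Kubeturbo binding actually references after deployment. The script below is an added example, not part of Kubeturbo: it classifies bindings from `kubectl get clusterrolebindings -o json` output. The sample data is constructed, and the release suffix on operator-created role names is an assumption based on the operator log line in the Changing Roles section.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "turbo-all-binding-kubeturbo-turbo"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "turbo-user",
                   "namespace": "turbo"}]},
    {"metadata": {"name": "turbo-all-binding-kubeturbo-release-turbo3"},
     "roleRef": {"kind": "ClusterRole",
                 "name": "turbo-cluster-reader-kubeturbo-release-turbo3"},
     "subjects": [{"kind": "ServiceAccount", "name": "turbo-user",
                   "namespace": "turbo3"}]},
    {"metadata": {"name": "unrelated-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]})

BINDING_PREFIX = "turbo-all-binding-kubeturbo"
# The three role options described on this page.
LEVELS = [("turbo-cluster-reader", "read-only"),
          ("turbo-cluster-admin", "execute-actions"),
          ("cluster-admin", "full cluster-admin")]

def classify(role_name):
    """Map a roleRef name, with or without a release suffix, to a level."""
    for base, level in LEVELS:
        if role_name == base or role_name.startswith(base + "-"):
            return level
    return "unknown"

def audit(raw_json):
    """Return (binding, subject, role, level) for each Kubeturbo binding."""
    findings = []
    for crb in json.loads(raw_json).get("items", []):
        name = crb["metadata"]["name"]
        if not name.startswith(BINDING_PREFIX):
            continue
        role = crb["roleRef"]["name"]
        for subj in crb.get("subjects") or []:  # subjects may be null
            who = f'{subj.get("namespace", "-")}/{subj["name"]}'
            findings.append((name, who, role, classify(role)))
    return findings

if __name__ == "__main__":
    # Pipe real kubectl output in, or run with no stdin to use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for row in audit(raw):
        print("{:45} {:20} {:50} {}".format(*row))
```

Any row reported as full cluster-admin is a binding that still uses the default role rather than one of the two custom roles.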

Changing Roles

Changing Roles with the Operator

If you deployed Kubeturbo with the Operator configured with, for example, the turbo-cluster-reader role (or any role that you want to change after initial deployment) and you now need to change it to, for example, the elevated turbo-cluster-admin role, you need to do the following to successfully configure Kubeturbo to use the new role:

  1. Update the kubeturbo-release yaml with the new role as detailed here
  2. Delete the Cluster Role Binding (CRB) whose name starts with the naming convention turbo-all-binding-kubeturbo. This binding does not automatically get updated/patched with the new role you want to use, and you will see errors in the operator log similar to failed upgrade (cannot patch \"turbo-all-binding-kubeturbo-release-turbo3\" with kind ClusterRoleBinding. A full log error example is below:
{"level":"error","ts":1699544663.525695,"logger":"helm.controller","msg":"Release failed","namespace":"turbo3","name":"kubeturbo-release","apiVersion":"charts.helm.k8s.io/v1alpha1","kind":"Kubeturbo","release":"kubeturbo-release","error":"failed upgrade (cannot patch \"turbo-all-binding-kubeturbo-release-turbo3\" with kind ClusterRoleBinding: ClusterRoleBinding.rbac.authorization.k8s.io \"turbo-all-binding-kubeturbo-release-turbo3\" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:\"rbac.authorization.k8s.io\", Kind:\"ClusterRole\", Name:\"turbo-cluster-reader-kubeturbo-release-turbo3\"}: cannot change roleRef) and failed rollback: no ClusterRole with the name \"turbo-cluster-admin-kubeturbo-release-turbo3\" found"
  3. Once the CRB is deleted, the error above will be gone and Kubeturbo will now be using the elevated role.
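
The Kubernetes API treats roleRef on an existing binding as immutable, which is why the operator's patch fails until the binding is deleted and recreated. As an added example (not part of Kubeturbo or its operator), the script below scans operator log lines for that failure and lists the bindings to delete; the error text is copied from the log line above with some outer fields dropped, and the other lines are constructed.

```python
import json
import re
import shlex

# Line 2 carries the error text shown above; lines 1 and 3 are constructed.
SAMPLE_LOG = [
    '{"level":"info","logger":"helm.controller","msg":"Reconciled release"}',
    r'{"level":"error","logger":"helm.controller","msg":"Release failed",'
    r'"namespace":"turbo3","name":"kubeturbo-release","error":"failed upgrade '
    r'(cannot patch \"turbo-all-binding-kubeturbo-release-turbo3\" with kind '
    r'ClusterRoleBinding: ClusterRoleBinding.rbac.authorization.k8s.io '
    r'\"turbo-all-binding-kubeturbo-release-turbo3\" is invalid: roleRef: '
    r'Invalid value: rbac.RoleRef{APIGroup:\"rbac.authorization.k8s.io\", '
    r'Kind:\"ClusterRole\", '
    r'Name:\"turbo-cluster-reader-kubeturbo-release-turbo3\"}: cannot change '
    r'roleRef) and failed rollback: no ClusterRole with the name '
    r'\"turbo-cluster-admin-kubeturbo-release-turbo3\" found"}',
    'plain text line that is not JSON',
]

PATCH_RE = re.compile(r'cannot patch "([^"]+)" with kind ClusterRoleBinding')
BOUND_RE = re.compile(r'Name:"([^"]+)"\}: cannot change roleRef')
WANTED_RE = re.compile(r'no ClusterRole with the name "([^"]+)" found')

def _first(pattern, text):
    match = pattern.search(text)
    return match.group(1) if match else None

def stuck_bindings(lines):
    """Return {binding: (role still bound, role requested)} per failure."""
    stuck = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # operator logs can contain non-JSON lines
        if not isinstance(rec, dict) or rec.get("level") != "error":
            continue
        err = str(rec.get("error", ""))
        binding = _first(PATCH_RE, err)
        if binding and "cannot change roleRef" in err:
            stuck[binding] = (_first(BOUND_RE, err), _first(WANTED_RE, err))
    return stuck

def remediation(stuck):
    """Build delete commands; names come from logs, so quote them."""
    return ["kubectl delete clusterrolebinding " + shlex.quote(name)
            for name in sorted(stuck)]

if __name__ == "__main__":
    print("\n".join(remediation(stuck_bindings(SAMPLE_LOG))))
```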

Changing Roles without the Operator

If you deployed Kubeturbo without an Operator, configured with, for example, the turbo-cluster-reader role (or any role that you want to change after initial deployment), and you now need to change it to, for example, the elevated turbo-cluster-admin role, you need to do the following to successfully configure Kubeturbo to use the new role:

  1. Delete the Cluster Role Binding (CRB) that will start with the naming convention turbo-all-binding-kubeturbo
  2. Update the Kubeturbo deployment as per the steps above for yaml or for helm with the new role you want to use.
