OpenShift

By connecting vScope to OpenShift, you gain full visibility into your containerized workloads. This includes inventory of clusters, nodes, namespaces, and deployments, helping you track resources, health, and maintain compliance.

The connection requires a Service Account with specific permissions and an authentication token.

Creating an OpenShift Token

You can create the necessary credentials using either the command-line interface (CLI) or the web console (UI).

Method 1: Command Line (CLI)

Follow these steps using the oc command-line tool connected to your OpenShift cluster.

1. Create Service Account

# Replace 'your-project' with the desired project name
oc create sa vscope-sa -n your-project

2. Create Cluster Role

Create a file named eg. vscope-role.yaml with the following content and apply it.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vscope-inventory-role
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces"]
  verbs: ["get", "list"]
- apiGroups: ["config.openshift.io"]
  resources: ["clusterversions"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]

oc apply -f vscope-role.yaml

3. Create Cluster Role Binding

# Replace 'your-project' with the project name from step 1
oc create clusterrolebinding vscope-inventory-binding --clusterrole=vscope-inventory-role --serviceaccount=your-project:vscope-sa

4. Get the Authentication Token

# Replace 'your-project' with the project name from step 1
oc serviceaccounts get-token vscope-sa -n your-project

Copy the long string of characters this command outputs. This is your token.

Method 2: Web Console (UI)

Follow these steps if you prefer to use the OpenShift web interface.

1. Create Service Account

From the Administrator perspective, navigate to User Management > Service Accounts.
Select the desired Project from the dropdown menu (e.g., your-project).
Click Create Service Account.
Enter the Name as vscope-sa and click Create.

2. Create Cluster Role

Navigate to User Management > Roles.
Ensure the Cluster Roles tab is selected.
Click Create Role.
Switch to the YAML view.

Delete the default content and paste the following YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vscope-inventory-role
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces"]
  verbs: ["get", "list"]
- apiGroups: ["config.openshift.io"]
  resources: ["clusterversions"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]

Click Create.

3. Create Cluster Role Binding

Navigate to User Management > Role Bindings.
Ensure the Cluster-wide Role Bindings tab is selected.
Click Create Binding.
Set the Binding Type to Cluster-wide role binding (ClusterRoleBinding).
Enter a Name for the binding, like vscope-inventory-binding.
For Role Name, select the vscope-inventory-role you just created.
Under Subject, select Service Account.
Choose the Subject Namespace where you created the service account (e.g., your-project).
For Subject Name, select vscope-sa.
Click Create.
Get the Authentication Token

Getting the token from the UI can be tricky. The easiest method is to use the one-line CLI command from the first section.

# Quickest Way: Use the CLI to get the token
oc serviceaccounts get-token vscope-sa -n your-project

Add OpenShift Credential to vScope

Once you have your token, the final steps are the same regardless of which method you used.

Navigate to Discovery > Credentials.
Click Create credential and choose OpenShift.
In the Base URL field, enter the address to your OpenShift instance’s API (e.g., https://api.your-cluster.com:6443).
In the Authorization Header field, you must format the token as a Bearer token. Type Bearer (with a space) and then paste the token you copied.
- Correct format: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6I...
- Incorrect format: eyJhbGciOiJSUzI1NiIsImtpZCI6I...
Click Test Credential to verify the connection.