OpenShift

By connecting vScope to OpenShift, you gain full visibility into your containerized workloads. This includes an inventory of clusters, nodes, namespaces, deployments and certificates, helping you track resources and health and maintain compliance.

The connection requires a Service Account with specific permissions and an authentication token.

Certificate inventory requires a certificate manager, such as cert-manager, to be installed and configured in the cluster.

You can create the necessary credentials using either the command-line interface (CLI) or the web console (UI).

Follow these steps using the oc command-line tool connected to your OpenShift cluster.

1. Create Service Account

# Replace 'your-project' with the desired project name
oc create sa vscope-sa -n your-project

2. Open Your Project

# Switch to your project
oc project your-project

3. Create Cluster Role

Create a file named, e.g., vscope-role.yaml with the following content, then apply it.

# Read-only (get, list) access to the resources vScope inventories.
# As a ClusterRole bound cluster-wide, the "secrets" rule applies to every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vscope-inventory-role
rules:
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusterversions"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list"]

oc apply -f vscope-role.yaml

4. Create Cluster Role Binding

# Replace 'your-project' with the project name from step 1
oc create clusterrolebinding vscope-inventory-binding --clusterrole=vscope-inventory-role --serviceaccount=your-project:vscope-sa

5. Get the Authentication Token

# Replace 'your-project' with the project name from step 1. The duration in this example is set to one year.
oc create token vscope-sa -n your-project --duration=8760h

Copy the long string of characters this command outputs. This is your token.

Follow these steps if you prefer to use the OpenShift web interface.

1. Create Service Account

  1. From the Administrator perspective, navigate to User Management > Service Accounts.

  2. Select the desired Project from the dropdown menu (e.g., your-project).

  3. Click Create Service Account.

  4. Enter the Name as vscope-sa and click Create.

2. Create Cluster Role

  1. Navigate to User Management > Roles.

  2. Ensure the Cluster Roles tab is selected.

  3. Click Create Role.

  4. Switch to the YAML view.

  5. Delete the default content and paste the following YAML:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: vscope-inventory-role
    rules:
      - apiGroups: [""]
        resources: ["nodes", "namespaces", "secrets"]
        verbs: ["get", "list"]
      - apiGroups: ["config.openshift.io"]
        resources: ["clusterversions"]
        verbs: ["get", "list"]
      - apiGroups: ["apps"]
        resources: ["deployments"]
        verbs: ["get", "list"]
      - apiGroups: ["cert-manager.io"]
        resources: ["certificates"]
        verbs: ["get", "list"]

  6. Click Create.

3. Create Cluster Role Binding

  1. Navigate to User Management > Role Bindings.

  2. Ensure the Cluster-wide Role Bindings tab is selected.

  3. Click Create Binding.

  4. Set the Binding Type to Cluster-wide role binding (ClusterRoleBinding).

  5. Enter a Name for the binding, like vscope-inventory-binding.

  6. For Role Name, select the vscope-inventory-role you just created.

  7. Under Subject, select Service Account.

  8. Choose the Subject Namespace where you created the service account (e.g., your-project).

  9. For Subject Name, select vscope-sa.

  10. Click Create.

4. Get the Authentication Token

Getting the token from the UI can be tricky. The easiest method is to use the one-line CLI command from the first section. The duration for the token in our example is set to one year.

# Quickest Way: Use the CLI to get the token
oc create token vscope-sa -n your-project --duration=8760h

Once you have your token, the final steps are the same regardless of which method you used.

  1. Navigate to Discovery > Credentials.

  2. Click Create credential and choose OpenShift.

  3. In the Base URL field, enter the address to your OpenShift instance’s API (e.g., https://api.your-cluster.com:6443).

  4. In the Authorization Header field, you must format the token as a Bearer token. Type Bearer (with a space) and then paste the token you copied.

    • Correct format: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6I...
    • Incorrect format: eyJhbGciOiJSUzI1NiIsImtpZCI6I...
  5. Click Test Credential to verify the connection.

| Error | What happened? | Suggested action |
| --- | --- | --- |
| Failed to get assets from asset source… | The request failed because authentication was missing or invalid, 401 Unauthorized | The issue is resolved by renewing the bearer token, as the existing token is expired or invalid. |
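
The two failure modes above (a value without the Bearer prefix, and an expired token that ends in 401 Unauthorized) can be caught before the credential is saved. The following Python check is an added example, not part of vScope or OpenShift: it reads the `exp` claim from the token's JWT payload without verifying the signature. The function names, the 30-day warning threshold and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time

SA_SUBJECT = "system:serviceaccount:your-project:vscope-sa"  # names from the steps above

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(iat: int, hours: int = 8760) -> str:
    """Constructed, unsigned stand-in for `oc create token` output (not a real credential)."""
    claims = {"sub": SA_SUBJECT, "iat": iat, "exp": iat + hours * 3600}
    return ".".join([_b64url({"alg": "RS256"}), _b64url(claims), "constructed-signature"])

def check_authorization_header(value, now=None, warn_days=30):
    """Pre-flight check of the Authorization Header value before pasting it into vScope.

    The signature is not verified (only the API server can do that); this catches
    a missing 'Bearer ' prefix and tokens that are expired or close to expiry.
    """
    now = time.time() if now is None else now
    scheme, _, token = value.strip().partition(" ")
    if scheme != "Bearer" or not token.strip():
        return {"status": "bad-format", "detail": "expected 'Bearer <token>'"}
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {"status": "bad-format", "detail": "token is not a three-part JWT"}
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return {"status": "bad-format", "detail": "payload is not base64url JSON"}
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        return {"status": "bad-format", "detail": "no numeric exp claim"}
    days_left = int((exp - now) // 86400)
    if exp <= now:
        status = "expired"  # vScope would receive 401 Unauthorized
    elif days_left < warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return {"status": status, "subject": claims.get("sub"), "days_left": days_left}

if __name__ == "__main__":
    issued = int(time.time()) - 350 * 86400  # constructed: token issued 350 days ago
    print(check_authorization_header("Bearer " + make_sample_token(issued)))
    print(check_authorization_header(make_sample_token(issued)))  # prefix forgotten
```

Run it against the real header value on the machine where the token was created, so the token is not copied to another system just to be checked.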