Star Blast News

Home / updates

Discovering Red Hat OpenShift clusters - Documentation for BMC Helix Discovery

Mia Smith |

BMC Helix Discovery has been able to discover OpenShift for some releases. For more information, see Discovering containers. Using the API providers option to discover OpenShift through its API provides an accurate and efficient way of discovering OpenShift, though it can be used to complement the existing IP address-based method.

API provider discovery of OpenShift supports OpenShift 4.1 and later.

The current IP address-based OpenShift discovery (described in Discovering containers) uses an IP scan and a host credential to discover OpenShift software running on a host. BMC Helix Discovery creates or updates an existing OpenShift SI. The OpenShift SI triggers additional patterns to discover the containers that the OpenShift management software controls. Using this approach, you can determine the management software and structure of the containers. However, BMC Helix Discovery can discover hosts only if appropriate credentials are available.

Using the OpenShift API enables you to discover the OpenShift's view of the containers and hosts that it manages. This applies even to those hosts that cannot be reached with an IP scan. 

To discover OpenShift using an API provider

The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:

Find OpenShift management software using an IP scan 

Ensure that you have scanned your estate to find all instances of OpenShift. Once you have located them, you can target initial API scans to perform deeper discovery using the OpenShift API.

For information on scanning, see Performing a discovery run. After you have scanned the estate, you can search for OpenShift SIs by performing the following steps:

  1. In the search box at the top right of the UI, enter OpenShift.
  2. Click the Software instance row.
    The Software Instance list is displayed.

Check permissions

For any OpenShift system in which you want BMC Discovery to be able to discover all supported resources, you must define a ServiceAccount in the default namespace and bind it to the ClusterRole, where RoleBinding must be of a cluster-wide type. The ClusterRole should grant the read (get/list) permissions on required resources in the appropriate API groups. The required resources are retrieved using Discovery's API queries while scanning the Openshift cluster.

Note

The credential will fail if your default namespace has been changed. Add the changed namespace to ClusterRole and ServiceAccount to avoid the problem.

OpenShift OAuth

OpenShift OAuth authentication obtains an OAuth token from the OpenShift REST API Well Known Endpoint (WKE) using the provided username and password. Once the token is obtained, it is used to access and discover the OpenShift clusters specified in the credential. OpenShift OAuth provides the ability to discover many OpenShift clusters using a single credential. The WKE authorization server must be resolvable.

Bearer token

Bearer token authentication uses a token valid for a single OpenShift cluster to access and discover the cluster.

For instructions on obtaining the URL and non-expiring token to use in the API provider credential, see  Using service accounts in applications Open link.

For information on using OAuth, see  Using a service account as an OAuth client Open link.

Create an API provider credential valid for the OpenShift system 

Use the API URL and token that you have just created and retrieved to create the API provider credential. For information on creating credentials, see Adding credentials.

API provider credentials use the URL to connect to the OpenShift API, though you can also specify IP addresses in Matching criteria, and in Matching exceptions.

 In an IP scan, when, for example container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.

Perform a snapshot API scan 

  1. On the Manage > Discovery page, click Add New Run.
  2. In the Timing field, select Snapshot.

  3. In the Targeting field, select API.

  4. Enter the information for the snapshot API provider discovery run in the fields.

    Field name

    Details

    Label

    Enter a label for the discovery run. Where the discovery run is referred to in the UI, it is this label that is shown.

    Timing

    Select the run type, one of:

    For this snapshot scan, select Snapshot.

    Targeting

    Select the target for the discovery run. This is one of:

    • IP Address — Enter IP address information.
    • Cloud — Enter cloud provider information.
    • API — Enter API provider information.

    For this API provider scan, select API.

    Provider

    Specify the type of API provider. Currently, BMC Helix Discovery supports the following providers:

    • Kubernetes/OpenShift Cluster
    • MongoDB Atlas
    • Rancher Managed Kubernetes Clusters 

    Restrict by Organization

    This field is available only if you have enabled the Enable Restricted Organizations setting in the Administration > Other Settings UI. For more information, see Configuring discovery settings.

    Select the organization that you want to use for the scan. The organizations available in the list are limited to those organizations of which the logged-in user is a member. The organization you select impacts the Outposts available in the scope via field. For more information, see Outposts restricted by organizations.  

    Credential

    The list is populated with valid credentials for the selected provider. Select the credential or credentials to use for the discovery run.

  5. Click OK to start the run.

 

For information on running all types of discovery runs, see Performing a discovery run.

When you view the Discovery Access page for the OpenShift discovery, the UI shows a script failure for the Openshift.ListClusterVersions method. This is expected.

Viewing the discovered OpenShift cluster

Once you have discovered a cluster, you can view it:

  1. From the Discovery page, select the Recent Runs tab.
  2. Click the snapshot API scan you have just performed. If you have discovered multiple clusters, then a Discovery Access node for each cluster is linked to the Discovery Run.
  3. Click the Cluster icon. 

For more information

For more information on the way that OpenShift clusters are discovered, see Red Hat OpenShift in the BMC Discovery Content Reference documentation.

You Might Also Like