Turbonomic

How does the IBM Turbonomic Kubeturbo Agent work and what data does it create and discover in a Kubernetes and Red Hat OpenShift cluster?

If you didn't know that IBM Turbonomic can help to optimize your Kubernetes and Red Hat OpenShift cluster resources and workloads, see my previous blog here: https://community.ibm.com/community/user/aiops/blogs/jason-shaw/2024/02/05/ibm-turbonomic-containers

The first step in optimizing your Kubernetes and Red Hat OpenShift clusters and workloads is by having an IBM Turbonomic instance available that the Kubeturbo agent can communicate with over port https 443. 

• If you do not currently have an instance you can sign-up for our free 30-day SaaS Trial here: https://www.ibm.com/products/turbonomic

Once that communication is confirmed the next step is to deploy the Kubeturbo agent into each cluster.

What type of communication does Kubeturbo use to communicate with the Turbonomic server?

Kubeturbo uses https port 443 to communicate and establish a connection with the Turbonomic server.  Further to that it uses the WebSocket Secure or WSS protocol over https using TLS 1.2+

WebSockets are a protocol that establishes a full-duplex communication channel over a single TCP connection. This allows real-time data exchange between a client and a server without repeatedly closing and reopening connections.  The protocol begins with a handshake phase that utilizes the HTTP upgrade system to switch from an initial HTTP connection to a WebSocket connection. Once established, this persistent connection enables data to flow freely in both directions, significantly reducing latency and overhead compared to traditional HTTP requests.

What access does Kubeturbo have to my cluster resources?

We follow the principle of least privilege but give you 3 options from read-only to full cluster admin based on the actions you want to execute in your environment to increase the value and ROI you want to receive from Turbonomic.

We have the least privilege custom "turbo-cluster-reader" role. 

• This is the minimum required role with permissions to discover your resources and workload utilization metrics in your cluster for observability.
• It will not have access to perform any changes to your cluster resources.
• This will create the required role, service account and cluster role binding.
• To see which permissions are included in this role, see the source YAML here: https://raw.githubusercontent.com/turbonomic/kubeturbo/master/deploy/kubeturbo_yamls/turbo-reader.yaml

We have the least privilege custom "turbo-cluster-admin" role. 

• This is the minimum required role with permissions in addition to the reader role above to also make changes to the resources in your cluster based on the actions generated in your Turbonomic instance.
• This will create the required role, service account and cluster role binding.
• To see which permissions are included in this role, see the source YAML here: https://raw.githubusercontent.com/turbonomic/kubeturbo/master/deploy/kubeturbo_yamls/turbo-admin.yaml

We also have the option of using the built-in "cluster-admin" role.

• This is using the built-in role with full elevated permissions in the cluster for discovery and making changes to the resources in your cluster without the need of using a custom role.
• This will create the required service account and cluster role binging only as the built-in role already exists in the cluster.

What resources are created in your cluster by the Kubeturbo agent?

When you deploy Kubeturbo for the first time the following resources are created in your cluster depending on the deployment method and configuration used:

• namespace/turbo
• serviceaccount/turbo-user
• serviceaccount/kubeturbo-operator (if deploying via operator)
• serviceaccount/kubeturbo-scc (for each SCC required)
• clusterrole/turbo-cluster-reader (if using turbo-cluster-reader role above)
• clusterrole/turbo-cluster-admin (if using turbo-cluster-admin role above)
• clusterrole/kubeturbo-scc (for each SCC required)
• clusterrole/kubeturbo-operator (if deploying via operator)
• clusterrolebinding/turbo-all-binding-kubeturbo-turbo
• clusterrolebinding/kubeturbo-scc (for each SCC required)
• clusterrolebinding/kubeturbo-operator (if deploying via operator)
• configmap/turbo-config (starts with turbo-config, will be specific to your deployment type)
• customresourcedefinition/Kubeturbo (if deploying via operator)
• customresource/kubeturbo-release (if deploying via operator)
• deployment/kubeturbo-operator (if deploying via operator method)
• deployment/kubeturbo-release (if deploying via operator method)
• deployment/kubeturbo (if deploying via YAML or HELM methods)
• secret/turbonomic-credentials (if using a secret to store credentials)

Where can I find more information on Kubeturbo?

See our official IBM Turbonomic documentation here: https://www.ibm.com/docs/en/tarm/latest?topic=configuration-container-platform-targets that has details on how to deploy Kubeturbo in your Kubernetes and Red Hat OpenShift cluster.

As always, see our IBM Turbonomic product page for more information and to get started on your Kubernetes and Red Hat OpenShift optimization journey: https://www.ibm.com/products/turbonomic

________________

Jason Shaw

Product Manager

IBM Turbonomic

https://www.linkedin.com/in/shawsers