Hi Eugen,
We created a service account with admin rights for the instana-agent namespace, but the execution of the test script from Instana didn't work.
Maybe it would be best to discuss this topic in a call.
best regards Karen
------------------------------
Karen Schuster
Technology Advocate IT Automation & Observability
SVA System Vertrieb Alexander GmbH
Wiesbaden
------------------------------
Original Message:
Sent: Thu August 29, 2024 11:49 AM
From: Eugen Postea
Subject: Automation Action script with Kubernetes/Openshift Nodes
Hello Karen, thanks for your reply.
I think you have two options for your use case:
1. have a dedicated agent with action script sensor enabled that can run kubectl commands against your cluster. It can run on a separate VM that has access to your cluster.
2. enable the action script sensor for the agents running in your k8s nodes
In both cases you need to create an operating system user that will be used to run the automation scripts on the agent. We don't allow running the scripts as root due to security reasons.
There are a few considerations to keep in mind when you set up the user:
- the user has to have the permissions to execute the commands that are part of your action script (i.e. kubectl, etc.)
- the user requires read, write, and execute permissions to the `scriptExecutionHome` directory (`scriptExecutionHome` is part of your action script sensor configuration: https://www.ibm.com/docs/en/instana-observability/current?topic=technologies-automation-action-script#configuration)
- also, the user has to be in the agent user's sudo list. The agent user is the user that starts the agent on your VM, usually root.
Let me know if it works for you, or we can jump on a call to discuss this in more detail. Thank you!
Eugen Postea
Senior Software Developer
IBM Instana
------------------------------
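A preflight check for the considerations listed in the message above, as an added example that is not part of the original thread and not Instana's own tooling. The function names and the `preflight` entry point are hypothetical; it assumes Linux with GNU `stat` and evaluates POSIX mode bits only.

```sh
#!/bin/sh
# Added example: preflight checks for the OS user that runs action scripts.
# Assumptions: Linux with GNU stat; only POSIX mode bits are evaluated
# (ACLs and parent-directory traversal are not checked). The sudo-list
# requirement is not checked here.

# Print the rwx digit (0-7) that applies to USER on PATH: owner class if
# USER owns it, else group class if USER is in its group, else other.
perm_bits() (
    uid=$(id -u "$1" 2>/dev/null) || exit 2      # unknown user
    set -- "$1" $(stat -L -c '%a %u %g' "$2" 2>/dev/null)
    [ $# -eq 4 ] || exit 2                        # path missing
    mode=$((0$2))                                 # parse mode as octal
    if [ "$uid" -eq "$3" ]; then
        echo $(( (mode >> 6) & 7 ))
    elif id -G "$1" | tr ' ' '\n' | grep -qx "$4"; then
        echo $(( (mode >> 3) & 7 ))
    else
        echo $(( mode & 7 ))
    fi
)

# Scripts must not run as root: succeed only for an existing non-root user.
is_non_root() {
    uid=$(id -u "$1" 2>/dev/null) && [ "$uid" -ne 0 ]
}

# USER needs read, write and execute on the scriptExecutionHome directory.
has_rwx() {
    [ -d "$2" ] && bits=$(perm_bits "$1" "$2") && [ "$bits" -eq 7 ]
}

# USER must be able to execute each command the action script calls.
can_exec() {
    bin=$(command -v "$2") && bits=$(perm_bits "$1" "$bin") && [ $((bits & 1)) -ne 0 ]
}

# Usage: preflight USER SCRIPT_EXECUTION_HOME COMMAND...
preflight() {
    user=$1; dir=$2; rc=0; shift 2
    is_non_root "$user" || { echo "FAIL: $user is root or unknown"; rc=1; }
    has_rwx "$user" "$dir" || { echo "FAIL: $user lacks rwx on $dir"; rc=1; }
    for cmd in "$@"; do
        can_exec "$user" "$cmd" || { echo "FAIL: $user cannot execute $cmd"; rc=1; }
    done
    return $rc
}

if [ $# -ge 2 ]; then preflight "$@"; fi
```

Run it on the agent host with the candidate user, the configured `scriptExecutionHome` path and the commands the action script calls (for example `kubectl`); a non-zero exit status means at least one precondition failed.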
Original Message:
Sent: Thu August 29, 2024 02:26 AM
From: Karen Schuster
Subject: Automation Action script with Kubernetes/Openshift Nodes
Hi Eugen,
Yes, I mean the user that is used for the action script sensor. Do you have an example of how to configure it? We can also discuss and test it on a call.
best regards Karen
------------------------------
Karen Schuster
Technology Advocate IT Automation & Observability
SVA System Vertrieb Alexander GmbH
Wiesbaden
Original Message:
Sent: Wed August 28, 2024 09:25 AM
From: Eugen Postea
Subject: Automation Action script with Kubernetes/Openshift Nodes
Hello Karen,
Do you mean the operating system user you have to configure for the action script sensor, or the login user for the Kubernetes cluster?
We are happy to jump on a call to further discuss your use case and share our recommendations with you. Thanks!
Eugen Postea
Senior Software Developer
IBM Instana
------------------------------
Original Message:
Sent: Mon August 26, 2024 03:25 AM
From: Karen Schuster
Subject: Automation Action script with Kubernetes/Openshift Nodes
Hello,
I'm currently testing the possibility to execute a predefined action script from the action catalog on a Kubernetes/Openshift node. In this context I have a question about the user that has to be configured. Which user should be used? Can I use an existing user and, if yes, which user is usable for this use case? Or should I define a new user on all nodes inside of the cluster, and how should this user be created and with which user rights?
Maybe some of you have best practices or good examples of how to implement such a use case.
best regards Karen
------------------------------
Karen Schuster
Technology Advocate IT-Automation & Observability
SVA System Vertrieb Alexander GmbH
Wiesbaden
------------------------------