- Kubernetes - Used to create resources in your K8S cluster
  - Kube Version > 1.10:
    - Instructions to install on cluster version < 1.10 are given below
  - Disk size 50GB per node
- Codefresh - Used to create resources in Codefresh
  - Authenticated context exists under `$HOME/.cfconfig`, or authenticate with the Codefresh CLI
- Download Venona's binary
  - With homebrew:
    - `brew tap codefresh-io/venona`
    - `brew install venona`
- Create the namespace where Venona should run
  - `kubectl create namespace codefresh-runtime`
- Create a new runtime-environment with Venona's agents installed
  - `venona install --kube-namespace codefresh-runtime`
- Get the status
  - `venona status`
  - `kubectl get pods -n codefresh-runtime`
Install on cluster version < 1.10:
- Make sure the `PersistentLocalVolumes` feature gate is turned on
- Venona's agent tries to load the available APIs using the `/openapi/v2` API endpoint. Add this endpoint to the ClusterRole `system:discovery` under `rules[0].nonResourceURLs`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:discovery
rules:
- nonResourceURLs:
  - ...other_resources
  - /openapi
  - /openapi/*
  verbs:
  - get
```

Install on GKE:
- Make sure your user has the `Kubernetes Engine Cluster Admin` role in the Google console
- Bind your user to the `cluster-admin` Kubernetes ClusterRole
  - `kubectl create clusterrolebinding NAME --clusterrole cluster-admin --user YOUR_USER`
Installing Venona on a Kubernetes cluster installs 2 groups of objects. Each one has its own RBAC needs, and therefore its own roles (and cluster-roles) are created. The resource descriptors are available in the Venona repository. List of the resources that will be created:
- Agent (grouped by `/.*.venona.yaml/`)
  - `service-account.venona.yaml` - The service account that the agent's pod will use in the end
  - `cluster-role-binding.venona.yaml` - The agent discovers K8S APIs by calling `openapi/v2`; this ClusterRoleBinding binds the ClusterRole `system:discovery`, bootstrapped by Kubernetes, to `service-account.venona.yaml`. This role only has permission to make GET calls to non-resource URLs
  - `role.venona.yaml` - Allows to GET, CREATE and DELETE pods and persistentvolumeclaims
  - `role-binding.venona.yaml` - The agent spins up pods and PVCs; this binding binds `role.venona.yaml` to `service-account.venona.yaml`
- Runtime-environment (grouped by `/.*.re.yaml/`) - Kubernetes controller that spins up all required resources to provide a good caching experience during pipeline execution
  - `service-account.dind-volume-provisioner.re.yaml` - The service account that the controller will use
  - `cluster-role.dind-volume-provisioner.re.yaml` - Defines all the permissions needed for the controller to operate correctly
  - `cluster-role-binding.dind-volume-provisioner.yaml` - Binds the ClusterRole to `service-account.dind-volume-provisioner.re.yaml`
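As an added example (not part of Venona or this README), a small check that the namespaced Role bound to the agent's service account grants nothing beyond the GET, CREATE and DELETE on pods and persistentvolumeclaims listed above, and nothing less. It assumes the standard Kubernetes RBAC JSON layout and uses a constructed sample Role whose name is a placeholder.

```python
"""Least-privilege check for the agent Role described above (role.venona.yaml).
Input is a Role in the JSON shape of `kubectl get role -n codefresh-runtime NAME -o json`."""
import json
import sys

# Permissions the README documents: GET, CREATE and DELETE on pods and PVCs.
EXPECTED = {
    "pods": {"get", "create", "delete"},
    "persistentvolumeclaims": {"get", "create", "delete"},
}

def expand(rule):
    """Yield (resource, verb) pairs from one RBAC rule, keeping '*' literal."""
    for res in rule.get("resources", []):
        for verb in rule.get("verbs", []):
            yield res, verb.lower()

def excess_permissions(role):
    """Sorted (resource, verb) pairs granted beyond EXPECTED; wildcards are always reported."""
    excess = set()
    for rule in role.get("rules", []):
        for res, verb in expand(rule):
            if res == "*" or verb == "*" or verb not in EXPECTED.get(res, set()):
                excess.add((res, verb))
    return sorted(excess)

def missing_permissions(role):
    """Sorted (resource, verb) pairs EXPECTED requires but the Role does not grant."""
    granted = set()
    for rule in role.get("rules", []):
        for res, verb in expand(rule):
            for exp_res, exp_verbs in EXPECTED.items():
                if res in (exp_res, "*"):
                    granted.update((exp_res, v) for v in exp_verbs if verb in (v, "*"))
    required = {(r, v) for r, verbs in EXPECTED.items() for v in verbs}
    return sorted(required - granted)

# Constructed sample, not one of Venona's templates: the extra "list" verb and
# the secrets rule are deliberate so the check has something to flag.
SAMPLE_ROLE = json.loads("""{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"name": "example-agent-role", "namespace": "codefresh-runtime"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
     "verbs": ["get", "create", "delete", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]}""")

if __name__ == "__main__":
    role = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLE
    print("excess :", excess_permissions(role), "missing:", missing_permissions(role))
```

Pipe `kubectl get role -n codefresh-runtime NAME -o json` into it to review the Role actually applied to the cluster; with no piped input it checks the constructed sample. The same check works for the dind-volume-provisioner ClusterRole after adjusting EXPECTED to the permissions you intend to grant.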
After a successful installation of Venona, you'll be able to run a Codefresh pipeline on the configured cluster.
However, the pipeline itself doesn't have any permission to connect to the hosted cluster.
To make it work you need to add the cluster to Codefresh (make sure the service account has all the permissions you need):
- `codefresh create cluster --kube-context CONTEXT_NAME --namespace NAMESPACE --serviceaccount SERVICE_ACCOUNT --behind-firewall`
To upgrade an existing runtime-environment, one that was created without Venona's agent, run:
- Find the name of the cluster that was linked to that runtime environment
  - Example: `codefresh get cluster`
- Install
  - Example: `venona install --cluster-name CLUSTER`
- Get the status
  - Example: `venona status RUNTIME-ENVIRONMENT`
  - Example: `kubectl get pods -n NAMESPACE`