Similar to how kubectl works, cloudquery depends on a Kubernetes configuration file to connect to a Kubernetes cluster and sync its information.
By default, cloudquery uses the default Kubernetes configuration file (~/.kube/config).
You can also specify a different configuration by setting the KUBECONFIG environment variable before running cloudquery sync.

export KUBECONFIG="<PATH_TO_YOUR_CONFIG_FILE>"

If cloudquery is running in a pod of the Kubernetes cluster, the Kubernetes Service Account can be used for direct authentication. To use the Kubernetes Service Account for direct authentication, a cluster role with all get and list privileges will need to be used:

kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudquery-cluster-read
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list
EOF
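
Bind the cluster role to the service account of the cloudquery pod:

kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudquery-cluster-read-binding
subjects:
- kind: ServiceAccount
  name: cloudquery-sa
  # A ServiceAccount subject requires a namespace; placeholder, not given on this page.
  namespace: <NAMESPACE>
roleRef:
  # roleRef requires the API group of the referenced role.
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudquery-cluster-read
EOF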
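
The cluster role above grants get and list on every resource in every API group, which includes reading Secrets. The following added example (not part of the CloudQuery documentation) applies RBAC resource-rule matching to the page's rules and to a narrower allow-list; the narrower rule set and the list of sensitive resources are constructed assumptions for illustration.

```python
# Added example: match requests against RBAC rules the way Kubernetes does
# for resource rules (verb, apiGroup and resource, with '*' as a wildcard).

# Rules of the cloudquery-cluster-read ClusterRole from this page.
PAGE_ROLE_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]},
    {"nonResourceURLs": ["*"], "verbs": ["get", "list"]},
]

# Constructed alternative (assumption): explicit allow-list for a sync that
# is limited to a few workload resources and leaves Secrets out.
NARROW_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "namespaces", "nodes"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list"]},
]

# Constructed list of (apiGroup, resource) pairs worth flagging in an audit.
SENSITIVE = [("", "secrets"), ("", "configmaps")]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def allows(rules, verb, api_group, resource):
    """Return True if any resource rule grants verb on api_group/resource."""
    for rule in rules:
        if "resources" not in rule:  # nonResourceURLs rule: not applicable
            continue
        if (_matches(rule["verbs"], verb)
                and _matches(rule.get("apiGroups", []), api_group)
                and _matches(rule["resources"], resource)):
            return True
    return False


def sensitive_reads(rules):
    """Return the (verb, apiGroup, resource) reads on SENSITIVE that are granted."""
    checks = [(v, g, r) for v in ("get", "list") for g, r in SENSITIVE]
    return [c for c in checks if allows(rules, *c)]


if __name__ == "__main__":
    for name, rules in (("page role", PAGE_ROLE_RULES),
                        ("narrow role", NARROW_ROLE_RULES)):
        print(name, "->", sensitive_reads(rules) or "no sensitive reads")
```

A narrower role only works if the tables setting of the source spec is restricted to match, since tables: ["*"] asks the plugin to read everything.
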

kind: source
spec:
  # Source spec section
  name: k8s
  path: cloudquery/k8s
  registry: cloudquery
  version: "v7.9.7"
  tables: ["*"]
  destinations: ["postgresql"]
  # Learn more about the configuration options at https://cql.ink/k8s_source
  spec:
    contexts: ["context"]

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  version: v7.3.8
  tables:
    - "*"
  spec:
    providers:
      - cluster: eks-cluster-name
        aws:
          region: us-east-1
          role_arn: arn:aws:iam::111111111111:role/cross-account-readonly-role

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  version: "v7.9.7"
  tables:
    - "*"
  spec:
    providers:
      - cluster: cluster-name
        azure:
          # service principal details:
          client_id: service-pricipal-app-id
          tenant_id: service-pricipal-tenant
          client_secret: service-pricipal-password
          # k8s cluster details:
          subscription_id: subscription-id
          resource_group_name: resource-group-name

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  version: "v7.9.7"
  tables:
    - "*"
  spec:
    providers:
      - cluster: gcp-cluster-name
        gcp:
          project_id: project-id
          location: us-central1
          service_account_key_json: |
            ${SERVICE_ACCOUNT_JSON_KEY}
          authenticate_gcloud: true

contexts ([]string) (optional) (default: empty. Will use the default context from K8s's config file)
    * will connect to all contexts available in the K8s config file (usually ~/.kube/config).
concurrency (integer) (optional) (default: 5000)
scheduler (string) (optional) (default: dfs)
    The scheduler to use when determining the priority of resources to sync. Supported values are dfs (depth-first search), round-robin, shuffle and shuffle-queue.
providers ([]Provider) (optional) (default: empty.)

cluster (string) (required)
aws (AWSSpec) (optional)
gcp (GCPSpec) (optional)
azure (AzureSpec) (optional)

region (string) (required)
role_arn (string) (optional)
external_id (string) (optional)

project_id (string) (required)
location (string) (required)
service_account_key_json (string) (required)
authenticate_gcloud (bool) (optional)
    gcloud auth activate-service-account --key-file=<JSON_FILE>

subscription_id (string) (required)
resource_group_name (string) (required)
client_id (string) (required)
tenant_id (string) (required)
client_secret (string) (optional)
oidc_token (string) (optional)
    client_secret.
cloud_name (string) (optional)
    AzureCloud, AzureChinaCloud, AzureGovernment.

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  registry: cloudquery
  version: "v7.9.7-fips"
  ...