Kubernetes

Integrating Kubernetes with Escape's Inventory enables discovery of services (including those managed by Istio) running on your Kubernetes clusters.

Discovered resources¶

Escape discovers and monitors the following Kubernetes and Istio resources:

Kubernetes:

• Services
• Ingresses

Istio (optional):

• VirtualServices
• Gateways
• DestinationRules

These resources are analyzed to identify APIs, routes, and service dependencies, then displayed in the Services section of the inventory.

Installation with Helm¶

1. Create a Private Location on Escape¶

See Private Location as a Kubernetes deployment to learn how to create a Private Location on Escape and get the repeater-id.

2. Download the Helm Chart¶

helm repo add escape https://escape-technologies.github.io/repeater/
helm repo update

3. Deploy the Helm Chart¶

helm install escape-test-helm escape/escape-repeater --set ESCAPE_REPEATER_ID=<your-repeater-id>

Installation with Kubernetes Manifest¶

1. Enable the Kubernetes integration¶

Enable the Kubernetes integration by setting up a Private Location as a Kubernetes deployment. This provides connectivity to your cluster resources from within your environment.

2. Create a Service Account and ClusterRoleBinding¶

Create a Service Account and corresponding RBAC rules that grant Escape access to the cluster resources you want to monitor, including Istio objects if needed. Here is a sample YAML (replace default with the namespace where you deploy Escape):

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: escape-repeater
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: escape-repeater
rules:
  # Allow listing and getting namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
  # Allow listing and getting services
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list"]
  # Allow listing and getting ingresses
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list"]
  # Allow listing and getting Istio resources (optional)
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices", "gateways", "destinationrules"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: escape-repeater
subjects:
  - kind: ServiceAccount
    name: escape-repeater
    namespace: default # the namespace where the ServiceAccount is created
roleRef:
  kind: ClusterRole
  name: escape-repeater
  apiGroup: rbac.authorization.k8s.io

Finally, add serviceAccountName: escape-repeater to the spec section of your deployment to bind the Service Account to the pod.

3. Bind the Service Account to Your Deployment¶

Finally, configure your Deployment (or DaemonSet) to use the escape-repeater Service Account. In your .spec section, add:

serviceAccountName: escape-repeater

This ensures that your Escape Repeater pod is granted the appropriate permissions to discover and monitor both native Kubernetes and Istio resources.