Accessing KubeArchive

This document explains how to access KubeArchive after installing it in your cluster.

This document only covers the basic development scenario; the process may be different for a production cluster.

Port Forward KubeArchive

After installing, KubeArchive creates different services. Use kubectl to forward the port of the KubeArchive API:

kubectl port-forward -n kubearchive svc/kubearchive-api-server 8081:8081

Authentication and Authorization

KubeArchive delegates authentication and authorization to the Kubernetes RBAC service. To retrieve resources from KubeArchive, you need to pass an identity when you make a request. The easiest way is to use a service account. Create one and assign it permissions, then confirm the result with kubectl auth can-i, for example:

kubectl create serviceaccount \
    kubearchive-view --namespace default

kubectl create role kubearchive-view-pods \
    --verb=get,list --resource=pods --namespace default

kubectl create rolebinding kubearchive-view-pods \
    --serviceaccount=default:kubearchive-view \
    --role=kubearchive-view-pods --namespace default

kubectl auth can-i list pods \
    --as=system:serviceaccount:default:kubearchive-view --namespace default

Query KubeArchive

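After creating the service account and configuring its access, generate a token and use it to query KubeArchive. The --insecure flag makes curl skip TLS certificate verification, which is only appropriate for this local development setup: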

$ export SA_TOKEN=$(kubectl create token kubearchive-view --namespace default)
$ curl --insecure \
    -H "Authorization: Bearer ${SA_TOKEN}" \
    https://localhost:8081/api/v1/namespaces/default/pods

{"apiVersion":"v1","items":null,"kind":"List","metadata":{"continue":"","resourceVersion":""}}

Query KubeArchive with the CLI

Follow the instructions in kubectl-ka Plugin Installation to install and start using the CLI instead of manually querying the KubeArchive API.

Deploy the following ConfigMap, Role and RoleBinding to make the API endpoint discoverable for every authenticated user. The Role only grants get on that single ConfigMap. The CLI automatically tries to read the ConfigMap and configures itself from it.

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubearchive-configmap-url-reader
  namespace: kubearchive
rules:
  - apiGroups:
      - ""  # core API group, where ConfigMaps live
    resources:
      - configmaps
    resourceNames:
      - kubearchive-api-url
    verbs:
      - get
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubearchive-configmap-url-reader
  namespace: kubearchive
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubearchive-configmap-url-reader
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kubearchive-api-url
  namespace: kubearchive
data:
  URL: https://kubearchive-url:443  # Update it with the proper URL based on the ingress controller used to expose the kubearchive-api-server Service.
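
To see what the Role above exposes to system:authenticated, the following added example (not KubeArchive or Kubernetes code) models RBAC rule matching in Python and evaluates a few requests against it. The rule data is constructed from the manifest above, and subresources and non-resource URLs are left out as a simplification.

```python
# Added example: a minimal model of how Kubernetes RBAC matches one request
# against the rules of a Role. Not KubeArchive or Kubernetes code.

# Constructed from the Role on this page. ConfigMaps live in the core API
# group, which RBAC rules spell as the empty string "".
URL_READER_RULES = [
    {
        "apiGroups": [""],
        "resources": ["configmaps"],
        "resourceNames": ["kubearchive-api-url"],
        "verbs": ["get"],
    }
]


def _matches(allowed, value):
    """True if the rule list contains the value or the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """Apply one PolicyRule to a request for a namespaced resource."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means "any name". A non-empty list only
    # matches requests that carry one of the listed names, so requests
    # without a name (list, for example) never match.
    return not names or name in names


def role_allows(rules, verb, api_group, resource, name=""):
    """RBAC is purely additive: one matching rule is enough to allow."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


if __name__ == "__main__":
    checks = [
        ("get", "", "configmaps", "kubearchive-api-url"),
        ("get", "", "configmaps", "some-other-configmap"),
        ("list", "", "configmaps", ""),
        ("get", "", "secrets", "kubearchive-api-url"),
    ]
    for verb, group, resource, name in checks:
        ok = role_allows(URL_READER_RULES, verb, group, resource, name)
        print(f"{'allow' if ok else 'deny':5} {verb} {resource}/{name or '*'}")
```

Only the first request is allowed. On a live cluster, kubectl auth can-i with --as and --namespace kubearchive answers the same questions against the real authorizer.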

Next steps

Continue reading Configuring KubeArchive to learn how to use KubeArchive to archive and delete resources.