Cloud provider service keys can be used in various aspects of the Kubecost installation. This includes configuring integrating your cloud provider billing data with Kubecost, setting up multi-cluster environments, and backing up ETL data. While automated IAM authentication via a Kubernetes service account like AWS IRSA is recommended, there are some scenarios where key-based authentication is preferred. When this method is used, rotating the keys at a pre-defined interval is a security best practice. Combinations of these features can be used, and therefore you may need to follow one or more of the below steps.
There are multiple methods for adding cloud provider keys to Kubecost when configuring a cloud integration. This article will cover all three procedures. Be sure to use the same method that was used during the initial installation of Kubecost when rotating keys. See the Cloud Integrations doc for additional details.
The preferred and most common is via the multi-cloud cloud-integration.json Kubernetes secret.
The second method is to define the appropriate secret in Kubecost's values.yaml.
The final method to configure keys is via the Kubecost Settings page.
The primary sequence for setting up your key is:
Modify the appropriate Kubernetes secret, Helm value, or update via the Settings page.
Restart the Kubecost cost-analyzer
pod.
Verify the new key is working correctly. Any authentication errors should be present early in the cost-model
container logs from the cost-analyzer
pod. Additionally, you can check the status of the cloud integration in the Kubecost UI via Settings > View Full Diagnostics.
There are two methods for enabling multi-clustering in Kubecost:
Depending on which method you are using, the key rotation process differs.
With Federated ETL objects, storage keys can be provided in two ways. The preferred method is using the secret defined by the Helm value .Values.kubecostModel.federatedStorageConfigSecret
. The alternate method is to re-use the ETL backup secret defined with the .Values.kubecostModel.etlBucketConfigSecret
Helm value.
Update the appropriate Kubernetes secret with the new key on each cluster.
Restart the Kubecost cost-analyzer
pod.
Restart the Kubecost federator
pod.
Verify the new key is working correctly by checking the cost-model
container logs from the cost-analyzer
pod for any object storage authentication errors. Additionally, verify there are no object storage errors in the federator
pod logs.
Thanos federation makes use of the kubecost-thanos
Kubernetes secret as described here.
Update the kubecost-thanos
Kubernetes secret with the new key on each cluster.
Restart the prometheus
server pod installed with Kubecost on all clusters (including the primary cluster) that write data to the Thanos object store. This will ensure the Thanos sidecar has the new key.
On the primary Kubecost cluster, restart the thanos-store
pod.
Verify the new key is working correctly by checking the thanos-sidecar
logs in the prometheus
server pods for authentication errors to ensure they are able to write new block data to the object storage.
Verify the new key is working correctly by checking thanos-store
pod logs on the primary cluster for authentication errors to ensure it is able to read block data from the object storage.
ETL backups rely on the secret defined by the Helm value .Values.kubecostModel.etlBucketConfigSecret
. More details can be found on the ETL backup page.
Modify the appropriate Kubernetes secret.
Restart the Kubecost cost-analyzer
pod.
Verify the backups are still being written to the object storage.