Escalator can run either inside or outside the cluster, but running it inside the cluster is highly recommended. It can be run in the `kube-system` namespace.
Escalator provides integration for the following cloud providers:
- AWS - see documentation
  - Permissions
  - AWS Credentials
  - ASG Configuration
  - Common issues, caveats and gotchas
When running inside the cluster, Escalator uses the following to access the Kubernetes API:

```go
config, err := rest.InClusterConfig() // from k8s.io/client-go/rest
```

`rest.InClusterConfig()` uses the service account token mounted into the pod at `/var/run/secrets/kubernetes.io/serviceaccount` to authenticate to the Kubernetes API. See Authenticating inside the cluster. Because the token belongs to whichever service account the pod runs as, the pod must be deployed with the Escalator service account rather than the namespace's `default` one, or the permissions below will not apply.

Escalator needs permission to get, list and watch pods, and to get, list, watch, update, patch and delete nodes. See the RBAC section below for setting up the service account, cluster role and cluster role binding.
To run Escalator outside of the cluster, use the `--kubeconfig=` flag to specify the path to a kubeconfig file, for example `--kubeconfig=~/.kube/config`.
To function correctly, Escalator needs a service account with the following permissions (and no more; it has no need to read secrets or create nodes):
- pods: watch, list, get
- nodes: update, patch, watch, list, get, delete
To create the service account, cluster role and cluster role binding, run:

```sh
kubectl create -f escalator-rbac.yaml
```
It is recommended to provide the node groups configuration by mounting `nodegroups_config.yaml` into the pod as a ConfigMap. To create the ConfigMap from an example `nodegroups_config.yaml`, run:

```sh
kubectl create -f escalator-cm.yaml
```
This deployment references the RBAC service account and the ConfigMap created above (via `serviceAccountName` and a ConfigMap volume), so both must exist before it is applied. To create the deployment, run:

```sh
kubectl create -f escalator-deployment.yaml
```

See the Cloud Provider documentation for deployments specific to a cloud provider.
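The three manifests above, written out end to end as an added example that is not copied from the Escalator repository. The RBAC rules are exactly the verbs listed in this section; the image name `atlassian/escalator`, the `--nodegroups` flag, the mount path under `/opt/conf/nodegroups` and the node group keys inside the ConfigMap are assumptions for illustration, as is the assumption that the image can run as a non-root user. Check them against the cloud provider documentation before applying.

```yaml
# Combined escalator-rbac.yaml, escalator-cm.yaml and escalator-deployment.yaml.
# Assumptions (not from the Escalator docs): image name, --nodegroups flag,
# mount path and the node group keys are illustrative only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: escalator
  namespace: kube-system
---
# Nodes are cluster-scoped, so this must be a ClusterRole rather than a Role.
# The verbs are the exact set Escalator needs: no create on nodes, nothing on secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: escalator
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: escalator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: escalator
subjects:
- kind: ServiceAccount
  name: escalator
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: escalator-config
  namespace: kube-system
data:
  nodegroups_config.yaml: |
    # Illustrative node group; the keys are assumed, see the configuration docs.
    node_groups:
      - name: "default"
        label_key: "customer"
        label_value: "shared"
        min_nodes: 1
        max_nodes: 30
        dry_mode: true   # assumed key: observe decisions before letting it remove nodes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: escalator
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: escalator
  template:
    metadata:
      labels:
        app: escalator
    spec:
      # Without serviceAccountName the pod gets the namespace's "default" SA
      # and the ClusterRoleBinding above never applies to it.
      serviceAccountName: escalator
      # rest.InClusterConfig() reads the token this mounts at
      # /var/run/secrets/kubernetes.io/serviceaccount
      automountServiceAccountToken: true
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534          # assumes the image can run as a non-root user
      containers:
      - name: escalator
        image: atlassian/escalator   # assumed image name
        args:
        - --nodegroups=/opt/conf/nodegroups/nodegroups_config.yaml   # assumed flag and path
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: nodegroups
          mountPath: /opt/conf/nodegroups
          readOnly: true
      volumes:
      - name: nodegroups
        configMap:
          name: escalator-config
```

After applying the file, confirm the binding took effect and stays within the listed verbs by impersonating the service account: `kubectl auth can-i delete nodes --as=system:serviceaccount:kube-system:escalator` should answer `yes`, while `kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:kube-system:escalator` and `kubectl auth can-i create nodes --as=system:serviceaccount:kube-system:escalator` should both answer `no`. If the first check answers `no`, the usual cause is a pod running as the `default` service account or a ClusterRoleBinding whose subject namespace does not match the pod's.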