Connecting Kubernetes Visibility Agent (formerly CNO for Visibility) using the OAuth Protocol

A Kubernetes Visibility Agent deployment includes a pod that runs in the Kubernetes cluster and reports to the ServiceNow instance. By default, this pod authenticates using basic authentication. However, it can be configured to use the OAuth protocol. OAuth 2.0 is considered more secure than basic authentication because the user's credentials are not sent on every call. Instead, the instance issues an access token with an expiry time.

We can use OAuth 2.0 in one of the following ways:
- Internal provider: credentials are validated by the ServiceNow instance
- External OIDC provider: credentials are validated by an external provider

The OAuth Flow using Internal Provider

The flow is described in the diagram below. The CNO pod (a.k.a. informer) first sends a request with user, password, client_id and client_secret. The instance responds with an access token and a refresh token. From then on only the access token is sent, until it is about to expire. At that point the refresh token is sent and we obtain a new access token. When the refresh token expires, we send the full credentials again and obtain new tokens.
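The token lifecycle described above, as an added example (this is not code from the Kubernetes Visibility Agent or from ServiceNow): a small Python token manager that sends the full credentials once, then reuses the access token, refreshes it shortly before it expires, and falls back to the full credentials when the refresh token has expired or is rejected. The "password" and "refresh_token" grant types, the 30-second renewal skew and the refresh-token lifespan passed in by the caller are assumptions; FakeTokenEndpoint, CREDS and simulate() are constructed so the flow can be run offline on a simulated clock.

```python
"""Client-side token lifecycle for the informer's internal-provider OAuth flow."""
import time
from typing import Callable, Dict, List, Optional, Tuple


class TokenRequestError(Exception):
    """The token endpoint rejected the grant (e.g. invalid_grant)."""


class InformerTokenManager:
    def __init__(self, creds: Dict[str, str], post_token: Callable[[dict], dict],
                 refresh_lifespan: float, now: Callable[[], float] = time.time, skew: float = 30.0):
        self.creds = creds                # user, password, client_id, client_secret
        self.post_token = post_token      # POSTs the form to the instance token endpoint
        self.refresh_lifespan = refresh_lifespan  # assumed: configured on the instance side
        self.now, self.skew = now, skew   # skew: renew this many seconds before expiry
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.access_expires_at = self.refresh_expires_at = 0.0
        self.grants_used: List[str] = []  # audit trail of the grants sent

    def _full_grant(self) -> None:
        """Step 1: user, password, client_id and client_secret are sent together."""
        resp = self.post_token({"grant_type": "password", "username": self.creds["user"],
                                "password": self.creds["password"], "client_id": self.creds["client_id"],
                                "client_secret": self.creds["client_secret"]})
        self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]
        self.access_expires_at = self.now() + resp["expires_in"]
        self.refresh_expires_at = self.now() + self.refresh_lifespan
        self.grants_used.append("password")

    def _refresh_grant(self) -> None:
        """Step 2: only the refresh token plus client credentials; no user password."""
        resp = self.post_token({"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                                "client_id": self.creds["client_id"],
                                "client_secret": self.creds["client_secret"]})
        self.access_token = resp["access_token"]
        self.access_expires_at = self.now() + resp["expires_in"]
        self.grants_used.append("refresh_token")

    def get_access_token(self) -> str:
        """Reuse the access token, refresh it, or fall back to the full credentials."""
        t = self.now()
        if self.access_token is None or t >= self.refresh_expires_at - self.skew:
            self._full_grant()            # first call, or the refresh token has expired
        elif t >= self.access_expires_at - self.skew:
            try:
                self._refresh_grant()     # access token about to expire
            except TokenRequestError:
                self._full_grant()        # refresh token revoked on the instance
        return self.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the instance's token endpoint so the demo runs offline."""

    def __init__(self, valid: Dict[str, str], now: Callable[[], float],
                 access_lifespan: int = 1800, refresh_lifespan: int = 7200):
        self.valid, self.now = valid, now
        self.access_lifespan, self.refresh_lifespan = access_lifespan, refresh_lifespan
        self.refresh_tokens: Dict[str, float] = {}  # issued refresh token -> expiry
        self.issued = 0                             # serial number of issued tokens

    def __call__(self, form: dict) -> dict:
        if form["grant_type"] == "password":
            if any(form.get(f) != self.valid[k] for f, k in (("username", "user"),
                   ("password", "password"), ("client_id", "client_id"), ("client_secret", "client_secret"))):
                raise TokenRequestError("invalid_grant")
            self.issued += 1
            refresh = f"refresh-{self.issued}"
            self.refresh_tokens[refresh] = self.now() + self.refresh_lifespan
        elif form["grant_type"] == "refresh_token":
            refresh = form["refresh_token"]
            expiry = self.refresh_tokens.get(refresh)
            if expiry is None or self.now() >= expiry:
                raise TokenRequestError("invalid_grant")
            self.issued += 1
        else:
            raise TokenRequestError("unsupported_grant_type")
        return {"access_token": f"access-{self.issued}", "refresh_token": refresh,
                "expires_in": self.access_lifespan, "token_type": "Bearer"}


CREDS = {"user": "k8s_user", "password": "example-password",  # constructed sample values
         "client_id": "CLIENT_ID", "client_secret": "CLIENT_SECRET"}


def simulate(steps: int = 25, step_seconds: int = 600,
             revoke_at: Optional[int] = None) -> Tuple[List[str], List[str]]:
    """Report every step_seconds on a simulated clock; return (grants sent, tokens used)."""
    clock = [0.0]
    endpoint = FakeTokenEndpoint(CREDS, lambda: clock[0], access_lifespan=1800, refresh_lifespan=7200)
    mgr = InformerTokenManager(CREDS, endpoint, refresh_lifespan=7200, now=lambda: clock[0])
    used = []
    for step in range(steps):
        if step == revoke_at:
            endpoint.refresh_tokens.clear()   # e.g. an admin revoked the informer's tokens
        used.append(mgr.get_access_token())   # one report to the instance per step
        clock[0] += step_seconds
    return mgr.grants_used, used
```

With a 30-minute access token and a 2-hour refresh token, simulate() sends the password grant at t=0, three refresh grants, then the password grant again when the refresh token runs out, and so on; simulate(steps=4, revoke_at=3) shows the fallback when the instance no longer accepts the refresh token. In a real deployment post_token would POST the form to the instance's token endpoint over TLS and return the JSON body, and grants_used is the client-side trail to compare with the instance: a password grant appearing between refreshes means a refresh token was rejected.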
Setting Up the Instance

In order to connect to the instance using OAuth, you need to navigate to "Application Registries", add a record and get the "Client ID" and "Client Secret". For more details refer to the ServiceNow official documentation.

Installing the Informer

When creating the instance credentials secret, in addition to the user and password, you need to pass the client ID and client secret obtained on the instance. In the following command replace INSTANCE_NAME, NAMESPACE, USERNAME, PASSWORD, CLIENT_ID and CLIENT_SECRET:

kubectl create secret generic k8s-informer-cred-INSTANCE_NAME --from-literal=.user=USERNAME --from-literal=.password=PASSWORD --from-literal=.client_id=CLIENT_ID --from-literal=.client_secret=CLIENT_SECRET -n NAMESPACE

Alternatively, you can provide the credentials in the Helm command:

helm install -n NAMESPACE --set acceptEula=Y --set instance.name=INSTANCE_NAME --set clusterName="CLUSTER_NAME" --set instanceCredentials.username=USERNAME --set instanceCredentials.password=PASSWORD --set instanceCredentials.clientId=CLIENT_ID --set instanceCredentials.clientSecret=CLIENT_SECRET k8s-informer HELM_CHART_URL

The OAuth Flow using External OIDC Provider

Create a User

Create a user with at least the mid_server role. There is no need to define a password. In the following screenshots, the user_id would be k8s_user.

Create an OIDC Provider Configuration

Navigate to oidc_provider_configuration.list and create a new record:
- OIDC Provider: <Your choice of name>
- OIDC Metadata URL: http://<Public IP>/.well-known/openid-configuration
- User Claim: user_name
- User Field: User ID
- OIDC Configuration Cache Life Span: 120

Create an Application Registry Entity

Navigate to System OAuth -> Application Registry and create a new record with type "Configure an OIDC provider to verify ID tokens". The Client ID should be the user_id created in the previous steps. The Client Secret is a value of your choice.
Record this value, as it will be used in the informer configuration. The OIDC provider configuration is the record created in the previous steps.

Installing the Informer

When creating the instance credentials secret, you need to pass the client ID and the client secret. There is no need to provide a username and password:

kubectl create secret generic k8s-informer-cred-INSTANCE_NAME --from-literal=.client_id=CLIENT_ID --from-literal=.client_secret=CLIENT_SECRET -n NAMESPACE

In addition, we need to provide the OIDC provider URL:
- When using the Helm chart, add the parameter --set oauth.tokenUrl=http://oidc_provider_address/token
- When using k8s_informer.yaml, set the URL in the environment variable OAUTH_TOKEN_URL
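Before installing the informer against an external provider, a preflight check of the OIDC settings against what the provider actually advertises catches the usual mismatches. This is an added example, not part of the agent or of the instance: it parses a constructed discovery document (the JSON a provider serves at the OIDC Metadata URL) and compares it with the token URL given to oauth.tokenUrl / OAUTH_TOKEN_URL and with the User Claim of the OIDC provider configuration record. The host names are placeholders, and the individual checks (token_endpoint must match, https scheme, the claim being advertised, no unsigned ID tokens) are this example's own choices.

```python
"""Preflight check of an OIDC provider's discovery document against the OIDC settings."""
import json
from typing import List
from urllib.parse import urlparse

# Constructed discovery document, as a provider would serve it at the OIDC Metadata URL
# (<issuer>/.well-known/openid-configuration). Host names are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://oidc.example.test",
    "token_endpoint": "https://oidc.example.test/token",
    "jwks_uri": "https://oidc.example.test/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "user_name", "email"],
})


def check_oidc_settings(discovery_json: str, token_url: str, user_claim: str) -> List[str]:
    """Return the inconsistencies found (empty list: settings agree with the provider).

    token_url is the value given to --set oauth.tokenUrl=... or OAUTH_TOKEN_URL;
    user_claim is the "User Claim" of the OIDC provider configuration record.
    """
    doc = json.loads(discovery_json)
    problems: List[str] = []
    for key in ("issuer", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document has no '{key}'")
    if "token_endpoint" in doc and doc["token_endpoint"] != token_url:
        problems.append(f"token URL {token_url!r} differs from advertised "
                        f"token_endpoint {doc['token_endpoint']!r}")
    if urlparse(token_url).scheme != "https":
        problems.append("token URL is not https: client secret and tokens travel in clear")
    if "issuer" in doc and urlparse(doc["issuer"]).scheme != "https":
        problems.append("issuer is not https")
    claims = doc.get("claims_supported")  # optional in discovery; checked only when present
    if claims is not None and user_claim not in claims:
        problems.append(f"user claim {user_claim!r} is not among claims_supported {claims}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ('none') ID tokens; confirm they are rejected")
    return problems


if __name__ == "__main__":
    for problem in check_oidc_settings(SAMPLE_DISCOVERY,
                                       "http://oidc_provider_address/token", "user_name"):
        print("-", problem)
```

Run with the placeholder URL from the Helm parameter above, the check reports two problems (plain http, and a token URL that is not the provider's advertised token_endpoint); with an https provider and the token URL copied from token_endpoint, the list is empty. A User Claim that the provider does not list in claims_supported is reported as well, since the instance maps that claim to the User ID field.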