{{ t('The plugin requires an API server URL (`--server`) and a **service account token** (`--token` or `--token-file`).') }}
{{ t('The recommended way is to create a **ServiceAccount** with minimal RBAC permissions.') }}

kubectl create namespace monitoring
kubectl create serviceaccount k8s-checker -n monitoring

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-checker
rules:
- apiGroups: [""]
  resources: ["nodes","pods","endpoints","events"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["deployments","daemonsets"]
  verbs: ["get","list","watch"]

kubectl apply -f k8s-checker-role.yaml

kubectl create clusterrolebinding k8s-checker-binding   --clusterrole=k8s-checker   --serviceaccount=monitoring:k8s-checker

{{ t('Get the token:') }}

{{ t('For Kubernetes v1.24+ (new `service-account-token` secret):') }}

kubectl create token k8s-checker -n monitoring > token.txt

SECRET=$(kubectl get sa k8s-checker -n monitoring -o jsonpath='{.secrets[0].name}')
kubectl get secret $SECRET -n monitoring -o jsonpath='{.data.token}' | base64 -d > token.txt

./check_k8s_oitc.py nodes   --server https://k8s.example.org:6443   --token-file token.txt --insecure

{{ t('Configuration Wizard: Kubernetes') }}

{{ t('Kubernetes Settings') }}

{{ t('Kubernetes Endpoint Services') }}