
DKP Insights Setup and Configuration

This section describes how to enable DKP Insights in DKP Essential or DKP Enterprise, and how to grant user permissions.

Enable DKP Insights Engine in a Non-Air-Gapped Environment

Follow these steps:

  1. Set the DKP version:

    export DKP_VERSION=v2.5.0

  2. Add DKP Insights Engine Addon by applying the following YAML from the CLI:

    kubectl apply -f - <<EOF
    apiVersion: source.toolkit.fluxcd.io/v1beta1
    kind: GitRepository
    metadata:
      name: insights-catalog-applications
      namespace: kommander
      labels:
        kommander.d2iq.io/gitapps-gitrepository-type: dkp
        kommander.d2iq.io/workspace-default-catalog-repository: "true"
    spec:
      interval: 1m0s
      ref:
        tag: ${DKP_VERSION}
      timeout: 20s
      url: https://github.com/mesosphere/insights-catalog-applications
    EOF

    This grants all Attached clusters the ability to enable the Insights Engine, and to display DKP Insights under Applications.

  3. See Deployment of Catalog Applications in Workspaces to deploy Insights Engine.

Ensure the Insights Engine version you deploy is compatible with the DKP version.

Enable DKP Insights Engine in an Air-gapped Environment

Follow these steps:

  1. Complete Install Air-gapped Kommander with DKP Insights and DKP Catalog Applications.

  2. Complete Deployment of Catalog Applications in Workspaces to deploy Insights Engine.

Disable DKP Insights Management

The DKP Insights Management component can be disabled using the instructions for configuring a Kommander installation.

  1. Initialize a default configuration file:

    dkp install kommander --init > kommander.yaml

  2. Delete or comment out the line containing dkp-insights-management: null:

    apiVersion: config.kommander.mesosphere.io/v1alpha1
    kind: Installation
    apps:
      # Sections omitted...
      dkp-insights-management: null # Delete or comment out this line.
      # Sections omitted...

  3. Install Kommander using the updated configuration file:

    dkp install kommander --installer-config kommander.yaml

Grant View Rights to Users

Only admin users have access to the Insights section of the DKP UI and to the detailed alert view by default.

To allow additional users and user groups to view these Insights resources, create roles that include rights to view them. Then, assign these roles to users or user groups.

Access control to both Insights summary cards and Insights Alert Details is enforced through Kubernetes RBAC, based on the namespace to which the Insight Alert is tied.

Workspace-based Access Control

Create a Role with View Rights to Summary Cards - Workspace-based Access Control

When assigned, this role allows users and user groups to view the summary table of all DKP Insights alerts for all workspaces and projects.

  1. Select the Management Cluster Workspace. The workspace selector is located at the top navigation bar. (Option available for Enterprise customers only)

  2. Select Administration > Access Control in the sidebar menu.

  3. Select Create Role, and add a Role Name.

  4. Select DKP Role, as you are providing access to DKP UI resources.

  5. Select + Add Rule in the Rules section.

  6. Enter the following information:

      Field            Value
      Resources        insights
      Resource Names   [Leave this field empty]
      API Groups       dkp-insights.d2iq.io
      Verbs            get, list and watch

  7. Select Save to exit the rule configuration window and Save again to create the new role.

Now, assign the role you created to a user group.

  1. Assign the roles you created to a user group as explained in Workspace Role Bindings.

It will take a few minutes for the resource to be created.

 

Create a Role with View Rights to Insights Alert Details - Workspace-based Access Control

This role, when assigned to a user or user group, allows them to view alert details for an alert generated in a specific workspace.

  1. Select the workspace for which you want to grant view rights. The workspace selector is located at the top navigation bar. (Option available for Enterprise customers only)

  2. Select Administration > Access Control in the sidebar menu.

  3. Select the Cluster Roles tab, and Create Role.

  4. Provide a name for the role.

  5. Select Cluster Role, as you are providing access to Insights resources across clusters.

  6. Select + Add Rule in the Rules section.

  7. Enter the following information:

      Field              Value
      Select Rule Type   Resources
      Resources          insights, rca, solutions
      Resource Names     [Leave this field empty]
      API Groups         virtual.backend.dkp-insights.d2iq.io
      Verbs              get

  8. Select Save to exit the rule configuration window and Save again to create the new role.

Now, assign the role you created to a user group.

  1. Assign the role you created to a user group as explained in Workspace Role Bindings.

  2. If you want to grant view rights to the alert details for clusters in another Workspace, repeat the same procedure on a per-Workspace basis.

  • It will take a few minutes for the resource to be created.

  • insights, rca, and solutions are virtual resources and are not listed as Kubernetes API resources.

 

Project-based Access Control

Create a Role with View Rights to Summary Cards - Project-based Access Control

When assigned, this role allows users and user groups to view the summary table of all DKP Insights alerts for all workspaces and projects.

  1. Select the Management Cluster Workspace. The workspace selector is located at the top navigation bar. (Option available for Enterprise customers only)

  2. Select Projects in the sidebar menu. Select or create a Project for which you want to create a role.

  3. Select the Roles tab > Create Role.

  4. Select DKP Role, as you are providing access to DKP UI resources, and add a Role Name.

  5. Select + Add Rule in the Rules section.

  6. Enter the following information:

      Field            Value
      Resources        insights
      Resource Names   [Leave this field empty]
      API Groups       dkp-insights.d2iq.io
      Verbs            get, list and watch

  7. Select Save to exit the rule configuration window and Save again to create the new role.

Now, assign the role you created to a user group.

  1. Assign the roles you created to a user group as explained in Project Role Bindings.

It will take a few minutes for the resource to be created.

 

Create a Role with View Rights to Insights Alert Details - Project-based Access Control

This role, when assigned to a user or user group, allows them to view alert details for an alert generated in a specific project.

  1. Select the workspace for which you want to grant view rights. The workspace selector is located at the top navigation bar. (Option available for Enterprise customers only)

  2. Select Projects in the sidebar menu. Select or create a Project for which you want to create a role.

  3. Select the Roles tab > Create Role, and assign a name to the role.

  4. Select Role, as you are providing access to Insights resources across clusters.

  5. Select + Add Rule in the Rules section.

  6. Enter the following information:

      Field              Value
      Select Rule Type   Resources
      Resources          insights, rca, solutions
      Resource Names     [Leave this field empty]
      API Groups         virtual.backend.dkp-insights.d2iq.io
      Verbs              get

  7. Select Save to exit the rule configuration window and Save again to create the new role.

Now, assign the role you created to a user group.

  1. Assign the role you created to a user group as explained in Project Role Bindings.

  2. If you want to grant view rights to the alert details for clusters in another Workspace, repeat the same procedure on a per-Workspace basis.

  • It will take a few minutes for the resource to be created.

  • insights, rca, and solutions are virtual resources and are not listed as Kubernetes API resources.
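To confirm that the roles from the workspace-based and project-based procedures above stay view-only, the following added example (not part of the DKP documentation or product) audits role objects against the rule tables on this page. It assumes the roles created in the UI appear as Kubernetes Role or ClusterRole objects carrying those API groups, resources and verbs; the role names and the sample input are constructed.

```python
import json

# View-only grants taken from the rule tables on this page: API group -> (resources, verbs).
VIEW_ONLY = {
    "dkp-insights.d2iq.io": ({"insights"}, {"get", "list", "watch"}),
    "virtual.backend.dkp-insights.d2iq.io": ({"insights", "rca", "solutions"}, {"get"}),
}

def audit_roles(role_list):
    """Return sorted (role, api_group, problem) tuples for rules that exceed view rights."""
    findings = set()
    for role in role_list.get("items", []):
        meta = role["metadata"]
        name = "/".join([role["kind"], meta.get("namespace", "-"), meta["name"]])
        for rule in role.get("rules") or []:
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            for group, (view_res, view_verbs) in VIEW_ONLY.items():
                in_group = group in groups or "*" in groups
                reaches = "*" in resources or resources & view_res
                if not (in_group and reaches):
                    continue  # rule does not touch Insights resources in this group
                if "*" in groups or "*" in resources:
                    findings.add((name, group, "wildcard apiGroups or resources"))
                extra = verbs - view_verbs
                if extra:
                    findings.add((name, group, "extra verbs: " + ",".join(sorted(extra))))
    return sorted(findings)

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "insights-details-view"},
  "rules": [{"apiGroups": ["virtual.backend.dkp-insights.d2iq.io"],
             "resources": ["insights", "rca", "solutions"], "verbs": ["get"]}]},
 {"kind": "Role", "metadata": {"name": "insights-summary-view", "namespace": "demo-project"},
  "rules": [{"apiGroups": ["dkp-insights.d2iq.io"],
             "resources": ["insights"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "Role", "metadata": {"name": "insights-editor", "namespace": "demo-project"},
  "rules": [{"apiGroups": ["dkp-insights.d2iq.io"],
             "resources": ["insights"], "verbs": ["get", "list", "delete"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]}
]}
""")

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE):
        print(*finding, sep="  ")
```

Wildcard roles held by admin users are expected to appear in the findings, since admins have access by default; the output is a list to review, not a list of errors.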

 
