Kubernetes Discovery with ServiceNow - Complete Setup Guide
Watch the Full Video Tutorial Soon!
This article accompanies the NowDivas video tutorial on Kubernetes Discovery and will be uploaded soon.
Subscribe to NowDivas for the complete walkthrough!
This article will be updated with the video link once available.
Purpose
This knowledge article provides a comprehensive guide to setting up Kubernetes discovery in ServiceNow using Google Kubernetes Engine (GKE). While this guide uses GKE as an example, the same principles apply to AWS EKS, Azure AKS, and on-premises Kubernetes clusters.
Note: This article is not a duplicate of existing ServiceNow documentation or anyone's work. It provides a practical, end-to-end implementation guide based on real-world experience, including troubleshooting steps and SSL certificate configuration that are not covered in detail.
Prerequisites
ServiceNow Instance Requirements
- ServiceNow instance (PDI, Dev, or Production)
- Discovery and Service Mapping Patterns plugin (latest version from ServiceNow Store)
- Visit ServiceNow Store
- Install: "Discovery and Service Mapping Patterns"
- Active MID Server with network connectivity to Kubernetes API endpoint
Kubernetes Cluster Requirements
- Running Kubernetes cluster (version 1.21 or later)
- Kubernetes API server accessible from MID Server
- Service account with appropriate RBAC permissions
- Bearer token for authentication
Required Permissions
The ServiceNow service account must have GET permissions for the following API endpoints:
/api/v1/namespaces/api/v1/pods/api/v1/services/api/v1/nodes/apis/apps/v1/deployments/apis/apps/v1/replicasets/apis/apps/v1/daemonsets/apis/apps/v1/statefulsets
Step 1: Set Up Google Kubernetes Engine (GKE)
Cost Note: GKE offers $300 in free credits for new users. A small cluster for discovery testing costs approximately $0.10-0.30 per hour.
1.1 Create GKE Cluster
Open Google Cloud Shell and run:
# Enable Kubernetes Engine API
gcloud services enable container.googleapis.com
# Create cluster
gcloud container clusters create nowdivas-k8s \
--zone us-central1-a \
--num-nodes 1 \
--machine-type e2-small \
--disk-size 20 \
--enable-autoscaling --min-nodes 1 --max-nodes 11.2 Deploy Demo Applications
# Get cluster credentials
gcloud container clusters get-credentials nowdivas-k8s --zone us-central1-a
# Create namespace
kubectl create namespace nowdivas-demo
# Deploy web application
kubectl create deployment webapp --image=nginx --replicas=2 -n nowdivas-demo
kubectl expose deployment webapp --port=80 --type=LoadBalancer -n nowdivas-demo
# Deploy API service
kubectl create deployment api-service --image=httpd --replicas=2 -n nowdivas-demo
kubectl expose deployment api-service --port=80 --type=ClusterIP -n nowdivas-demo
# Verify pods are running
kubectl get pods -n nowdivas-demoStep 2: Create ServiceNow Service Account in Kubernetes
2.1 Create Service Account
# Create service account
kubectl create serviceaccount sn-discovery -n kube-system
# Create cluster role binding with view permissions
kubectl create clusterrolebinding sn-discovery-binding \
--clusterrole=view \
--serviceaccount=kube-system:sn-discovery
# Grant additional permissions for nodes
kubectl create clusterrolebinding sn-discovery-admin \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:sn-discoveryImportant: The
cluster-admin role is used here for comprehensive discovery. In production, create a custom role with only the necessary permissions listed in the prerequisites section.2.2 Generate Bearer Token
# Generate token (valid for 48 hours by default)
kubectl create token sn-discovery -n kube-system --duration=87600hSave the entire token output (starts with eyJ...)
2.3 Get API Server URL
# Get the API server endpoint
kubectl cluster-info | grep "control plane"Output example: https://34.170.241.185:443
Step 3: Configure SSL Certificate Trust on MID Server
Why This Step is Necessary: The MID Server must trust the Kubernetes API server's SSL certificate. Without this, discovery will fail with SSL handshake errors.
3.1 Download Kubernetes API Server Certificate
On your MID Server (Windows example), run PowerShell as Administrator:
# Download certificate using PowerShell
$tcpClient = New-Object System.Net.Sockets.TcpClient("34.170.241.185", 443)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, ({$true}))
$sslStream.AuthenticateAsClient("34.170.241.185")
$cert = $sslStream.RemoteCertificate
[System.IO.File]::WriteAllBytes("C:\temp\gke_cert.cer", $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$sslStream.Close()
$tcpClient.Close()3.2 Import Certificate into MID Server Java Keystore
# Navigate to MID Server JRE directory
cd "C:\ServiceNow\MIDServer\agent\jre\bin"
# Import certificate (replace path with your actual MID Server location)
.\keytool.exe -import -alias gke-cluster ^
-file C:\temp\gke_cert.cer ^
-keystore ..\lib\security\cacerts ^
-storepass changeitWhen prompted "Trust this certificate? [no]:", type yes
3.3 Restart MID Server
# Windows
net stop snc_mid
net start snc_mid
# Linux
sudo systemctl restart mid
# or
./mid.sh restartStep 4: Configure ServiceNow Discovery
4.1 Create Kubernetes Credentials
First, create the Credential Alias:
- Navigate to Connection & Credential Aliases
- In the Credential Aliases related list (or navigate to Discovery > Credential Aliases), click New
- Fill in:
- Name:
gke_nowdivas_alias - Type: Credential
- Name:
- Click Submit and note the alias name
Then, create the Kubernetes Credential:
- Navigate to Discovery > Credentials > New > Kubernetes Credentials
- Fill in the following fields:
Field Value Name GKE NowDivas Demo User name (leave empty) Password Paste the entire Bearer token Bearer Token Authentication Check this box (if available) Bearer Token Paste token here (if checkbox available) Credential alias Select gke_nowdivas_aliasfrom dropdown - Click Submit
Note: If the "Bearer Token Authentication" checkbox is not visible, your Discovery and Service Mapping Patterns version may be outdated. Update from the ServiceNow Store or use the Password field as a workaround.
4.2 Create Discovery Schedule
- Navigate to Discovery > Discovery Schedules > New
- Fill in:
- Name:
GKE Kubernetes Discovery - Type: Serverless
- MID Server: Select your MID Server
- Name:
- Click Submit
4.3 Configure Serverless Execution Pattern
- In the Serverless Execution Patterns related list, click New
- Configure the following parameters:
Parameter Value Description Pattern Kubernetes Select from dropdown url https://34.170.241.185 Your API server endpoint namespace nowdivas-demo,kube-system Comma-separated namespaces credentials_alias gke_nowdivas_alias Alias created in step 4.1 cluster_name gke-nowdivas-k8s Your cluster name provider GCP Cloud provider (optional) - Click Submit
Step 5: Run Discovery
- Navigate to your discovery schedule
- Click Discovery Now
- Monitor progress:
- Discovery > ECC Queue - View message flow
- Discovery > Discovery Log - View detailed logs
Expected Results: Discovery should take 3-5 minutes and create approximately 150+ CIs including cluster, nodes, pods, services, deployments, containers, and images.
Step 6: Verify Discovery Results
6.1 Check Discovered CIs
Navigate to the following tables to verify discovery:
- Configuration > Servers > Kubernetes > Clusters
- Should show: gke-nowdivas-k8s
- Configuration > Servers > Kubernetes > Nodes
- Should show: gke-nowdivas-k8s-default-pool-...
- Configuration > Servers > Kubernetes > Pods
- Should show: webapp pods, api-service pods, and system pods
- Configuration > Servers > Kubernetes > Services
- Should show: webapp, api-service, and system services
6.2 View Dependency Map
- Open the Kubernetes Cluster CI
- Click Related Links > Kubernetes Dependencies
- Verify the complete relationship chain:
- Cluster → Nodes → Pods → Containers → Images
- Services → Deployments → ReplicaSets → Pods
Troubleshooting
Issue: SSL Certificate Error
Symptom: Discovery fails with "SSL handshake" or "certificate" errors
Solution: Follow Step 3 to import the Kubernetes API server certificate into the MID Server's Java keystore.
Issue: Permission Denied (403 Forbidden)
Symptom: Discovery log shows "User cannot list resource 'nodes'"
Solution: Grant additional permissions to the service account as shown in Step 2.1
Issue: Invalid Credentials Alias
Symptom: "credsAlias configured in Discovery schedule is not valid"
Solution: Verify the credential alias was created correctly and is referenced exactly in the serverless pattern parameters
Issue: No Pods Discovered
Symptom: Only cluster CI is created, no pods or services
Solution:
- Verify pods are actually running:
kubectl get pods -n nowdivas-demo - Check namespace parameter matches your actual namespaces
- Review pattern execution log for API call failures
Additional Resources
- ServiceNow Official Documentation - Kubernetes Discovery
- ServiceNow Discovery and Service Mapping Documentation
- ServiceNow Store - Discovery Patterns
- Kubernetes RBAC Documentation
- Google Kubernetes Engine Documentation
Cleanup (Important)
After completing your discovery testing, delete the GKE cluster to avoid ongoing charges:
# Delete the cluster
gcloud container clusters delete nowdivas-k8s --zone us-central1-a
# Confirm deletion when promptedCost Warning: Leaving the cluster running will incur charges even if idle. Always delete test clusters when finished.
See This in Action
Watch the complete video tutorial on the NowDivas YouTube channel!
The video will be uploaded soon, and this article will be updated with the link.
Subscribe for more ServiceNow ITOM and Discovery content.
