Kubernetes Discovery with ServiceNow - Complete Setup Guide
Watch the Full Video Tutorial Soon!
This article accompanies the NowDivas video tutorial on Kubernetes Discovery and will be uploaded soon.
Subscribe to NowDivas for the complete walkthrough!
This article will be updated with the video link once available.
Purpose
This knowledge article provides a comprehensive guide to setting up Kubernetes discovery in ServiceNow using Google Kubernetes Engine (GKE). While this guide uses GKE as an example, the same principles apply to AWS EKS, Azure AKS, and on-premises Kubernetes clusters.
Prerequisites
ServiceNow Instance Requirements
- ServiceNow instance (PDI, Dev, or Production)
- Discovery and Service Mapping Patterns plugin (latest version from ServiceNow Store)
- Visit ServiceNow Store
- Install: "Discovery and Service Mapping Patterns"
- Active MID Server with network connectivity to Kubernetes API endpoint
Kubernetes Cluster Requirements
- Running Kubernetes cluster (version 1.21 or later)
- Kubernetes API server accessible from MID Server
- Service account with appropriate RBAC permissions
- Bearer token for authentication
Required Permissions
The ServiceNow service account must have GET permissions for the following API endpoints:
/api/v1/namespaces
/api/v1/pods
/api/v1/services
/api/v1/nodes
/apis/apps/v1/deployments
/apis/apps/v1/replicasets
/apis/apps/v1/daemonsets
/apis/apps/v1/statefulsets
Step 1: Set Up Google Kubernetes Engine (GKE)
1.1 Create GKE Cluster
Open Google Cloud Shell and run:
# Enable Kubernetes Engine API
gcloud services enable container.googleapis.com
# Create cluster
gcloud container clusters create nowdivas-k8s \
--zone us-central1-a \
--num-nodes 1 \
--machine-type e2-small \
--disk-size 20 \
--enable-autoscaling --min-nodes 1 --max-nodes 1
1.2 Deploy Demo Applications
# Get cluster credentials
gcloud container clusters get-credentials nowdivas-k8s --zone us-central1-a
# Create namespace
kubectl create namespace nowdivas-demo
# Deploy web application
kubectl create deployment webapp --image=nginx --replicas=2 -n nowdivas-demo
kubectl expose deployment webapp --port=80 --type=LoadBalancer -n nowdivas-demo
# Deploy API service
kubectl create deployment api-service --image=httpd --replicas=2 -n nowdivas-demo
kubectl expose deployment api-service --port=80 --type=ClusterIP -n nowdivas-demo
# Verify pods are running
kubectl get pods -n nowdivas-demo
Step 2: Create ServiceNow Service Account in Kubernetes
2.1 Create Service Account
# Create service account
kubectl create serviceaccount sn-discovery -n kube-system
# Create cluster role binding with view permissions
kubectl create clusterrolebinding sn-discovery-binding \
--clusterrole=view \
--serviceaccount=kube-system:sn-discovery
# Grant additional permissions for nodes
kubectl create clusterrolebinding sn-discovery-admin \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:sn-discovery
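The cluster-admin binding above grants far more than the GET access listed under Required Permissions. As an added example (not part of the original article or any ServiceNow tooling), this script derives a read-only ClusterRole from that endpoint list and prints the kubectl commands that replace the cluster-admin binding. The role name sn-discovery-readonly and its binding name are assumptions, and endpoints the discovery pattern may call beyond that list are not covered.

```shell
#!/bin/sh
# Added example: least-privilege role for the sn-discovery service account.
SA="system:serviceaccount:kube-system:sn-discovery"
ROLE="sn-discovery-readonly"   # hypothetical name, not from the article
# API paths copied from the "Required Permissions" list on this page.
ENDPOINTS="/api/v1/namespaces /api/v1/pods /api/v1/services /api/v1/nodes
/apis/apps/v1/deployments /apis/apps/v1/replicasets
/apis/apps/v1/daemonsets /apis/apps/v1/statefulsets"

# Map an API path to the resource[.group] form that kubectl --resource accepts.
endpoint_to_resource() {
  case "$1" in
    /api/v1/*)   printf '%s\n' "${1##*/}" ;;   # core group: no suffix
    /apis/*/*/*) g=${1#/apis/}; printf '%s.%s\n' "${1##*/}" "${g%%/*}" ;;
    *)           echo "unrecognised endpoint: $1" >&2; return 1 ;;
  esac
}

# Comma-separated resource list covering every endpoint named above.
resource_list() {
  out=""
  for ep in $ENDPOINTS; do
    r=$(endpoint_to_resource "$ep") || return 1
    out="${out:+$out,}$r"
  done
  printf '%s\n' "$out"
}

# Print (do not run) the commands that swap cluster-admin for the narrow role.
# An HTTP GET on a collection such as /api/v1/pods is the RBAC verb "list";
# "get" covers reads of a single named object.
plan() {
  echo "kubectl create clusterrole $ROLE --verb=get,list --resource=$(resource_list)"
  echo "kubectl create clusterrolebinding $ROLE-binding --clusterrole=$ROLE --serviceaccount=kube-system:sn-discovery"
  echo "kubectl delete clusterrolebinding sn-discovery-admin"
  # Verification: the first check should answer yes, the second no.
  echo "kubectl auth can-i list nodes --as=$SA"
  echo "kubectl auth can-i get secrets -n kube-system --as=$SA"
}

plan
```

Review the printed commands, run them from the same Cloud Shell session, then run discovery again to confirm nothing depends on the wider grant.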
The cluster-admin role is used here for comprehensive discovery. In production, create a custom role with only the necessary permissions listed in the prerequisites section.
2.2 Generate Bearer Token
# Generate token (valid for 48 hours by default; --duration=87600h requests a longer lifetime, and the API server may return a shorter one)
kubectl create token sn-discovery -n kube-system --duration=87600h
Save the entire token output (starts with eyJ...)
2.3 Get API Server URL
# Get the API server endpoint
kubectl cluster-info | grep "control plane"
Output example: https://34.170.241.185:443
Step 3: Configure SSL Certificate Trust on MID Server
3.1 Download Kubernetes API Server Certificate
On your MID Server (Windows example), run PowerShell as Administrator:
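# Download certificate using PowerShell
$tcpClient = New-Object System.Net.Sockets.TcpClient("34.170.241.185", 443)
# The {$true} callback accepts any certificate the endpoint presents, so the saved file is
# unauthenticated: confirm its thumbprint through a trusted channel before importing it in step 3.2
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, ({$true}))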
$sslStream.AuthenticateAsClient("34.170.241.185")
$cert = $sslStream.RemoteCertificate
[System.IO.File]::WriteAllBytes("C:\temp\gke_cert.cer", $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$sslStream.Close()
$tcpClient.Close()
3.2 Import Certificate into MID Server Java Keystore
# Navigate to MID Server JRE directory
cd "C:\ServiceNow\MIDServer\agent\jre\bin"
# Import certificate (replace path with your actual MID Server location)
# Line continuation uses the PowerShell backtick, matching the session opened in step 3.1
.\keytool.exe -import -alias gke-cluster `
-file C:\temp\gke_cert.cer `
-keystore ..\lib\security\cacerts `
-storepass changeit
When prompted "Trust this certificate? [no]:", type yes
3.3 Restart MID Server
# Windows
net stop snc_mid
net start snc_mid
# Linux
sudo systemctl restart mid
# or
./mid.sh restart
Step 4: Configure ServiceNow Discovery
4.1 Create Kubernetes Credentials
First, create the Credential Alias:
- Navigate to Connection & Credential Aliases
- In the Credential Aliases related list (or navigate to Discovery > Credential Aliases), click New
- Fill in:
- Name: gke_nowdivas_alias
- Type: Credential
- Click Submit and note the alias name
Then, create the Kubernetes Credential:
- Navigate to Discovery > Credentials > New > Kubernetes Credentials
- Fill in the following fields:
| Field | Value |
| --- | --- |
| Name | GKE NowDivas Demo |
| User name | (leave empty) |
| Password | Paste the entire Bearer token |
| Bearer Token Authentication | Check this box (if available) |
| Bearer Token | Paste token here (if checkbox available) |
| Credential alias | Select gke_nowdivas_alias from dropdown |

- Click Submit
4.2 Create Discovery Schedule
- Navigate to Discovery > Discovery Schedules > New
- Fill in:
- Name: GKE Kubernetes Discovery
- Type: Serverless
- MID Server: Select your MID Server
- Click Submit
4.3 Configure Serverless Execution Pattern
- In the Serverless Execution Patterns related list, click New
- Configure the following parameters:
| Parameter | Value | Description |
| --- | --- | --- |
| Pattern | Kubernetes | Select from dropdown |
| url | https://34.170.241.185 | Your API server endpoint |
| namespace | nowdivas-demo,kube-system | Comma-separated namespaces |
| credentials_alias | gke_nowdivas_alias | Alias created in step 4.1 |
| cluster_name | gke-nowdivas-k8s | Your cluster name |
| provider | GCP | Cloud provider (optional) |

- Click Submit
Step 5: Run Discovery
- Navigate to your discovery schedule
- Click Discovery Now
- Monitor progress:
- Discovery > ECC Queue - View message flow
- Discovery > Discovery Log - View detailed logs
Step 6: Verify Discovery Results
6.1 Check Discovered CIs
Navigate to the following tables to verify discovery:
- Configuration > Servers > Kubernetes > Clusters
- Should show: gke-nowdivas-k8s
- Configuration > Servers > Kubernetes > Nodes
- Should show: gke-nowdivas-k8s-default-pool-...
- Configuration > Servers > Kubernetes > Pods
- Should show: webapp pods, api-service pods, and system pods
- Configuration > Servers > Kubernetes > Services
- Should show: webapp, api-service, and system services
6.2 View Dependency Map
- Open the Kubernetes Cluster CI
- Click Related Links > Kubernetes Dependencies
- Verify the complete relationship chain:
- Cluster → Nodes → Pods → Containers → Images
- Services → Deployments → ReplicaSets → Pods
Troubleshooting
Issue: SSL Certificate Error
Symptom: Discovery fails with "SSL handshake" or "certificate" errors
Solution: Follow Step 3 to import the Kubernetes API server certificate into the MID Server's Java keystore.
Issue: Permission Denied (403 Forbidden)
Symptom: Discovery log shows "User cannot list resource 'nodes'"
Solution: Grant additional permissions to the service account as shown in Step 2.1
Issue: Invalid Credentials Alias
Symptom: "credsAlias configured in Discovery schedule is not valid"
Solution: Verify the credential alias was created correctly and is referenced exactly in the serverless pattern parameters
Issue: No Pods Discovered
Symptom: Only cluster CI is created, no pods or services
Solution:
- Verify pods are actually running:
kubectl get pods -n nowdivas-demo
- Check namespace parameter matches your actual namespaces
- Review pattern execution log for API call failures
Additional Resources
- ServiceNow Official Documentation - Kubernetes Discovery
- ServiceNow Discovery and Service Mapping Documentation
- ServiceNow Store - Discovery Patterns
- Kubernetes RBAC Documentation
- Google Kubernetes Engine Documentation
Cleanup (Important)
After completing your discovery testing, delete the GKE cluster to avoid ongoing charges:
# Delete the cluster
gcloud container clusters delete nowdivas-k8s --zone us-central1-a
# Confirm deletion when prompted
Article prepared for the ServiceNow Community by NowDivas
This article provides practical implementation guidance based on real-world experience.
For official documentation, always refer to docs.servicenow.com