Selva Arun
Mega Sage
Kubernetes Discovery with ServiceNow - Complete Setup Guide

Watch the Full Video Tutorial Soon!

This article accompanies the NowDivas video tutorial on Kubernetes Discovery and will be uploaded soon.
Subscribe to NowDivas for the complete walkthrough!
This article will be updated with the video link once available.

Purpose

This knowledge article provides a comprehensive guide to setting up Kubernetes discovery in ServiceNow using Google Kubernetes Engine (GKE). While this guide uses GKE as an example, the same principles apply to AWS EKS, Azure AKS, and on-premises Kubernetes clusters.

Note: This article is not a duplicate of existing ServiceNow documentation or anyone else's work. It provides a practical, end-to-end implementation guide based on real-world experience, including troubleshooting steps and SSL certificate configuration that are not covered in detail elsewhere.

Prerequisites

ServiceNow Instance Requirements

  • ServiceNow instance (PDI, Dev, or Production)
  • Discovery and Service Mapping Patterns plugin (latest version from ServiceNow Store)
  • Active MID Server with network connectivity to Kubernetes API endpoint

Kubernetes Cluster Requirements

  • Running Kubernetes cluster (version 1.21 or later)
  • Kubernetes API server accessible from MID Server
  • Service account with appropriate RBAC permissions
  • Bearer token for authentication

Required Permissions

The ServiceNow service account must have GET permissions for the following API endpoints:

  • /api/v1/namespaces
  • /api/v1/pods
  • /api/v1/services
  • /api/v1/nodes
  • /apis/apps/v1/deployments
  • /apis/apps/v1/replicasets
  • /apis/apps/v1/daemonsets
  • /apis/apps/v1/statefulsets

Step 1: Set Up Google Kubernetes Engine (GKE)

Cost Note: GKE offers $300 in free credits for new users. A small cluster for discovery testing costs approximately $0.10-0.30 per hour.

1.1 Create GKE Cluster

Open Google Cloud Shell and run:

# Enable Kubernetes Engine API
gcloud services enable container.googleapis.com

# Create cluster
gcloud container clusters create nowdivas-k8s \
  --zone us-central1-a \
  --num-nodes 1 \
  --machine-type e2-small \
  --disk-size 20 \
  --enable-autoscaling --min-nodes 1 --max-nodes 1

1.2 Deploy Demo Applications

# Get cluster credentials
gcloud container clusters get-credentials nowdivas-k8s --zone us-central1-a

# Create namespace
kubectl create namespace nowdivas-demo

# Deploy web application
kubectl create deployment webapp --image=nginx --replicas=2 -n nowdivas-demo
kubectl expose deployment webapp --port=80 --type=LoadBalancer -n nowdivas-demo

# Deploy API service
kubectl create deployment api-service --image=httpd --replicas=2 -n nowdivas-demo
kubectl expose deployment api-service --port=80 --type=ClusterIP -n nowdivas-demo

# Verify pods are running
kubectl get pods -n nowdivas-demo

Step 2: Create ServiceNow Service Account in Kubernetes

2.1 Create Service Account

# Create service account
kubectl create serviceaccount sn-discovery -n kube-system

# Create cluster role binding with view permissions
kubectl create clusterrolebinding sn-discovery-binding \
  --clusterrole=view \
  --serviceaccount=kube-system:sn-discovery

# Grant additional permissions for nodes
kubectl create clusterrolebinding sn-discovery-admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:sn-discovery

Important: The cluster-admin role is used here for comprehensive discovery. In production, create a custom role with only the necessary permissions listed in the prerequisites section.
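A least-privilege alternative to the cluster-admin binding above, added here as an example rather than taken from the original article: it defines a ClusterRole limited to read access on the resources behind the endpoints listed under Required Permissions, binds it to the sn-discovery service account from step 2.1, and adds a kubectl auth can-i check that the account can list what discovery needs and nothing more. The role and binding names sn-discovery-reader and sn-discovery-reader-binding are assumed.

```shell
# Added example, not from the original article: a least-privilege replacement for the
# cluster-admin binding in step 2.1, covering only the read-only API endpoints listed
# under "Required Permissions". The names sn-discovery-reader and
# sn-discovery-reader-binding are assumed; the service account is the article's own.

# Print the RBAC manifest (apply with: sn_discovery_rbac_manifest | kubectl apply -f -).
sn_discovery_rbac_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sn-discovery-reader
rules:
  # /api/v1/{namespaces,pods,services,nodes}
  - apiGroups: [""]
    resources: [namespaces, pods, services, nodes]
    verbs: [get, list, watch]
  # /apis/apps/v1/{deployments,replicasets,daemonsets,statefulsets}
  - apiGroups: [apps]
    resources: [deployments, replicasets, daemonsets, statefulsets]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sn-discovery-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sn-discovery-reader
subjects:
  - kind: ServiceAccount
    name: sn-discovery
    namespace: kube-system
EOF
}

# Verify the account can list what discovery needs and cannot read secrets or
# write anything (needs cluster access via kubectl; not exercised offline).
sn_discovery_rbac_check() {
  sa="system:serviceaccount:kube-system:sn-discovery"
  for r in namespaces pods services nodes deployments.apps replicasets.apps \
           daemonsets.apps statefulsets.apps; do
    kubectl auth can-i list "$r" --as="$sa" >/dev/null || { echo "missing: list $r"; return 1; }
  done
  kubectl auth can-i get secrets --as="$sa" >/dev/null 2>&1 && { echo "too broad: get secrets"; return 1; }
  kubectl auth can-i create pods --as="$sa" >/dev/null 2>&1 && { echo "too broad: create pods"; return 1; }
  echo "rbac ok"
}
```

After applying the manifest, remove the broad binding from step 2.1 with kubectl delete clusterrolebinding sn-discovery-admin and run sn_discovery_rbac_check before the first discovery.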

2.2 Generate Bearer Token

# Request a long-lived token (kubectl's default lifetime is 1 hour; the API server
# may cap the requested duration). Treat the output as a secret: it is a bearer
# credential, and deleting the service account is what invalidates it if it leaks.
kubectl create token sn-discovery -n kube-system --duration=87600h

Save the entire token output (starts with eyJ...)

2.3 Get API Server URL

# Get the API server endpoint
kubectl cluster-info | grep "control plane"

Output example: https://34.170.241.185:443

Step 3: Configure SSL Certificate Trust on MID Server

Why This Step is Necessary: The MID Server must trust the Kubernetes API server's SSL certificate. Without this, discovery will fail with SSL handshake errors.

3.1 Download Kubernetes API Server Certificate

On your MID Server (Windows example), run PowerShell as Administrator:

# Download certificate using PowerShell
# The {$true} validation callback accepts whatever certificate the peer presents for
# this one-off fetch, so confirm the exported certificate's thumbprint out-of-band
# before importing it in step 3.2.
$tcpClient = New-Object System.Net.Sockets.TcpClient("34.170.241.185", 443)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, ({$true}))
# Complete the TLS handshake against the API server address
$sslStream.AuthenticateAsClient("34.170.241.185")
# Export the server certificate in DER form, which keytool reads directly
$cert = $sslStream.RemoteCertificate
New-Item -ItemType Directory -Force -Path "C:\temp" | Out-Null
[System.IO.File]::WriteAllBytes("C:\temp\gke_cert.cer", $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$sslStream.Close()
$tcpClient.Close()

3.2 Import Certificate into MID Server Java Keystore

# Navigate to MID Server JRE directory
cd "C:\ServiceNow\MIDServer\agent\jre\bin"

# Import certificate (replace path with your actual MID Server location).
# The backtick is PowerShell's line-continuation character.
.\keytool.exe -import -alias gke-cluster `
  -file C:\temp\gke_cert.cer `
  -keystore ..\lib\security\cacerts `
  -storepass changeit

# Confirm the entry is present in the keystore
.\keytool.exe -list -alias gke-cluster -keystore ..\lib\security\cacerts -storepass changeit

When prompted "Trust this certificate? [no]:", type yes

3.3 Restart MID Server

# Windows
net stop snc_mid
net start snc_mid

# Linux
sudo systemctl restart mid
# or
./mid.sh restart

Step 4: Configure ServiceNow Discovery

4.1 Create Kubernetes Credentials

First, create the Credential Alias:

  1. Navigate to Connection & Credential Aliases
  2. In the Credential Aliases related list (or navigate to Discovery > Credential Aliases), click New
  3. Fill in:
    • Name: gke_nowdivas_alias
    • Type: Credential
  4. Click Submit and note the alias name

Then, create the Kubernetes Credential:

  1. Navigate to Discovery > Credentials > New > Kubernetes Credentials
  2. Fill in the following fields:
    Field                          Value
    Name                           GKE NowDivas Demo
    User name                      (leave empty)
    Password                       Paste the entire Bearer token
    Bearer Token Authentication    Check this box (if available)
    Bearer Token                   Paste token here (if checkbox available)
    Credential alias               Select gke_nowdivas_alias from dropdown
  3. Click Submit

Note: If the "Bearer Token Authentication" checkbox is not visible, your Discovery and Service Mapping Patterns version may be outdated. Update from the ServiceNow Store or use the Password field as a workaround.

4.2 Create Discovery Schedule

  1. Navigate to Discovery > Discovery Schedules > New
  2. Fill in:
    • Name: GKE Kubernetes Discovery
    • Type: Serverless
    • MID Server: Select your MID Server
  3. Click Submit

4.3 Configure Serverless Execution Pattern

  1. In the Serverless Execution Patterns related list, click New
  2. Configure the following parameters:
    Parameter           Value                       Description
    Pattern             Kubernetes                  Select from dropdown
    url                 https://34.170.241.185      Your API server endpoint
    namespace           nowdivas-demo,kube-system   Comma-separated namespaces
    credentials_alias   gke_nowdivas_alias          Alias created in step 4.1
    cluster_name        gke-nowdivas-k8s            Your cluster name
    provider            GCP                         Cloud provider (optional)
  3. Click Submit

Step 5: Run Discovery

  1. Navigate to your discovery schedule
  2. Click Discovery Now
  3. Monitor progress:
    • Discovery > ECC Queue - View message flow
    • Discovery > Discovery Log - View detailed logs

Expected Results: Discovery should take 3-5 minutes and create approximately 150+ CIs including cluster, nodes, pods, services, deployments, containers, and images.

Step 6: Verify Discovery Results

6.1 Check Discovered CIs

Navigate to the following tables to verify discovery:

  • Configuration > Servers > Kubernetes > Clusters
    • Should show: gke-nowdivas-k8s
  • Configuration > Servers > Kubernetes > Nodes
    • Should show: gke-nowdivas-k8s-default-pool-...
  • Configuration > Servers > Kubernetes > Pods
    • Should show: webapp pods, api-service pods, and system pods
  • Configuration > Servers > Kubernetes > Services
    • Should show: webapp, api-service, and system services

6.2 View Dependency Map

  1. Open the Kubernetes Cluster CI
  2. Click Related Links > Kubernetes Dependencies
  3. Verify the complete relationship chain:
    • Cluster → Nodes → Pods → Containers → Images
    • Services → Deployments → ReplicaSets → Pods


Troubleshooting

Issue: SSL Certificate Error

Symptom: Discovery fails with "SSL handshake" or "certificate" errors

Solution: Follow Step 3 to import the Kubernetes API server certificate into the MID Server's Java keystore.

Issue: Permission Denied (403 Forbidden)

Symptom: Discovery log shows "User cannot list resource 'nodes'"

Solution: Grant the missing permissions to the service account as shown in Step 2.1 (at minimum, read access to the resources listed under Required Permissions).

Issue: Invalid Credentials Alias

Symptom: "credsAlias configured in Discovery schedule is not valid"

Solution: Verify the credential alias was created correctly and that the credentials_alias pattern parameter matches its name exactly.

Issue: No Pods Discovered

Symptom: Only cluster CI is created, no pods or services

Solution:

  • Verify pods are actually running: kubectl get pods -n nowdivas-demo
  • Check namespace parameter matches your actual namespaces
  • Review pattern execution log for API call failures

Additional Resources

Cleanup (Important)

After completing your discovery testing, delete the GKE cluster to avoid ongoing charges:

# Delete the cluster
gcloud container clusters delete nowdivas-k8s --zone us-central1-a

# Confirm deletion when prompted

Cost Warning: Leaving the cluster running will incur charges even if idle. Always delete test clusters when finished.

See This in Action

Watch the complete video tutorial on the NowDivas YouTube channel!
The video will be uploaded soon, and this article will be updated with the link.
Subscribe for more ServiceNow ITOM and Discovery content.
