Creating a static configuration file

Written by

Improved by

Updated at November 22, 2024

Getting started
Get a unique cluster ID
Prepare a cluster certificate
Create a ServiceAccount object
Prepare the ServiceAccount token
Get the cluster IP
Add data to the configuration file
Check the result

Static configuration files allow you to access a Managed Service for Kubernetes cluster without using the CLI, e.g., from continuous integration systems.

You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the kubectl config use-context command. For more information about how to configure access to multiple Managed Service for Kubernetes clusters, see the Kubernetes documentation.

To create a configuration file:

To run bash commands, you will need a JSON parser: jq.

Getting started

Create a service account.
Create a Managed Service for Kubernetes cluster with any suitable configuration.
Create a node group of any suitable configuration.
Install kubect and set it up to work with the created cluster. Add the credentials to the test.kubeconfig configuratioin file using the --kubeconfig=test.kubeconfig flag.

Get a unique cluster ID

To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.

Find the unique ID of the Managed Service for Kubernetes cluster:

Management console

CLI

Go to the folder page and select Managed Service for Kubernetes.
Click the name of the Managed Service for Kubernetes cluster.

The unique ID of the Managed Service for Kubernetes cluster will appear in the ID field.

yc managed-kubernetes cluster list

Result:

+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
|          ID          |  NAME  |     CREATED AT      | HEALTH  | STATUS  |    EXTERNAL ENDPOINT   |  INTERNAL ENDPOINT |
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
| catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+

Save the unique ID of the Managed Service for Kubernetes cluster to a variable.
Bash

PowerShell
```
CLUSTER_ID=catb3ppsdsh7********
```
```
$CLUSTER_ID = "catb3ppsdsh7********"
```

Prepare a cluster certificate

Save the Managed Service for Kubernetes cluster certificate to the ca.pem file. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.

Bash

PowerShell

Run a command that:

Retrieves Managed Service for Kubernetes cluster information in JSON format.
Retains certificate information only and removes excessive quotation marks from the certificate contents.
Removes unnecessary characters from the certificate contents.
Saves the certificate to the ca.pem file.

yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
  jq -r .master.master_auth.cluster_ca_certificate | \
  awk '{gsub(/\\n/,"\n")}1' > ca.pem

Get detailed information about the Managed Service for Kubernetes cluster in JSON format and save it to the $CLUSTER variable:
```
$CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json
```
Get the Managed Service for Kubernetes cluster certificate and save it to the ca.pem file:
```
$CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem
```

Create a ServiceAccount object

Create an object named ServiceAccount to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.

Save the following specification for creating the ServiceAccount object and its secret to a YAML file named sa.yaml.

For more information about the ServiceAccount object, see the Kubernetes documentation.

Kubernetes version: 1.24 or higher

Kubernetes version: 1.23 or lower

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

Create the ServiceAccount object and a secret for it:
```
kubectl create -f sa.yaml
```

Prepare the ServiceAccount token

This token is used to authenticate the ServiceAccount object in the Managed Service for Kubernetes cluster.

Bash

PowerShell

Run a command that:

Retrieves information about the previously created admin-user service account in JSON format.
Retains token information only and removes excessive quotation marks from the token contents.
Decodes the token from Base64.
Saves the token contents to the SA_TOKEN variable.

SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
  grep admin-user-token | \
  awk '{print $1}') -o json | \
  jq -r .data.token | \
  base64 -d)

Get a token for the ServiceAccount object. Quotation marks in its contents will be removed automatically:

$SECRET = kubectl -n kube-system get secret -o json | `
  ConvertFrom-Json | `
  Select-Object -ExpandProperty items | `
  Where-Object { $_.metadata.name -like "*admin-user*" }

Decode the token from Base64:

$SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))

Get the cluster IP

Get the Managed Service for Kubernetes cluster IP address and add it to the MASTER_ENDPOINT variable for future use.

Bash

PowerShell

Run a command that:

Retrieves Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
Leaves only the Managed Service for Kubernetes cluster IP address.
Removes excessive quotation marks from its contents.
Writes the IP address to the MASTER_ENDPOINT variable.

To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud).

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.external_v4_endpoint)

To use the Managed Service for Kubernetes cluster API for connecting to the master from cloud networks.

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.internal_v4_endpoint)

Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint

Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint

Add data to the configuration file

Add information about the Managed Service for Kubernetes cluster to the configuration file.

Bash

PowerShell

Run this command:

kubectl config set-cluster sa-test2 \
  --certificate-authority=ca.pem \
  --embed-certs \
  --server=$MASTER_ENDPOINT \
  --kubeconfig=test.kubeconfig

Run this command:

kubectl config set-cluster sa-test2 `
  --certificate-authority=ca.pem `
  --embed-certs `
  --server=$MASTER_ENDPOINT `
  --kubeconfig=test.kubeconfig

Add information about the token for admin-user to the configuration file.

Bash

PowerShell

Run this command:

kubectl config set-credentials admin-user \
  --token=$SA_TOKEN \
  --kubeconfig=test.kubeconfig

Run this command:

kubectl config set-credentials admin-user `
  --token=$SA_TOKEN `
  --kubeconfig=test.kubeconfig

Add context information to the configuration file.

Bash

PowerShell

Run this command:

kubectl config set-context default \
  --cluster=sa-test2 \
  --user=admin-user \
  --kubeconfig=test.kubeconfig

Run this command:

kubectl config set-context default `
  --cluster=sa-test2 `
  --user=admin-user `
  --kubeconfig=test.kubeconfig

Use the created configuration for further work.

Bash

PowerShell

Run this command:

kubectl config use-context default \
  --kubeconfig=test.kubeconfig

Run this command:

kubectl config use-context default `
  --kubeconfig=test.kubeconfig

Check the result

Make sure that the configuration is correct by running the following command:

kubectl get namespace --kubeconfig=test.kubeconfig

Result:

NAME     STATUS  AGE
default  Active  9d

Creating a static configuration file

Getting startedGetting started

Get a unique cluster IDGet a unique cluster ID

Prepare a cluster certificatePrepare a cluster certificate

Create a ServiceAccount objectCreate a ServiceAccount object

Prepare the ServiceAccount tokenPrepare the ServiceAccount token

Get the cluster IPGet the cluster IP

Add data to the configuration fileAdd data to the configuration file

Check the resultCheck the result

Was the article helpful?

Getting started

Get a unique cluster ID

Prepare a cluster certificate

Create a ServiceAccount object

Prepare the ServiceAccount token

Get the cluster IP

Add data to the configuration file

Check the result