Creating a static configuration file
Static configuration files allow you to access a Managed Service for Kubernetes cluster without using the CLI, e.g., from continuous integration systems.
You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the kubectl config use-context command. For more information about how to configure access to multiple Managed Service for Kubernetes clusters, see the Kubernetes
To create a configuration file:
- Get a unique cluster ID.
- Prepare a Managed Service for Kubernetes cluster certificate.
- Create a ServiceAccount object.
- Prepare a ServiceAccount token.
- Create and populate a configuration file.
- Check the result.
To run bash commands, you will need a JSON parser: jq
Getting started
- Create a service account.
- Create a Managed Service for Kubernetes cluster with any suitable configuration.
- Create a node group of any suitable configuration.
- Install kubectl and set it up to work with the created cluster. Add the credentials to the test.kubeconfig configuration file using the --kubeconfig=test.kubeconfig flag.
Get a unique cluster ID
To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.
- Find the unique ID of the Managed Service for Kubernetes cluster:
  Management console:
  - Go to the folder page and select Managed Service for Kubernetes.
  - Click the name of the Managed Service for Kubernetes cluster.
  The unique ID of the Managed Service for Kubernetes cluster will appear in the ID field.
  CLI:
  yc managed-kubernetes cluster list
  Result:
  +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
  |          ID          |  NAME  |     CREATED AT      | HEALTH  | STATUS  |   EXTERNAL ENDPOINT    | INTERNAL ENDPOINT  |
  +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
  | catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
  +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
- Save the unique ID of the Managed Service for Kubernetes cluster to a variable.
  Bash:
  CLUSTER_ID=catb3ppsdsh7********
  PowerShell:
  $CLUSTER_ID = "catb3ppsdsh7********"
Prepare a cluster certificate
Save the Managed Service for Kubernetes cluster certificate to the ca.pem file. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.
Bash:
Run a command that:
- Retrieves Managed Service for Kubernetes cluster information in JSON format.
- Retains certificate information only and removes excessive quotation marks from the certificate contents.
- Removes unnecessary characters from the certificate contents.
- Saves the certificate to the ca.pem file.
yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
jq -r .master.master_auth.cluster_ca_certificate | \
awk '{gsub(/\\n/,"\n")}1' > ca.pem
PowerShell:
- Get detailed information about the Managed Service for Kubernetes cluster in JSON format and save it to the $CLUSTER variable:
  $CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json
- Get the Managed Service for Kubernetes cluster certificate and save it to the ca.pem file:
  $CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem
Create a ServiceAccount object
Create an object named ServiceAccount to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.
- Save the following specification for creating the ServiceAccount object and its secret to a YAML file named sa.yaml.
  For more information about the ServiceAccount object, see the Kubernetes documentation.
  Kubernetes version: 1.24 or higher
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: admin-user
    namespace: kube-system
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: admin-user
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: cluster-admin
  subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system
  ---
  apiVersion: v1
  kind: Secret
  type: kubernetes.io/service-account-token
  metadata:
    name: admin-user-token
    namespace: kube-system
    annotations:
      kubernetes.io/service-account.name: "admin-user"
  Kubernetes version: 1.23 or lower
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: admin-user
    namespace: kube-system
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: admin-user
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: cluster-admin
  subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system
- Create the ServiceAccount object and a secret for it:
  kubectl create -f sa.yaml
Prepare the ServiceAccount token
This token is used to authenticate the ServiceAccount object in the Managed Service for Kubernetes cluster.
Bash:
Run a command that:
- Retrieves information about the previously created admin-user service account in JSON format.
- Retains token information only and removes excessive quotation marks from the token contents.
- Decodes the token from Base64.
- Saves the token contents to the SA_TOKEN variable.
SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
grep admin-user-token | \
awk '{print $1}') -o json | \
jq -r .data.token | \
base64 -d)
PowerShell:
- Get a token for the ServiceAccount object. Quotation marks in its contents will be removed automatically:
  $SECRET = kubectl -n kube-system get secret -o json | `
    ConvertFrom-Json | `
    Select-Object -ExpandProperty items | `
    Where-Object { $_.metadata.name -like "*admin-user*" }
- Decode the token from Base64:
  $SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))
Get the cluster IP
Get the Managed Service for Kubernetes cluster IP address and add it to the MASTER_ENDPOINT variable for future use.
Bash:
Run a command that:
- Retrieves Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
- Leaves only the Managed Service for Kubernetes cluster IP address.
- Removes excessive quotation marks from its contents.
- Writes the IP address to the MASTER_ENDPOINT variable.
To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):
MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
--format json | \
jq -r .master.endpoints.external_v4_endpoint)
To use the Managed Service for Kubernetes cluster API for connecting to the master from cloud networks:
MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
--format json | \
jq -r .master.endpoints.internal_v4_endpoint)
PowerShell:
Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):
$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint
Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:
$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint
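The following is an added example, not part of the original instructions: a pre-flight check in POSIX shell that ca.pem, the ServiceAccount token and MASTER_ENDPOINT have the expected shape before they are written to test.kubeconfig. The function names and the demo_* sample values are constructed for illustration; the check assumes the token is a JWT whose sub claim is system:serviceaccount:kube-system:admin-user.

```bash
# Added example, not from the original page. Function names and demo_* values
# are constructed; the token below is a fake JWT, not a real credential.

# Print the JSON payload (second dot-separated part) of a JWT.
jwt_payload() (
  part=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  # base64url omits '=' padding; restore it so base64 -d accepts the input
  while [ $(( ${#part} % 4 )) -ne 0 ]; do part="$part="; done
  printf '%s' "$part" | base64 -d
)

# Print the "sub" claim, e.g. system:serviceaccount:kube-system:admin-user.
jwt_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# preflight CA_FILE TOKEN ENDPOINT EXPECTED_SUB
# Prints "ok" (status 0) or the first problem found (status 1).
preflight() (
  # ca.pem must be PEM with real line breaks, not literal "\n" sequences
  grep -qx -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -qx -e '-----END CERTIFICATE-----' "$1" ||
    { echo "ca: not a PEM certificate with real line breaks"; exit 1; }
  # a token still Base64-encoded, or taken from another secret, fails here
  [ "$(jwt_subject "$2")" = "$4" ] ||
    { echo "token: subject is not $4"; exit 1; }
  case $3 in
    https://?*) ;;
    *) echo "endpoint: expected an https:// URL"; exit 1 ;;
  esac
  echo ok
)

# Constructed sample inputs
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
demo_sub='system:serviceaccount:kube-system:admin-user'
demo_claims="{\"iss\":\"kubernetes/serviceaccount\",\"sub\":\"$demo_sub\"}"
demo_token="e30.$(printf '%s' "$demo_claims" | base64 | tr -d '=\n' | tr '/+' '_-').c2ln"
preflight "$demo_dir/ca.pem" "$demo_token" "https://10.0.0.24" "$demo_sub"
```

With the variables from the steps above, the call would be preflight ca.pem "$SA_TOKEN" "$MASTER_ENDPOINT" followed by the expected subject.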
Add data to the configuration file
- Add information about the Managed Service for Kubernetes cluster to the configuration file.
  Bash:
  Run this command:
  kubectl config set-cluster sa-test2 \
    --certificate-authority=ca.pem \
    --embed-certs \
    --server=$MASTER_ENDPOINT \
    --kubeconfig=test.kubeconfig
  PowerShell:
  Run this command:
  kubectl config set-cluster sa-test2 `
    --certificate-authority=ca.pem `
    --embed-certs `
    --server=$MASTER_ENDPOINT `
    --kubeconfig=test.kubeconfig
- Add information about the token for admin-user to the configuration file.
  Bash:
  Run this command:
  kubectl config set-credentials admin-user \
    --token=$SA_TOKEN \
    --kubeconfig=test.kubeconfig
  PowerShell:
  Run this command:
  kubectl config set-credentials admin-user `
    --token=$SA_TOKEN `
    --kubeconfig=test.kubeconfig
- Add context information to the configuration file.
  Bash:
  Run this command:
  kubectl config set-context default \
    --cluster=sa-test2 \
    --user=admin-user \
    --kubeconfig=test.kubeconfig
  PowerShell:
  Run this command:
  kubectl config set-context default `
    --cluster=sa-test2 `
    --user=admin-user `
    --kubeconfig=test.kubeconfig
- Use the created configuration for further work.
  Bash:
  Run this command:
  kubectl config use-context default \
    --kubeconfig=test.kubeconfig
  PowerShell:
  Run this command:
  kubectl config use-context default `
    --kubeconfig=test.kubeconfig
Check the result
Make sure that the configuration is correct by running the following command:
kubectl get namespace --kubeconfig=test.kubeconfig
Result:
NAME STATUS AGE
default Active 9d