Creating a static configuration file
Static configuration files allow you to access a Managed Service for Kubernetes cluster without using the CLI, e.g., from continuous integration systems.
You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the kubectl config use-context command. For more information about how to configure access to multiple Managed Service for Kubernetes clusters, see the Kubernetes documentation.
To create a configuration file:
- Get a unique cluster ID.
- Prepare a Managed Service for Kubernetes cluster certificate.
- Create a ServiceAccount object.
- Prepare a ServiceAccount token.
- Create and populate a configuration file.
- Check the result.
To run bash commands, you will need a JSON parser: jq.
Getting started
- Create a service account.
- Create a Managed Service for Kubernetes cluster with any suitable configuration.
- Create a node group of any suitable configuration.
- Install kubectl and configure it to work with the created cluster. Add the credentials to the test.kubeconfig file using the --kubeconfig=test.kubeconfig flag.
Get a unique cluster ID
To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.
- Find the unique ID of the Managed Service for Kubernetes cluster:
  Management console:
  - Go to the folder page and select Managed Service for Kubernetes.
  - Click the name of the Managed Service for Kubernetes cluster.
  The unique ID of the Managed Service for Kubernetes cluster will appear in the ID field.
  CLI:
yc managed-kubernetes cluster list
  Result:
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
| ID                   | NAME   | CREATED AT          | HEALTH  | STATUS  | EXTERNAL ENDPOINT      | INTERNAL ENDPOINT  |
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
| catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
- Save the unique ID of the Managed Service for Kubernetes cluster to a variable.
  Bash:
CLUSTER_ID=catb3ppsdsh7********
  PowerShell:
$CLUSTER_ID = "catb3ppsdsh7********"
Prepare a cluster certificate
Save the Managed Service for Kubernetes cluster certificate to a file named ca.pem. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.
Bash:
Run a command that:
- Retrieves Managed Service for Kubernetes cluster information in JSON format.
- Leaves only certificate information and removes extra quotes from the certificate contents.
- Removes unnecessary characters from the certificate contents.
- Saves the certificate to the ca.pem file.
yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
jq -r .master.master_auth.cluster_ca_certificate | \
awk '{gsub(/\\n/,"\n")}1' > ca.pem
PowerShell:
- Get detailed information about the Managed Service for Kubernetes cluster in JSON format and save it to the $CLUSTER variable:
$CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json
- Get the Managed Service for Kubernetes cluster certificate and save it to the ca.pem file:
$CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem
Create a ServiceAccount object
Create a ServiceAccount object to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.
- Save the following specification for creating a ServiceAccount object and its secret in a YAML file named sa.yaml. See the detailed specification of the ServiceAccount object in the Kubernetes documentation.
Kubernetes version: 1.24 or higher
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"
Kubernetes version: 1.23 or lower
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
- Create a ServiceAccount object and a secret for it:
kubectl create -f sa.yaml
Prepare a ServiceAccount token
The token is required for ServiceAccount authentication in the Managed Service for Kubernetes cluster.
Bash:
Run a command that:
- Retrieves information about the previously created admin-user service account in JSON format.
- Leaves only token information and removes extra quotes from the token contents.
- Decodes the token from Base64.
- Saves the token contents to the SA_TOKEN variable.
SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
grep admin-user-token | \
awk '{print $1}') -o json | \
jq -r .data.token | \
base64 -d)
PowerShell:
- Get the ServiceAccount token. Quotation marks in its contents will be removed automatically:
$SECRET = kubectl -n kube-system get secret -o json | `
  ConvertFrom-Json | `
  Select-Object -ExpandProperty items | `
  Where-Object { $_.metadata.name -like "*admin-user*" }
- Decode the token from Base64:
$SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))
Get the cluster IP
Get the Managed Service for Kubernetes cluster IP and add it to the MASTER_ENDPOINT variable for further use.
Bash:
Run a command that:
- Retrieves Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
- Leaves only the Managed Service for Kubernetes cluster IP address.
- Removes extra quotation marks from its contents.
- Saves the IP address to the MASTER_ENDPOINT variable.
To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):
MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
--format json | \
jq -r .master.endpoints.external_v4_endpoint)
To connect to the master through the Managed Service for Kubernetes cluster API from cloud networks:
MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
--format json | \
jq -r .master.endpoints.internal_v4_endpoint)
PowerShell:
Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):
$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint
Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:
$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint
Add data to the configuration file
- Add information about the Managed Service for Kubernetes cluster to the configuration file.
  Bash:
kubectl config set-cluster sa-test2 \
  --certificate-authority=ca.pem \
  --server=$MASTER_ENDPOINT \
  --kubeconfig=test.kubeconfig
  PowerShell:
kubectl config set-cluster sa-test2 `
  --certificate-authority=ca.pem `
  --server=$MASTER_ENDPOINT `
  --kubeconfig=test.kubeconfig
- Add token information for admin-user to the configuration file.
  Bash:
kubectl config set-credentials admin-user \
  --token=$SA_TOKEN \
  --kubeconfig=test.kubeconfig
  PowerShell:
kubectl config set-credentials admin-user `
  --token=$SA_TOKEN `
  --kubeconfig=test.kubeconfig
- Add context information to the configuration file.
  Bash:
kubectl config set-context default \
  --cluster=sa-test2 \
  --user=admin-user \
  --kubeconfig=test.kubeconfig
  PowerShell:
kubectl config set-context default `
  --cluster=sa-test2 `
  --user=admin-user `
  --kubeconfig=test.kubeconfig
- Use the created configuration for further work.
  Bash:
kubectl config use-context default \
  --kubeconfig=test.kubeconfig
  PowerShell:
kubectl config use-context default `
  --kubeconfig=test.kubeconfig
Check the result
Make sure that the configuration is correct by running the following command:
kubectl get namespace --kubeconfig=test.kubeconfig
Result:
NAME STATUS AGE
default Active 9d
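
The resulting test.kubeconfig holds the admin-user token in clear text, and sa.yaml binds that account to cluster-admin, so the file is worth checking before it is handed to a CI system. The script below is an added example, not part of the original documentation: it audits the file permissions and TLS settings of a kubeconfig using only ls, cut and grep. The function names, the sample file contents and the 203.0.113.10 address are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a token-bearing kubeconfig such as test.kubeconfig.

# Prints FAIL/NOTE lines; returns 1 if any FAIL was found, 0 otherwise.
audit_kubeconfig() {
  f=$1; rc=0
  # Characters 5-10 of the ls mode string are the group and other bits.
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "FAIL perms: group/other can access $f (chmod 600)"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*server:[[:space:]]*https://' "$f"; then
    echo "FAIL server: API endpoint is not https://"; rc=1
  fi
  if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$f"; then
    echo "FAIL tls: certificate verification is disabled"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*certificate-authority(-data)?:' "$f"; then
    echo "FAIL ca: no cluster CA configured"; rc=1
  fi
  if grep -Eq '^[[:space:]]*token:' "$f"; then
    echo "NOTE token: static bearer token embedded; store the file as a secret"
  fi
  return $rc
}

# Constructed sample in the layout kubectl writes for this page's entries;
# the token is a placeholder and the address is from a documentation range.
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: ca.pem
    server: https://203.0.113.10
  name: sa-test2
users:
- name: admin-user
  user:
    token: PLACEHOLDER_TOKEN
EOF
}

sample=$(mktemp)
write_sample "$sample"
chmod 644 "$sample"                 # what a default umask often leaves behind
audit_kubeconfig "$sample" || true  # prints FAIL perms and NOTE token
rm -f "$sample"
```

Run audit_kubeconfig test.kubeconfig after the use-context step; a non-zero exit status can gate the CI job that consumes the file.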