Creating a static configuration file

Written by Yandex Cloud. Improved by humass. Updated at November 22, 2024.

Static configuration files allow you to access a Managed Service for Kubernetes cluster without using the CLI, e.g., from continuous integration systems.

You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the kubectl config use-context command. For more information about how to configure access to multiple Managed Service for Kubernetes clusters, see the Kubernetes documentation.

To create a configuration file:

  • Get a unique cluster ID.
  • Prepare a Managed Service for Kubernetes cluster certificate.
  • Create a ServiceAccount object.
  • Prepare a ServiceAccount token.
  • Create and populate a configuration file.
  • Check the result.

To run bash commands, you will need a JSON parser: jq.

Getting started

  1. Create a service account.
  2. Create a Managed Service for Kubernetes cluster with any suitable configuration.
  3. Create a node group of any suitable configuration.
  4. Install kubectl and set it up to work with the created cluster. Add the credentials to the test.kubeconfig configuration file using the --kubeconfig=test.kubeconfig flag.

Get a unique cluster ID

To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.

  1. Find the unique ID of the Managed Service for Kubernetes cluster:

    Management console:

    1. Go to the folder page and select Managed Service for Kubernetes.
    2. Click the name of the Managed Service for Kubernetes cluster.

    The unique ID of the Managed Service for Kubernetes cluster will appear in the ID field.

    CLI:

    yc managed-kubernetes cluster list
    

    Result:

    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
    |          ID          |  NAME  |     CREATED AT      | HEALTH  | STATUS  |    EXTERNAL ENDPOINT   |  INTERNAL ENDPOINT |
    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
    | catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
    
  2. Save the unique ID of the Managed Service for Kubernetes cluster to a variable.

    Bash:

    CLUSTER_ID=catb3ppsdsh7********

    PowerShell:

    $CLUSTER_ID = "catb3ppsdsh7********"
    

Prepare a cluster certificate

Save the Managed Service for Kubernetes cluster certificate to the ca.pem file. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.

Bash:

Run a command that:

  • Retrieves Managed Service for Kubernetes cluster information in JSON format.
  • Retains certificate information only and removes excessive quotation marks from the certificate contents.
  • Removes unnecessary characters from the certificate contents.
  • Saves the certificate to the ca.pem file.

yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
  jq -r .master.master_auth.cluster_ca_certificate | \
  awk '{gsub(/\\n/,"\n")}1' > ca.pem

PowerShell:

  1. Get detailed information about the Managed Service for Kubernetes cluster in JSON format and save it to the $CLUSTER variable:

    $CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json

  2. Get the Managed Service for Kubernetes cluster certificate and save it to the ca.pem file:

    $CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem
    

Create a ServiceAccount object

Create a ServiceAccount object to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.

  1. Save the following specification for creating the ServiceAccount object and its secret to a YAML file named sa.yaml.

    For more information about the ServiceAccount object, see the Kubernetes documentation.

    Kubernetes version: 1.24 or higher:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: admin-user-token
      namespace: kube-system
      annotations:
        kubernetes.io/service-account.name: "admin-user"

    Kubernetes version: 1.23 or lower:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system
    
  2. Create the ServiceAccount object and a secret for it:

    kubectl create -f sa.yaml
    

Prepare the ServiceAccount token

This token is used to authenticate the ServiceAccount object in the Managed Service for Kubernetes cluster.

Bash:

Run a command that:

  • Retrieves information about the previously created admin-user service account in JSON format.
  • Retains token information only and removes excessive quotation marks from the token contents.
  • Decodes the token from Base64.
  • Saves the token contents to the SA_TOKEN variable.

SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
  grep admin-user-token | \
  awk '{print $1}') -o json | \
  jq -r .data.token | \
  base64 -d)

PowerShell:

  1. Get a token for the ServiceAccount object. Quotation marks in its contents will be removed automatically:

    $SECRET = kubectl -n kube-system get secret -o json | `
      ConvertFrom-Json | `
      Select-Object -ExpandProperty items | `
      Where-Object { $_.metadata.name -like "*admin-user*" }

  2. Decode the token from Base64:

    $SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))
    

Get the cluster IP

Get the Managed Service for Kubernetes cluster IP address and add it to the MASTER_ENDPOINT variable for future use.

Bash:

Run a command that:

  • Retrieves Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
  • Leaves only the Managed Service for Kubernetes cluster IP address.
  • Removes excessive quotation marks from its contents.
  • Writes the IP address to the MASTER_ENDPOINT variable.

To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.external_v4_endpoint)

To connect to the Managed Service for Kubernetes cluster API from cloud networks:

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.internal_v4_endpoint)

PowerShell:

Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint

Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint

Add data to the configuration file

  1. Add information about the Managed Service for Kubernetes cluster to the configuration file.

    Bash:

    kubectl config set-cluster sa-test2 \
      --certificate-authority=ca.pem \
      --embed-certs \
      --server=$MASTER_ENDPOINT \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config set-cluster sa-test2 `
      --certificate-authority=ca.pem `
      --embed-certs `
      --server=$MASTER_ENDPOINT `
      --kubeconfig=test.kubeconfig
    
  2. Add information about the token for admin-user to the configuration file.

    Bash:

    kubectl config set-credentials admin-user \
      --token=$SA_TOKEN \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config set-credentials admin-user `
      --token=$SA_TOKEN `
      --kubeconfig=test.kubeconfig
    
  3. Add context information to the configuration file.

    Bash:

    kubectl config set-context default \
      --cluster=sa-test2 \
      --user=admin-user \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config set-context default `
      --cluster=sa-test2 `
      --user=admin-user `
      --kubeconfig=test.kubeconfig
    
  4. Use the created configuration for further work.

    Bash:

    kubectl config use-context default \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config use-context default `
      --kubeconfig=test.kubeconfig
    

Check the result

Make sure that the configuration is correct by running the following command:

kubectl get namespace --kubeconfig=test.kubeconfig

Result:

NAME     STATUS  AGE
default  Active  9d
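
The token written to test.kubeconfig is a JWT bound to the admin-user ServiceAccount, which the ClusterRoleBinding above maps to cluster-admin, so it is worth confirming which subject it names and whether it expires before storing the file in a CI system. The script below is an added example, not part of the Yandex Cloud guide: it decodes the token claims using only coreutils, and the function names and the sample token builder are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: inspect a ServiceAccount token (a JWT) before storing it in CI.
# Usage: check_sa_token "$SA_TOKEN" system:serviceaccount:kube-system:admin-user
#        private_file test.kubeconfig

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  _seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')  # base64url -> base64
  case $(( ${#_seg} % 4 )) in                            # restore stripped padding
    2) _seg="$_seg==" ;;
    3) _seg="$_seg=" ;;
  esac
  printf '%s' "$_seg" | base64 -d
}

# Print one flat string or numeric claim; prints nothing if the claim is absent.
jwt_claim() {
  jwt_payload "$1" | tr -d '\n' |
    sed -n 's|.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\)"\{0,1\}.*|\1|p'
}

# Succeed only if the token names the expected subject and has not expired.
check_sa_token() {
  _sub=$(jwt_claim "$1" sub)
  _exp=$(jwt_claim "$1" exp)
  if [ "$_sub" != "$2" ]; then
    echo "FAIL: subject is '$_sub', expected '$2'"; return 1
  fi
  if [ -z "$_exp" ]; then
    echo "WARN: no exp claim, valid until the Secret or ServiceAccount is deleted"
  elif [ "$_exp" -le "$(date +%s)" ]; then
    echo "FAIL: token expired at epoch $_exp"; return 1
  else
    echo "OK: token expires at epoch $_exp"
  fi
}

# Succeed only if the file grants no permissions to group or others.
private_file() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample input: an unsigned JWT wrapping the given JSON payload.
make_sample_token() {
  _body=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'e30.%s.sig' "$_body"
}
```

Tokens read from a kubernetes.io/service-account-token Secret carry no exp claim, so for the SA_TOKEN prepared above the check prints the WARN line; deleting the Secret or the ServiceAccount is what revokes such a token.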
