Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a static configuration file

Written by
Improved by
Updated at August 11, 2025

Static configuration files allow you to access a Managed Service for Kubernetes cluster without using the CLI, e.g., from continuous integration systems.

Tip

For integration with GitLab, we recommend using the GitLab Runner application installed in the cluster. For more information, see Continuous deployment of containerized applications using GitLab.

You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the kubectl config use-context command. For more information about how to configure access to multiple Managed Service for Kubernetes clusters, see the Kubernetes documentation.

To create a configuration file:

To run bash commands, you will need a JSON parser: jq.

Getting started

  1. Create a service account.
  2. Create a Managed Service for Kubernetes cluster in any suitable configuration.
  3. Create a node group of any suitable configuration.
  4. Install kubect and configure it to work with the new cluster. Add the credentials to the test.kubeconfig configuration file using the --kubeconfig=test.kubeconfig parameter.

Get a unique cluster ID

To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.

  1. Find the unique ID of the Managed Service for Kubernetes cluster:

    1. Go to the folder page and select Managed Service for Kubernetes.
    2. Click the name of the Managed Service for Kubernetes cluster.

    The unique ID of the Managed Service for Kubernetes cluster will appear in the ID field.

    yc managed-kubernetes cluster list

    Result:

    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
|          ID          |  NAME  |     CREATED AT      | HEALTH  | STATUS  |    EXTERNAL ENDPOINT   |  INTERNAL ENDPOINT |
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
| catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
+----------------------+--------+---------------------+---------+---------+------------------------+--------------------+

  2. Save the unique ID of the Managed Service for Kubernetes cluster to a variable.

    CLUSTER_ID=catb3ppsdsh7********

    $CLUSTER_ID = "catb3ppsdsh7********"

Prepare a cluster certificate

Save the Managed Service for Kubernetes cluster certificate to the ca.pem file. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.

Run a command that:

  • Retrieves Managed Service for Kubernetes cluster information in JSON format.
  • Retains certificate information only and removes excessive quotation marks from the certificate contents.
  • Removes unnecessary characters from the certificate contents.
  • Saves the certificate to the ca.pem file.
yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
  jq -r .master.master_auth.cluster_ca_certificate | \
  awk '{gsub(/\\n/,"\n")}1' > ca.pem

  1. Get detailed information about the Managed Service for Kubernetes cluster in JSON format and save it to the $CLUSTER variable:

    $CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json

  2. Get the Managed Service for Kubernetes cluster certificate and save it to the ca.pem file:

    $CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem

Create a ServiceAccount object

Create an object named ServiceAccount to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.

  1. Save the following specification for creating the ServiceAccount object and its secret to a YAML file named sa.yaml.

    For more information about the ServiceAccount object, see the Kubernetes documentation.

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

  2. Create the ServiceAccount object and a secret for it:

    kubectl create -f sa.yaml

Prepare the ServiceAccount token

This token is used to authenticate the ServiceAccount object in the Managed Service for Kubernetes cluster.

Run a command that:

  • Retrieves information about the previously created admin-user service account in JSON format.
  • Retains token information only and removes excessive quotation marks from the token contents.
  • Decodes the token from Base64.
  • Saves the token contents to the SA_TOKEN variable.
SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
  grep admin-user-token | \
  awk '{print $1}') -o json | \
  jq -r .data.token | \
  base64 -d)

  1. Get a token for the ServiceAccount object. Quotation marks in its contents will be removed automatically:

    $SECRET = kubectl -n kube-system get secret -o json | `
  ConvertFrom-Json | `
  Select-Object -ExpandProperty items | `
  Where-Object { $_.metadata.name -like "*admin-user*" }

  2. Decode the token from Base64:

    $SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))

Get the cluster IP

Get the Managed Service for Kubernetes cluster IP address and add it to the MASTER_ENDPOINT variable for future use.

Run a command that:

  • Retrieves Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
  • Leaves only the Managed Service for Kubernetes cluster IP address.
  • Removes excessive quotation marks from its contents.
  • Writes the IP address to the MASTER_ENDPOINT variable.

To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud).

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.external_v4_endpoint)

To use the Managed Service for Kubernetes cluster API for connecting to the master from cloud networks.

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.internal_v4_endpoint)

Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint

Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint

Add data to the configuration file

  1. Add information about the Managed Service for Kubernetes cluster to the configuration file.

    Run this command:

    kubectl config set-cluster sa-test2 \
  --certificate-authority=ca.pem \
  --embed-certs \
  --server=$MASTER_ENDPOINT \
  --kubeconfig=test.kubeconfig

    Run this command:

    kubectl config set-cluster sa-test2 `
  --certificate-authority=ca.pem `
  --embed-certs `
  --server=$MASTER_ENDPOINT `
  --kubeconfig=test.kubeconfig

  2. Add information about the token for admin-user to the configuration file.

    Run this command:

    kubectl config set-credentials admin-user \
  --token=$SA_TOKEN \
  --kubeconfig=test.kubeconfig

    Run this command:

    kubectl config set-credentials admin-user `
  --token=$SA_TOKEN `
  --kubeconfig=test.kubeconfig

  3. Add context information to the configuration file.

    Run this command:

    kubectl config set-context default \
  --cluster=sa-test2 \
  --user=admin-user \
  --kubeconfig=test.kubeconfig

    Run this command:

    kubectl config set-context default `
  --cluster=sa-test2 `
  --user=admin-user `
  --kubeconfig=test.kubeconfig

  4. Use the created configuration for further work.

    Run this command:

    kubectl config use-context default \
  --kubeconfig=test.kubeconfig

    Run this command:

    kubectl config use-context default `
  --kubeconfig=test.kubeconfig

Check the result

Make sure that the configuration is correct by running the following command:

kubectl get namespace --kubeconfig=test.kubeconfig

Result:

NAME     STATUS  AGE
default  Active  9d

The test.kubeconfig file enables you to connect to the cluster without the CLI, e.g., from continuous integration systems, and also use the kubectl config use-context command to switch between clusters.

Warning

To store the static configuration file, use a storage for secrets or encryption.

Previous
Configuring security groups
Next
Getting started with Cloud Marketplace