© 2026 Direct Cursus Technology L.L.C.
Creating a static configuration file

Written by Yandex Cloud
Improved by humass
Updated at January 26, 2026

Static configuration files allow you to access a Managed Service for Kubernetes cluster without using the CLI, e.g., from continuous integration systems.

Tip

For integration with GitLab, we recommend using the GitLab Runner application installed in the cluster. Learn more in Continuous deployment of containerized applications using GitLab.

You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the kubectl config use-context command. Learn more about configuring access to multiple Managed Service for Kubernetes clusters in this Kubernetes guide.

To create a configuration file:

  • Get a unique cluster ID.
  • Prepare a Managed Service for Kubernetes cluster certificate.
  • Create a ServiceAccount object.
  • Prepare a ServiceAccount token.
  • Create and populate a configuration file.
  • Check the result.

To run bash commands, you will need a JSON parser, jq.

Getting started

  1. Create a service account.
  2. Create a Managed Service for Kubernetes cluster with any suitable configuration.
  3. Create a node group with any suitable configuration.
  4. Install kubectl and set it up to work with the new cluster. Add the credentials to the test.kubeconfig configuration file using the --kubeconfig=test.kubeconfig parameter.

Get a unique cluster ID

To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.

  1. Get the unique ID of the Managed Service for Kubernetes cluster:

    Management console:

    1. Go to the folder page and select Managed Service for Kubernetes.
    2. Click the name of the Managed Service for Kubernetes cluster.

    The unique ID of the Managed Service for Kubernetes cluster will appear in the ID field.

    CLI:

    yc managed-kubernetes cluster list

    Result:

    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
    |          ID          |  NAME  |     CREATED AT      | HEALTH  | STATUS  |    EXTERNAL ENDPOINT   |  INTERNAL ENDPOINT |
    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
    | catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
    +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
    
  2. Save the unique ID of the Managed Service for Kubernetes cluster to a variable:

    Bash:

    CLUSTER_ID=catb3ppsdsh7********

    PowerShell:

    $CLUSTER_ID = "catb3ppsdsh7********"

Prepare a cluster certificate

Save the Managed Service for Kubernetes cluster certificate to the ca.pem file. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.

Bash:

Run a command that:

  • Retrieves the Managed Service for Kubernetes cluster information in JSON format.
  • Only retains the certificate information and removes excessive quotation marks from the certificate contents.
  • Removes excessive characters from the certificate contents.
  • Saves the certificate to the ca.pem file.

yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
  jq -r .master.master_auth.cluster_ca_certificate | \
  awk '{gsub(/\\n/,"\n")}1' > ca.pem

PowerShell:

  1. Get the Managed Service for Kubernetes cluster details in JSON format and save them to the $CLUSTER variable:

    $CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json

  2. Get the Managed Service for Kubernetes cluster certificate and save it to the ca.pem file:

    $CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem

Create a ServiceAccount object

Create a ServiceAccount object to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.

  1. Save the following specification for creating the ServiceAccount object and its secret to a YAML file named sa.yaml.

    For more information about the ServiceAccount object, see this Kubernetes guide.

    Kubernetes version 1.24 or higher:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: admin-user-token
      namespace: kube-system
      annotations:
        kubernetes.io/service-account.name: "admin-user"

    Kubernetes version 1.23 or lower:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system
  2. Create a ServiceAccount object and a secret for it:

    kubectl create -f sa.yaml
    

Prepare a ServiceAccount token

This token is used to authenticate the ServiceAccount object in the Managed Service for Kubernetes cluster.

Bash:

Run a command that:

  • Retrieves information about the previously created admin-user service account in JSON format.
  • Only retains the token information and removes excessive quotation marks from the token contents.
  • Decodes the token from Base64.
  • Saves the token contents to the SA_TOKEN variable.

SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
  grep admin-user-token | \
  awk '{print $1}') -o json | \
  jq -r .data.token | \
  base64 -d)

PowerShell:

  1. Get a token for the ServiceAccount object. Quotation marks in its contents will be removed automatically:

    $SECRET = kubectl -n kube-system get secret -o json | `
      ConvertFrom-Json | `
      Select-Object -ExpandProperty items | `
      Where-Object { $_.metadata.name -like "*admin-user*" }

  2. Decode the token from Base64:

    $SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))
    

Get the cluster IP address

Get the Managed Service for Kubernetes cluster IP address and add it to the MASTER_ENDPOINT variable for future use.

Bash:

Run a command that:

  • Retrieves the Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
  • Retains only the Managed Service for Kubernetes cluster IP address.
  • Removes excessive quotation marks from its contents.
  • Writes the IP address to the MASTER_ENDPOINT variable.

To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.external_v4_endpoint)

To connect to the Managed Service for Kubernetes cluster API from cloud networks:

MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.internal_v4_endpoint)

PowerShell:

Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint

Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:

$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint

Add data to the configuration file

  1. Add information about the Managed Service for Kubernetes cluster to the configuration file.

    Bash:

    kubectl config set-cluster sa-test2 \
      --certificate-authority=ca.pem \
      --embed-certs \
      --server=$MASTER_ENDPOINT \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config set-cluster sa-test2 `
      --certificate-authority=ca.pem `
      --embed-certs `
      --server=$MASTER_ENDPOINT `
      --kubeconfig=test.kubeconfig
    
  2. Add information about the token for admin-user to the configuration file.

    Bash:

    kubectl config set-credentials admin-user \
      --token=$SA_TOKEN \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config set-credentials admin-user `
      --token=$SA_TOKEN `
      --kubeconfig=test.kubeconfig
    
  3. Add context information to the configuration file.

    Bash:

    kubectl config set-context default \
      --cluster=sa-test2 \
      --user=admin-user \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config set-context default `
      --cluster=sa-test2 `
      --user=admin-user `
      --kubeconfig=test.kubeconfig
    
  4. Use the configuration you created for further operations.

    Bash:

    kubectl config use-context default \
      --kubeconfig=test.kubeconfig

    PowerShell:

    kubectl config use-context default `
      --kubeconfig=test.kubeconfig
    

Check the result

Make sure the configuration is correct by running this command:

kubectl get namespace --kubeconfig=test.kubeconfig

Result:

NAME     STATUS  AGE
default  Active  9d

The test.kubeconfig file enables you to connect to the cluster without the CLI, e.g., from continuous integration systems, as well as use the kubectl config use-context command to switch between clusters.

Warning

Keep the static configuration file in a secret storage or encrypt it: it contains the admin-user token.
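
An added example, not part of the Yandex Cloud guide: a shell check to run on test.kubeconfig before it is placed in a secret storage or a CI variable. It confirms what the steps above should have produced: owner-only file permissions, an https:// server, the CA embedded by --embed-certs, TLS verification left on, and a non-empty token. The function name audit_kubeconfig is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Yandex Cloud code. audit_kubeconfig is a hypothetical helper.
# Usage: audit_kubeconfig test.kubeconfig   (returns 0 if clean, 1 otherwise)

audit_kubeconfig() {
  kc_file=$1
  kc_findings=0
  kc_fail() { echo "FAIL: $1"; kc_findings=$((kc_findings + 1)); }

  if [ ! -f "$kc_file" ]; then
    echo "FAIL: $kc_file not found"
    return 1
  fi

  # The file holds the admin-user token: group/other permission bits must be clear.
  if [ "$(ls -ld -- "$kc_file" | cut -c5-10)" != "------" ]; then
    kc_fail "accessible beyond the owner; run: chmod 600 $kc_file"
  fi

  # set-cluster --server must have written an https:// endpoint, and only such.
  if ! grep -qE '^[[:space:]]*server:[[:space:]]*https://' "$kc_file"; then
    kc_fail "no https:// server entry"
  fi
  if grep -E '^[[:space:]]*server:' "$kc_file" |
     grep -vqE 'server:[[:space:]]*https://'; then
    kc_fail "a server entry does not use https://"
  fi

  # --embed-certs stores ca.pem inline as certificate-authority-data.
  if ! grep -qE '^[[:space:]]*certificate-authority-data:[[:space:]]*[A-Za-z0-9+/=]+' "$kc_file"; then
    kc_fail "cluster CA is not embedded"
  fi

  # TLS verification must not be switched off.
  if grep -qE '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$kc_file"; then
    kc_fail "insecure-skip-tls-verify is enabled"
  fi

  # set-credentials --token must have written a non-empty token.
  if ! grep -qE '^[[:space:]]*token:[[:space:]]*[A-Za-z0-9]' "$kc_file"; then
    kc_fail "user entry has no token"
  fi

  [ "$kc_findings" -eq 0 ] && echo "OK: $kc_file passed all checks"
  [ "$kc_findings" -eq 0 ]
}
```

An empty token usually means SA_TOKEN was empty when set-credentials ran, for example because the secret lookup matched nothing.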
