Creating a static configuration file
Static configuration files let you access a Kubernetes cluster without using the CLI (for example, from continuous integration systems).
You can also use a static configuration file to configure access to multiple Kubernetes clusters. You can quickly switch between Kubernetes clusters described in configuration files using the kubectl config use-context command. For more information about how to configure access to multiple Kubernetes clusters, see the Kubernetes documentation.
To create a configuration file:
- Prepare the Kubernetes cluster certificate.
- Create a ServiceAccount object.
- Prepare a ServiceAccount token.
- Create and populate a configuration file.
- Check the results.
To run bash commands, you'll need a JSON parser: jq.
Get a unique Kubernetes cluster ID
To access a Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.
- Find the unique ID of the Kubernetes cluster:
Management console:
- Go to the folder page and select Managed Service for Kubernetes.
- Click on the name of the Kubernetes cluster.
You can see the unique ID of the Kubernetes cluster under General information.
CLI:
ncp managed-kubernetes cluster list
Result:
+----------------------+----------+---------------------+---------+---------+-------------------------+----------------------+
| ID                   | NAME     | CREATED AT          | HEALTH  | STATUS  | EXTERNAL ENDPOINT       | INTERNAL ENDPOINT    |
+----------------------+----------+---------------------+---------+---------+-------------------------+----------------------+
| catb3ppsdsh7vajr216f | my-k8s   | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/  | https://10.0.0.24/   |
+----------------------+----------+---------------------+---------+---------+-------------------------+----------------------+
- Save the unique ID of the Kubernetes cluster to a variable.
Bash:
CLUSTER_ID=catb3ppsdsh7vajr216f
PowerShell:
$CLUSTER_ID = "catb3ppsdsh7vajr216f"
Prepare the Kubernetes cluster certificate
Save the Kubernetes cluster certificate to a ca.pem file. This certificate confirms the authenticity of the Kubernetes cluster.
Bash:
Run a command that:
- Retrieves cluster information in JSON format.
- Leaves only certificate information and removes extra quotes from the certificate contents.
- Removes unnecessary characters from the certificate contents.
- Saves the certificate to the ca.pem file.
ncp managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
  jq -r .master.master_auth.cluster_ca_certificate | \
  awk '{gsub(/\\n/,"\n")}1' > ca.pem
PowerShell:
- Get detailed information about the Kubernetes cluster in JSON format and save it to the $CLUSTER variable:
$CLUSTER = ncp managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json
- Get the Kubernetes cluster certificate and save it to the ca.pem file:
$CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem
Create a ServiceAccount object
Create a ServiceAccount object to interact with the Kubernetes API inside the Kubernetes cluster.
- Save the following specification for ServiceAccount creation in a YAML file named sa.yaml. See the detailed specification of the ServiceAccount object in the Kubernetes documentation. Besides the ServiceAccount itself, the specification binds admin-user to the cluster-admin ClusterRole, which grants full access to the cluster, and creates a Secret of type kubernetes.io/service-account-token that holds the account's token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"
- Create a ServiceAccount object.
kubectl create -f sa.yaml
Prepare a ServiceAccount token
The token is required for ServiceAccount authentication in the Kubernetes cluster.
Bash:
Run a command that:
- Retrieves information about the admin-user service account in JSON format.
- Leaves only the token information and removes extra quotes from the token contents.
- Decodes the token from Base64.
- Saves the token contents to the SA_TOKEN variable.
SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
  grep admin-user-token | \
  awk '{print $1}') -o json | \
  jq -r .data.token | \
  base64 --decode)
PowerShell:
- Get the ServiceAccount token. Quotation marks in its contents will be removed automatically:
$SECRET = kubectl -n kube-system get secret -o json | `
  ConvertFrom-Json | `
  Select-Object -ExpandProperty items | `
  Where-Object { $_.metadata.name -like "*admin-user*" }
- Decode the token from Base64:
$SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))
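Before the token is written into a configuration file, it is worth seeing what it asserts. The following is an added example, not part of the original page: it decodes the claims of a ServiceAccount token without verifying the signature and reports whether the token carries an expiry. The function names and the sample token are constructed for illustration; with SA_TOKEN set as above, the real token is inspected instead.

```shell
# Added example: inspect the claims of a ServiceAccount token (no signature check).

# base64url -> bytes: map the URL-safe alphabet back and restore '=' padding.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 --decode
}

# Print the JSON claims, which are the second dot-separated segment of the JWT.
jwt_claims() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  [ -n "$payload" ] || return 1
  b64url_decode "$payload"
}

# Return 0 if the claims contain an "exp" key, 1 if the token never expires.
# A plain text match is enough here because no claim value contains '"exp":'.
jwt_has_expiry() {
  jwt_claims "$1" | grep -q '"exp"[[:space:]]*:'
}

# Constructed sample shaped like a Secret-based token for admin-user.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"admin-user-token","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kube-system:admin-user"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256"}').$(b64url_encode "$SAMPLE_CLAIMS").c2lnbmF0dXJl"

jwt_claims "${SA_TOKEN:-$SAMPLE_TOKEN}"; echo
if jwt_has_expiry "${SA_TOKEN:-$SAMPLE_TOKEN}"; then
  echo "token has an expiry"
else
  echo "token has no exp claim"
fi
```

A token read from a kubernetes.io/service-account-token Secret has no exp claim, so it stays valid until the Secret or the ServiceAccount is deleted.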
Get the Kubernetes cluster's IP address
Get the Kubernetes cluster IP and add it to the MASTER_ENDPOINT variable for further use.
Bash:
Run a command that:
- Retrieves information about the Kubernetes cluster with the unique ID c497ipckbqppifcvrnrk in JSON format.
- Leaves only the Kubernetes cluster IP address.
- Removes extra quotation marks from its contents.
- Saves the IP address to the MASTER_ENDPOINT variable.
To connect to the Kubernetes cluster API from the internet (outside Nebius AI):
MASTER_ENDPOINT=$(ncp managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.external_v4_endpoint)
To connect to the Kubernetes cluster API from cloud networks:
MASTER_ENDPOINT=$(ncp managed-kubernetes cluster get --id $CLUSTER_ID \
  --format json | \
  jq -r .master.endpoints.internal_v4_endpoint)
PowerShell:
Run the command below to connect to the Kubernetes cluster API from the internet (outside Nebius AI):
$MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint
Run the command below to connect to the Kubernetes cluster API from cloud networks:
$MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint
Create and populate a configuration file
- Add information about the Kubernetes cluster to the configuration file.
Bash:
Run the command:
kubectl config set-cluster sa-test2 \
  --certificate-authority=ca.pem \
  --server=$MASTER_ENDPOINT \
  --kubeconfig=test.kubeconfig
PowerShell:
Run the command:
kubectl config set-cluster sa-test2 `
  --certificate-authority=ca.pem `
  --server=$MASTER_ENDPOINT `
  --kubeconfig=test.kubeconfig
- Add token information for admin-user to the configuration file.
Bash:
Run the command:
kubectl config set-credentials admin-user \
  --token=$SA_TOKEN \
  --kubeconfig=test.kubeconfig
PowerShell:
Run the command:
kubectl config set-credentials admin-user `
  --token=$SA_TOKEN `
  --kubeconfig=test.kubeconfig
- Add context information to the configuration file.
Bash:
Run the command:
kubectl config set-context default \
  --cluster=sa-test2 \
  --user=admin-user \
  --kubeconfig=test.kubeconfig
PowerShell:
Run the command:
kubectl config set-context default `
  --cluster=sa-test2 `
  --user=admin-user `
  --kubeconfig=test.kubeconfig
- Use the created configuration for further work.
Bash:
Run the command:
kubectl config use-context default \
  --kubeconfig=test.kubeconfig
PowerShell:
Run the command:
kubectl config use-context default `
  --kubeconfig=test.kubeconfig
Check the results
Make sure that the configuration is correct by running the command:
kubectl get namespace --kubeconfig=test.kubeconfig
Result:
NAME      STATUS   AGE
default   Active   9d
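The resulting file stores the admin-user token in clear text and, because set-cluster was run without --embed-certs, refers to ca.pem by path rather than embedding it. The following added example, which is not part of the original page, audits such a file before it is copied to a CI system. The names audit_kubeconfig and write_sample, the address 203.0.113.10 and the token value are constructed for illustration.

```shell
# Added example: pre-flight audit of a static kubeconfig such as test.kubeconfig.
# Prints one finding per line and returns 1 if anything was found.
audit_kubeconfig() {
  local f="$1" dir ca findings=0
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  dir=$(dirname "$f")
  # The file holds a bearer token: group and others must have no access.
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "permissions: group or others can access $f (use chmod 600)"; findings=1
  fi
  # Without --embed-certs the CA is a path, resolved relative to the kubeconfig.
  ca=$(sed -n 's/^[[:space:]]*certificate-authority:[[:space:]]*//p' "$f" | head -n 1)
  if [ -n "$ca" ]; then
    case "$ca" in /*) ;; *) ca="$dir/$ca" ;; esac
    [ -f "$ca" ] || { echo "ca: $ca not found"; findings=1; }
  elif ! grep -q 'certificate-authority-data:' "$f"; then
    echo "ca: no certificate authority configured"; findings=1
  fi
  # With this setting the client skips server certificate verification.
  if grep -Eq 'insecure-skip-tls-verify:[[:space:]]*true' "$f"; then
    echo "tls: insecure-skip-tls-verify is enabled"; findings=1
  fi
  return "$findings"
}

# Constructed sample shaped like the file built on this page (placeholder values).
write_sample() {
  cat > "$1/test.kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: sa-test2
  cluster:
    certificate-authority: ca.pem
    server: https://203.0.113.10
contexts:
- name: default
  context: {cluster: sa-test2, user: admin-user}
current-context: default
users:
- name: admin-user
  user: {token: CONSTRUCTED-PLACEHOLDER-TOKEN}
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp" && chmod 644 "$tmp/test.kubeconfig"
audit_kubeconfig "$tmp/test.kubeconfig" || echo "resolve the findings before using this file"
```

On the sample, the audit reports the loose file mode and the missing ca.pem; both disappear once the file is set to mode 600 and ca.pem is placed beside it.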