
How to access my EMK cluster?

Estimated time to read: 4 minutes

In this tutorial you learn how to access your Kubernetes cluster for the first time.


  • Fuga Cloud Account
  • An EMK Cluster

There are two ways to access a Kubernetes cluster: dynamic and static. Since Kubernetes v1.27 it is only possible to use a dynamically generated temporary kubeconfig (lasts for 90 days).

The static kubeconfig always has cluster-admin privileges. The dynamic one is based on the role of the service account. Depending on whether the role is admin or viewer, you get cluster-admin privileges or read-only access to all APIs except the core/v1.Secret API.

To get access, you need to have kubectl available.

Head over to the service account tab in your EMK overview in the Fuga Dashboard. Here you will find a default service account. You can use the default one or create a new one. To request the kubeconfig for your cluster, the service account must have the role admin or viewer.

Service account overview

Then click on the “...”, click on show kubeconfig, and download the kubeconfig of your service account. You will use this kubeconfig to request a kubeconfig that can access your cluster.

Cluster access form

Currently you have configured it to request a certificate that will expire after 3600 seconds. It is possible to change this to a maximum of 1 day.

We now have the request data to request the kubeconfig. We can use the following command to request it (use the correct information for your environment and cluster):

Expiration time

It is possible to extend the expiration of a dynamically generated temporary kubeconfig to a maximum of 1 day.

Time       Seconds
10 min     600
1 hour     3600
8 hours    28800
1 day      86400

# Request an admin kubeconfig (cluster-admin privileges)
export NAMESPACE=<your_emk_project_name>
export SHOOT=<your_shoot_name>
kubectl create \
    -f <(printf '{"spec":{"expirationSeconds":3600}}') \
    --raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/adminkubeconfig | \
    jq -r ".status.kubeconfig" | \
    base64 -d > emk-cluster-${NAMESPACE}-${SHOOT}.yaml

# Request a viewer kubeconfig (read-only access)
export NAMESPACE=<your_emk_project_name>
export SHOOT=<your_shoot_name>
kubectl create \
    -f <(printf '{"spec":{"expirationSeconds":3600}}') \
    --raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/viewerkubeconfig | \
    jq -r ".status.kubeconfig" | \
    base64 -d > emk-cluster-${NAMESPACE}-${SHOOT}.yaml

Now it is possible to access the cluster as admin or viewer based on a service account:

% kubectl top nodes
NAME              CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
shoot--xxx--xxx   208m         10%    1796Mi          66%
shoot--yyy--yyy   180m         9%     1903Mi          70%
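
The request step above wrapped as a shell function, as an added example that is not part of Fuga's documentation: it defaults to the read-only viewer role, rejects lifetimes above the 1 day maximum, and writes the kubeconfig with owner-only permissions. The function names and the full `/apis/core.gardener.cloud/v1beta1/...` path (the standard Gardener API path) are assumptions, and kubectl must already be using the service account kubeconfig.

```shell
# Added example, not Fuga's own script. Assumes kubectl is already using the
# service account kubeconfig and that EMK serves the standard Gardener API path.
MAX_EXPIRATION=86400   # 1 day, the maximum stated on this page

# Print the JSON request body; reject anything but a whole number <= the maximum.
build_request_body() {
    case "$1" in
        ''|*[!0-9]*|0*|??????*) echo "invalid expiration: $1" >&2; return 1 ;;
    esac
    if [ "$1" -gt "$MAX_EXPIRATION" ]; then
        echo "expiration exceeds $MAX_EXPIRATION seconds" >&2; return 1
    fi
    printf '{"spec":{"expirationSeconds":%s}}' "$1"
}

# Print the shoot subresource path for NAMESPACE SHOOT ROLE (admin or viewer).
kubeconfig_path() {
    for name in "$1" "$2"; do
        case "$name" in
            ''|*[!a-z0-9-]*) echo "invalid name: $name" >&2; return 1 ;;
        esac
    done
    case "$3" in
        admin|viewer) ;;
        *) echo "role must be admin or viewer" >&2; return 1 ;;
    esac
    printf '/apis/core.gardener.cloud/v1beta1/namespaces/%s/shoots/%s/%skubeconfig' "$1" "$2" "$3"
}

# request_kubeconfig NAMESPACE SHOOT [ROLE] [SECONDS]
# Defaults to the read-only viewer role and a 10 minute lifetime.
request_kubeconfig() {
    out="emk-cluster-$1-$2.yaml"
    body=$(build_request_body "${4:-600}") || return 1
    path=$(kubeconfig_path "$1" "$2" "${3:-viewer}") || return 1
    (
        umask 077    # the kubeconfig holds credentials: owner-only permissions
        tmp=$(mktemp "$out.XXXXXX") || exit 1
        if printf '%s' "$body" | kubectl create -f - --raw "$path" \
                | jq -r '.status.kubeconfig // empty' | base64 -d > "$tmp" \
                && [ -s "$tmp" ]; then
            mv "$tmp" "$out"     # replace the old file only on success
        else
            rm -f "$tmp"
            echo "kubeconfig request failed; $out left unchanged" >&2
            exit 1
        fi
    )
}
```

Call it as `request_kubeconfig <your_emk_project_name> <your_shoot_name> viewer 3600`, and request the admin role only for tasks that need cluster-admin privileges.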

In Go you can use the controller-runtime client (>= v0.14.3) to create a kubeconfig like this:

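// Assumes: client is a controller-runtime client for the Gardener API, ctx is a
// context.Context, shoot is the Shoot object to access, and authenticationv1alpha1
// is github.com/gardener/gardener/pkg/apis/authentication/v1alpha1.
expiration := 10 * time.Minute
expirationSeconds := int64(expiration.Seconds())
adminKubeconfigRequest := &authenticationv1alpha1.AdminKubeconfigRequest{
    Spec: authenticationv1alpha1.AdminKubeconfigRequestSpec{
        ExpirationSeconds: &expirationSeconds,
    },
}
// Create the request on the shoot's adminkubeconfig subresource.
err := client.SubResource("adminkubeconfig").Create(ctx, shoot, adminKubeconfigRequest)
if err != nil {
    return err
}
// The generated kubeconfig is returned in the request's status.
config = adminKubeconfigRequest.Status.Kubeconfig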

In Python you can use the native kubernetes client to create a kubeconfig like this:

# This script first loads an existing kubeconfig from your system, and then sends a request to the Gardener API to create a new kubeconfig for a shoot cluster.
# The received kubeconfig is then decoded and a new API client is created for interacting with the shoot cluster.

import base64
import json
from kubernetes import client, config
import yaml

# Set configuration options
shoot_name = "my-shoot"  # Name of the shoot
project_namespace = "garden-my-namespace"  # Namespace of the project

# Load kubeconfig from default ~/.kube/config
config.load_kube_config()
api = client.ApiClient()

# Create kubeconfig request
kubeconfig_request = {
    'apiVersion': 'authentication.gardener.cloud/v1alpha1',
    'kind': 'AdminKubeconfigRequest',
    'spec': {
        'expirationSeconds': 600
    }
}

# POST the request to the shoot's adminkubeconfig subresource
response = api.call_api(
    resource_path=f'/apis/core.gardener.cloud/v1beta1/namespaces/{project_namespace}/shoots/{shoot_name}/adminkubeconfig',
    method='POST',
    body=kubeconfig_request,
    auth_settings=['BearerToken'],
    _preload_content=False,
    _return_http_data_only=True,
)

# The kubeconfig is returned base64-encoded in status.kubeconfig
decoded_kubeconfig = base64.b64decode(json.loads(response.data)["status"]["kubeconfig"]).decode('utf-8')

# Create an API client to interact with the shoot cluster
shoot_api_client = config.new_client_from_config_dict(yaml.safe_load(decoded_kubeconfig))
v1 = client.CoreV1Api(shoot_api_client)

Coming soon.

A static kubeconfig does not expire; the difference is that you get only one kubeconfig for all. A dynamic kubeconfig is enabled by default, so to use a static one, disable the dynamic kubeconfig.

To access your EMK Cluster with a static kubeconfig head over to the cluster overview page:

Cluster overview with 1 cluster

Click on the “...” for the cluster you want to access and click on cluster access.

Cluster access form

You will get a popup window where you can download, copy or view the static kubeconfig.

If your cluster has dynamic kubeconfig enabled, you can change it back to static kubeconfig. Note that this will take some time, as every node is reprovisioned.