How to access my EMK cluster?
Estimated time to read: 4 minutes
In this tutorial you learn how to access your Kubernetes cluster for the first time.
Preconditions:
- Fuga Cloud Account
- An EMK Cluster
There are three ways to access a Kubernetes cluster:
- Time-Limited kubeconfig (maximum 1 day)
- Dynamic access
- Static access (Available until Kubernetes version 1.26.x)
Requesting a Time-Limited access token is done through the Fuga Dashboard. Note the following:
- The Time-Limited Access token is valid for 10 or 30 minutes, 1, 3, 6, 12 or 24 hours.
- The token always has
cluster-admin
privileges.
Get started:
To get your Time-Limited Access token from the cluster overview page (all clusters from 1.27 or when Dynamic tokens enabled):
Click on the “...” for the cluster you want to access and click on cluster access.
You will get a popup window where you have the possibility to download or view the Time-Limited Access kubeconfig.
Requesting a dynamic access token through your system requires configuration on your end and is based on a service account. Note the following:
- A service account kubeconfig expires after 90 days.
- The dynamic access token obtained with a service account expires based on the request, with a maximum validity of 24 hours.
- Depending on the service account role (
admin
orviewer
), you will receive either:- Admin:
cluster-admin
privileges - Viewer:
read-only
access to all APIs, except for the core/v1.Secret API.
- Admin:
Get started:
To get access, it is required to have access to kubectl.
Head over to the service account tab in your EMK overview in the Fuga Dashboard. Here you will find a default service account. You can use the default one or create a new one. To request the kubeconfig for your cluster the service account is required to have the role admin
or viewer
.
Then click on the “...” and click on show kubeconfig and download the kubeconfig of your service account. You will use this kubeconfig to request a kubeconfig that can access your cluster.
Currently you have configured it to request a certificate that will expire after 3600 seconds. It is possible to change this to a maximum of 1 day.
We now have the request data to request the kubeconfig. We can use the following command to request it (use the correct information for your environment and cluster):
Expiration time
It is possible to extend the expiration of a dynamic generated temporary kubeconfig to a maximum of 1 day.
Time | Seconds |
---|---|
10 min | 600 |
1 hour | 3600 |
8 hours | 28800 |
1 day | 86400 |
export NAMESPACE=<your_emk_project_name>
export SHOOT=<your_shoot_name>
kubectl create \
-f <(printf '{"spec":{"expirationSeconds":3600}}') \
--raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/adminkubeconfig | \
jq -r ".status.kubeconfig" | \
base64 -d > emk-cluster-${NAMESPACE}-${SHOOT}.yaml
export NAMESPACE=<your_emk_project_name>
export SHOOT=<your_shoot_name>
kubectl create \
-f <(printf '{"spec":{"expirationSeconds":3600}}') \
--raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/viewerkubeconfig | \
jq -r ".status.kubeconfig" | \
base64 -d > emk-cluster-${NAMESPACE}-${SHOOT}.yaml
Now it is possible to access the cluster as admin
or viewer
based on a service account:
In Go you can use the controller-runtime client (>= v0.14.3) to create a kubeconfig like this:
expiration := 10 * time.Minute
expirationSeconds := int64(expiration.Seconds())
adminKubeconfigRequest := &authenticationv1alpha1.AdminKubeconfigRequest{
Spec: authenticationv1alpha1.AdminKubeconfigRequestSpec{
ExpirationSeconds: &expirationSeconds,
},
}
err := client.SubResource("adminkubeconfig").Create(ctx, shoot, adminKubeconfigRequest)
if err != nil {
return err
}
config = adminKubeconfigRequest.Status.Kubeconfig
In Python you can use the native Kubernetes client to create a kubeconfig like this:
# This script first loads an existing kubeconfig from your system, and then sends a request to the Gardener API to create a new kubeconfig for a shoot cluster.
# The received kubeconfig is then decoded and a new API client is created for interacting with the shoot cluster.
import base64
import json
from kubernetes import client, config
import yaml
# Set configuration options
shoot_name="my-shoot" # Name of the shoot
project_namespace="garden-my-namespace" # Namespace of the project
# Load kubeconfig from default ~/.kube/config
config.load_kube_config()
api = client.ApiClient()
# Create kubeconfig request
kubeconfig_request = {
'apiVersion': 'authentication.gardener.cloud/v1alpha1',
'kind': 'AdminKubeconfigRequest',
'spec': {
'expirationSeconds': 600
}
}
response = api.call_api(
resource_path=f'/apis/core.gardener.cloud/v1beta1/namespaces/{project_namespace}/shoots/{shoot_name}/adminkubeconfig',
method='POST',
body=kubeconfig_request,
auth_settings=['BearerToken'],
_preload_content=False,
_return_http_data_only=True,
)
decoded_kubeconfig = base64.b64decode(json.loads(response.data)["status"]["kubeconfig"]).decode('utf-8')
print(decoded_kubeconfig)
# Create an API client to interact with the shoot cluster
shoot_api_client = config.new_client_from_config_dict(yaml.safe_load(decoded_kubeconfig))
v1 = client.CoreV1Api(shoot_api_client)
Coming soon.
Requesting a Static access token is done through the Fuga Dashboard. Note the following:
- The Static access token is valid till it is rotated.
- The token always has
cluster-admin
privileges.
Get started:
To get your static access token from the cluster overview page (when Dynamic tokens disabled):
Click on the “...” for the cluster you want to access and click on cluster access.
You will get a popup window where you have the possibility to download, copy or view the static kubeconfig.
If your cluster has dynamic kubeconfig enabled, you can change it back to static kubeconfig (Note this will take some time to reprovision every node).