How to access my EMK cluster?

In this tutorial you will learn how to access your Kubernetes cluster for the first time.

Preconditions:

  • Fuga Cloud Account
  • An EMK Cluster

There are three ways to access a Kubernetes cluster:

  • Time-Limited kubeconfig (maximum 1 day)
  • Dynamic access
  • Static access (Available until Kubernetes version 1.26.x)

Requesting a Time-Limited access token is done through the Fuga Dashboard. Note the following:

  • The Time-Limited Access token is valid for 10 or 30 minutes, 1, 3, 6, 12 or 24 hours.
  • The token always has cluster-admin privileges.

Get started:

To get your Time-Limited Access token from the cluster overview page (all clusters from 1.27, or when Dynamic tokens are enabled):

Cluster overview with 1 cluster

Click on the “...” for the cluster you want to access and click on cluster access.

Cluster access form

A popup window opens where you can download or view the Time-Limited Access kubeconfig.

Requesting a dynamic access token through your system requires configuration on your end and is based on a service account. Note the following:

  • A service account kubeconfig expires after 90 days.
  • The dynamic access token obtained with a service account expires based on the request, with a maximum validity of 24 hours.
  • Depending on the service account role (admin or viewer), you will receive either:
    • Admin: cluster-admin privileges
    • Viewer: read-only access to all APIs, except for the core/v1.Secret API.

Get started:

To get access, you need kubectl. The commands below also use jq and base64.

Head over to the service account tab in your EMK overview in the Fuga Dashboard. Here you will find a default service account. You can use the default one or create a new one. To request the kubeconfig for your cluster, the service account must have the role admin or viewer.

Service account overview

Then click on the “...” and click on show kubeconfig and download the kubeconfig of your service account. You will use this kubeconfig to request a kubeconfig that can access your cluster.

Cluster access form

The request below is configured to ask for a certificate that expires after 3600 seconds. You can change this to a maximum of 1 day.

We now have the request data to request the kubeconfig. We can use the following command to request it (use the correct information for your environment and cluster):

Expiration time

It is possible to extend the expiration of a dynamically generated temporary kubeconfig to a maximum of 1 day.

Time       Seconds
10 min     600
1 hour     3600
8 hours    28800
1 day      86400

For an admin kubeconfig:

export NAMESPACE=<your_emk_project_name>
export SHOOT=<your_shoot_name>
kubectl create \
    -f <(printf '{"spec":{"expirationSeconds":3600}}') \
    --raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/adminkubeconfig | \
    jq -r ".status.kubeconfig" | \
    base64 -d > emk-cluster-${NAMESPACE}-${SHOOT}.yaml

For a viewer kubeconfig:

export NAMESPACE=<your_emk_project_name>
export SHOOT=<your_shoot_name>
kubectl create \
    -f <(printf '{"spec":{"expirationSeconds":3600}}') \
    --raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/viewerkubeconfig | \
    jq -r ".status.kubeconfig" | \
    base64 -d > emk-cluster-${NAMESPACE}-${SHOOT}.yaml

Now it is possible to access the cluster as admin or viewer based on a service account:

% kubectl top nodes \
    --kubeconfig=emk-cluster-${NAMESPACE}-${SHOOT}.yaml
NAME              CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
shoot--xxx--xxx   208m         10%    1796Mi          66%
shoot--yyy--yyy   180m         9%     1903Mi          70%

In Go you can use the controller-runtime client (>= v0.14.3) to create a kubeconfig like this:

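import (
    "context"
    "time"

    authenticationv1alpha1 "github.com/gardener/gardener/pkg/apis/authentication/v1alpha1"
    gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
    "sigs.k8s.io/controller-runtime/pkg/client"
)

// requestAdminKubeconfig (helper name is illustrative) asks the Gardener API
// for an admin kubeconfig for the given shoot that expires after 10 minutes.
func requestAdminKubeconfig(ctx context.Context, c client.Client, shoot *gardencorev1beta1.Shoot) ([]byte, error) {
    expiration := 10 * time.Minute
    expirationSeconds := int64(expiration.Seconds())
    adminKubeconfigRequest := &authenticationv1alpha1.AdminKubeconfigRequest{
        Spec: authenticationv1alpha1.AdminKubeconfigRequestSpec{
            ExpirationSeconds: &expirationSeconds,
        },
    }
    // Create the adminkubeconfig subresource on the shoot; the API fills in Status.
    if err := c.SubResource("adminkubeconfig").Create(ctx, shoot, adminKubeconfigRequest); err != nil {
        return nil, err
    }
    return adminKubeconfigRequest.Status.Kubeconfig, nil
}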

In Python you can use the native Kubernetes client to create a kubeconfig like this:

# This script first loads an existing kubeconfig from your system, and then sends a request to the Gardener API to create a new kubeconfig for a shoot cluster. 
# The received kubeconfig is then decoded and a new API client is created for interacting with the shoot cluster.

import base64
import json
from kubernetes import client, config
import yaml

# Set configuration options
shoot_name="my-shoot" # Name of the shoot
project_namespace="garden-my-namespace" # Namespace of the project

# Load kubeconfig from default ~/.kube/config
config.load_kube_config()
api = client.ApiClient()

# Create kubeconfig request
kubeconfig_request = {
    'apiVersion': 'authentication.gardener.cloud/v1alpha1',
    'kind': 'AdminKubeconfigRequest',
    'spec': {
        'expirationSeconds': 600
    }
}

response = api.call_api(
    resource_path=f'/apis/core.gardener.cloud/v1beta1/namespaces/{project_namespace}/shoots/{shoot_name}/adminkubeconfig',
    method='POST',
    body=kubeconfig_request,
    auth_settings=['BearerToken'],
    _preload_content=False,
    _return_http_data_only=True,
)

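decoded_kubeconfig = base64.b64decode(json.loads(response.data)["status"]["kubeconfig"]).decode('utf-8')
# Note: the kubeconfig contains the cluster credential; printing it puts it in
# terminal scrollback and CI logs.
print(decoded_kubeconfig)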

# Create an API client to interact with the shoot cluster
shoot_api_client = config.new_client_from_config_dict(yaml.safe_load(decoded_kubeconfig))
v1 = client.CoreV1Api(shoot_api_client)
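
Added example, not part of the Fuga or Gardener documentation: it builds the request for the two endpoints shown above with a read-only default and the 1 day limit enforced, then stores the returned kubeconfig without printing it. The function names, the constructed sample response and the output file name are assumptions made for illustration.

```python
import base64
import json
import os
import tempfile

MAX_EXPIRATION_SECONDS = 86400  # 1 day, the maximum this page allows
SUBRESOURCES = {"admin": "adminkubeconfig", "viewer": "viewerkubeconfig"}

# Constructed sample of the API response; the kubeconfig content is a dummy.
SAMPLE_RESPONSE = json.dumps({"status": {"kubeconfig": base64.b64encode(
    b"apiVersion: v1\nkind: Config\n").decode("ascii")}})


def build_request(namespace, shoot, role="viewer", expiration_seconds=3600):
    """Return (path, body) for the POST; defaults to the read-only role."""
    if role not in SUBRESOURCES:
        raise ValueError(f"role must be one of {sorted(SUBRESOURCES)}")
    if not 0 < expiration_seconds <= MAX_EXPIRATION_SECONDS:
        raise ValueError("expirationSeconds must be in 1..86400")
    path = (f"/apis/core.gardener.cloud/v1beta1/namespaces/{namespace}"
            f"/shoots/{shoot}/{SUBRESOURCES[role]}")
    return path, {"spec": {"expirationSeconds": expiration_seconds}}


def save_kubeconfig(response_body, dest):
    """Decode .status.kubeconfig and store it readable by the owner only."""
    # A Kubernetes error reply is a Status object whose "status" is a string
    # ("Failure"), so only a dict can carry the kubeconfig.
    status = json.loads(response_body).get("status")
    encoded = status.get("kubeconfig") if isinstance(status, dict) else None
    if not encoded:
        raise ValueError("response carries no status.kubeconfig")
    kubeconfig = base64.b64decode(encoded, validate=True)
    # O_EXCL refuses to reuse an existing path (stale or pre-created file);
    # mode 0o600 keeps other local users out. The credential is never printed.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(kubeconfig)
    return len(kubeconfig)


if __name__ == "__main__":
    path, body = build_request("garden-my-namespace", "my-shoot")
    print("POST", path, json.dumps(body))
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "emk-cluster-viewer.yaml")
        print(save_kubeconfig(SAMPLE_RESPONSE, target), "bytes written, mode",
              oct(os.stat(target).st_mode & 0o777))
```

Pass the path and body from build_request to the api.call_api call shown above, and hand response.data to save_kubeconfig.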

Requesting a Static access token is done through the Fuga Dashboard. Note the following:

  • The Static access token is valid until it is rotated.
  • The token always has cluster-admin privileges.

Get started:

To get your static access token from the cluster overview page (when Dynamic tokens are disabled):

Cluster overview with 1 cluster

Click on the “...” for the cluster you want to access and click on cluster access.

Cluster access form

A popup window opens where you can download, copy or view the static kubeconfig.

If your cluster has dynamic kubeconfig enabled, you can change it back to static kubeconfig. Note that this will take some time, because every node is reprovisioned.