K8S Cluster

Users can register a K8S cluster in the DevOps Console and deploy various applications through the DevOps Console.

Users can add, modify, and delete K8S clusters and namespaces. The added K8S cluster and namespace can be used by selecting them in various menus such as project creation (Getting Started with Project Creation), Helm Install (Getting Started with Helm Install), etc.

Note
To use the K8S cluster in menus such as project creation, Helm Install, etc., you must have permission for the namespace.

Getting Started with K8S Cluster

To start managing K8S clusters, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.

Adding a K8S Cluster

To add a K8S cluster, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the Add button on the K8S Cluster page. You will be moved to the Add K8S Cluster page.
  4. Enter basic information and connection information on the Add K8S Cluster page, and then click the Connection Test button.
  5. Select the Helm version and click the Save button.

Item | Description
K8S Cluster Name | Enter the cluster name.
K8S Cluster ID | Enter the cluster ID. The cluster ID is a unique ID value for distinguishing clusters, and you can enter it directly.
CA Certificate | Enter the server certificate information used in the kubeconfig file configuration.
  • Enter the contents of clusters[0].cluster.certificate-authority-data in the kubeconfig file being used.
  • Ask the cluster provider (administrator) and enter it.
  • If it cannot be confirmed, enter a temporary value (e.g., temp) and modify it to the correct value when confirmed.
Authentication Method | Select the administrator token method.
API Server URL | Enter the Kubernetes API Server address.
Administrator Token | Enter the Admin-privileged Token used in the kubeconfig file configuration. Refer to Checking the Cluster Admin Token.
Helm Version | Select the Helm version.
  • A list of Helm versions available in the K8S cluster version will be displayed.
Table. Add K8S Cluster - Items for Adding with Administrator Token Authentication

Item | Description
Authentication Method | Select the client certificate method.
API Server URL | Enter the Kubernetes API Server address.
Client Certificate | Enter the client certificate information.
Client Key | Enter the client key information.
Table. Add K8S Cluster - Items for Adding with Client Certificate Authentication

Item | Description
Authentication Method | Select the kubeconfig file upload method.
Kubeconfig File | Click the Browse button to select the kubeconfig file.
  • Only files with .yml or .yaml extensions can be uploaded.
  • If the file is uploaded normally, the CA Certificate, API Server URL, User, and Administrator Token or Client Certificate will be automatically entered.
API Server URL | Select the Kubernetes API Server address.
User | Select the user to authenticate.
  • Depending on the selected user, the administrator token or client certificate information will be displayed below.
Table. Add K8S Cluster - Items for Adding by Uploading Kubeconfig File

Managing K8S Clusters

Modifying a K8S Cluster

To modify a K8S cluster, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Modify button on the K8S Cluster Details page.
  5. Modify the information and click the Connection Test button.
  6. Select the Helm version and click the Save button.

Deleting a K8S Cluster

To delete a K8S cluster, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Delete button on the K8S Cluster Details page.
  5. Click the Confirm button in the confirmation pop-up window to complete the deletion.

Adding a K8S Cluster Member

To add a K8S cluster member, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Members tab on the K8S Cluster Details page.
  5. Click the Add button on the Members tab. The Add Member pop-up window will open.
  6. Enter the email address in the Add Member pop-up window and click the Search icon.
  7. Click the Add button to add the member to the list below.
  8. Select the permission and click the Save button to complete adding the member.

Deleting a K8S Cluster Member

To delete a K8S cluster member, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Members tab on the K8S Cluster Details page.
  5. Select the checkbox of the user to delete on the Members tab list.
  6. Click the Delete button to delete the selected user from the member list.

Managing K8S Cluster Permission Requests

To approve or reject K8S cluster permission requests, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster permission request item on the K8S Cluster page list. The number displayed is the number of permission requests.
  4. The K8S Cluster Permission Request Approval pop-up window will open.
  5. Click the permission request item to approve or reject.
  6. Enter your opinion and click the Approve or Reject button.
Note
Rejecting a permission request requires entering an opinion.

Viewing K8S Cluster Permission Request Approval History

To view the K8S cluster permission request approval history, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Approval History tab. The approval history list will be displayed.
Note
Only users with Administrator permission for the corresponding K8S cluster can view the approval history.

Managing Namespaces

Guide
  • This is reference information managed only in DevOps Console.
  • The registered information will be displayed for users to refer to when creating projects or performing Helm installs, etc., using the cluster.

Importing a Namespace

To import a namespace, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list will be displayed.
  5. Click the Import button on the Namespace tab screen. The Import Namespace pop-up window will open.
  6. Select the namespace on the Import Namespace pop-up window and click the Save button to complete importing the namespace.

Deleting a Namespace

Guide
Only the namespace information managed in DevOps Console will be deleted, and the actual namespace in the cluster will not be deleted.

To delete a namespace, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list will be displayed.
  5. Click the namespace on the Namespace tab screen. You will be moved to the Namespace Details page.
  6. Click the Delete button on the Namespace Details page to delete the namespace.

Adding a Namespace Member

To add a namespace member, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list will be displayed.
  5. Click the namespace on the Namespace tab screen. You will be moved to the Namespace Details page.
  6. Click the Members tab on the Namespace Details page. The namespace member list will be displayed.
  7. Click the Add button. The Add Member pop-up window will open.
  8. Enter the email address in the Add Member pop-up window and click the Search icon.
  9. Click the Add button to add the member to the list below.
  10. Select the permission and click the Save button to complete adding the member.

Deleting a Namespace Member

To delete a namespace member, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list will be displayed.
  5. Click the namespace on the Namespace tab screen. You will be moved to the Namespace Details page.
  6. Click the Members tab on the Namespace Details page. The namespace member list will be displayed.
  7. Select the checkbox of the user to delete on the list.
  8. Click the Delete button to delete the selected user from the member list.

Managing Namespace Permission Requests

To approve or reject namespace permission requests, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the namespace permission request item on the K8S Cluster page list. The number displayed is the number of permission requests.
  4. The Namespace Permission Request Approval pop-up window will open.
  5. Select the checkbox of the permission request item to approve or reject.
  6. Enter your opinion and click the Approve or Reject button.
Note
Rejecting a permission request requires entering an opinion.

Viewing Namespace Permission Request Approval History

To view the namespace permission request approval history, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list will be displayed.
  5. Click the namespace on the Namespace tab screen. You will be moved to the Namespace Details page.
  6. Click the Approval History tab. The approval history list will be displayed.

Managing Ingress Domains

Guide
  • This is reference information managed only in DevOps Console.
  • The registered information will be displayed for users to refer to when creating projects or performing Helm installs, etc., using the cluster.

Adding an Ingress Domain

To add an ingress domain, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Ingress Domain tab. The ingress domain list will be displayed.
  5. Click the Add button on the Ingress Domain tab screen. The Add Ingress Domain Information pop-up window will open.
  6. Enter the information on the Add Ingress Domain Information pop-up window and click the Save button to complete adding the ingress domain.

Item | Description
Node Selector | Enter the node selector. The input value is divided into a prefix and a key-value pair by the first slash (/). The prefix is optional.
  e.g., kubernetes.io/nodetype: app
Proxy IP | Enter the Proxy Server IP or Proxy Server LoadBalancer IP.
Ingress Domain | Enter the domain that the application will use by default.
Ingress Class | Enter the ingress controller class.
Table. Add Ingress Domain - Input Items

Modifying an Ingress Domain

To modify an ingress domain, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Ingress Domain tab. The ingress domain list will be displayed.
  5. Click the ingress domain you want to modify on the Ingress Domain tab screen. The Modify Ingress Domain Information pop-up window will open.
  6. Modify the information on the Modify Ingress Domain Information pop-up window and click the Save button to complete modifying the ingress domain.

Deleting an Ingress Domain

To delete an ingress domain, follow these steps:

  1. Click the Manage icon at the top right of the Main page. You will be moved to the Tenant Dashboard page.
  2. Click the Deployment Target > K8S Cluster menu on the left. You will be moved to the K8S Cluster page.
  3. Click the K8S cluster on the K8S Cluster page list. You will be moved to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Ingress Domain tab. The ingress domain list will be displayed.
  5. Select the checkbox of the ingress domain you want to delete on the Ingress Domain tab screen.
  6. Click the Delete button on the Ingress Domain tab screen to delete the selected ingress domain.

1 - Checking Cluster Admin Token

To register a K8S cluster, you need to check the cluster’s Admin Token.

The Admin Token is the token of a ServiceAccount that is bound to ClusterRole/cluster-admin through a ClusterRoleBinding.

Preparations before starting

Notice

Before checking the Admin Token, please check and prepare the following:

  • An environment where the kubectl CLI can be used
  • Cluster Admin permission, meaning you can:
    • View and create ClusterRoles and ClusterRoleBindings
    • View and create Namespaces and ServiceAccounts
  • The cluster-admin ClusterRole can be queried:
    $ kubectl get clusterrole cluster-admin
    NAME            CREATED AT
    cluster-admin   2022-12-09T08:21:50Z
cluster-admin ClusterRole query result

Checking Admin Token

Checking existing Admin Token

  1. Query the ClusterRoleBinding that is bound to ClusterRole/cluster-admin.
  2. Check the ServiceAccount bound to ClusterRoleBinding.
    # Find the ClusterRoleBinding bound to ClusterRole/cluster-admin
    $ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
    [crb_name]     ClusterRole/cluster-admin     77d

    # Check the ServiceAccount listed under Subjects
    $ kubectl describe clusterrolebinding [crb_name]
    Name:         [crb_name]
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  cluster-admin
    Subjects:
      Kind            Name       Namespace
      ----            ----       ---------
      ServiceAccount  [sa_name]  [namespace_name]
    Existing Admin Token query result
  3. Check the Secret connected to the ServiceAccount and query the token (Admin Token).
    # Query Secret
    $ kubectl get secret -n [namespace_name] | grep [sa_name]
    [sa_name]-token-xxxxx                            kubernetes.io/service-account-token   3      77d

    # Query token
    $ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
    Name:         [sa_name]-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1070 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiI...
    ServiceAccount connected Secret, token query result
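
The grep in step 1 matches only the ROLE column and shows one binding per line. As an added example (not part of the original guide), the script below reads `kubectl get clusterrolebinding -o json` and lists every subject bound to cluster-admin, including Users and Groups, so that all holders of the privilege are visible before a token is chosen. The function names, the file name audit.py, and the sample data are assumptions made for this example.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get clusterrolebinding -o json`.
# All binding and subject names below are made up for this example.
SAMPLE = """
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "my-app-additional-cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount",
                 "name": "my-app-additional-cluster-admin",
                 "namespace": "my-app"}]},
  {"metadata": {"name": "read-only"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "reader",
                 "namespace": "my-app"}]},
  {"metadata": {"name": "no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
"""
SAMPLE_DATA = json.loads(SAMPLE)


def cluster_admin_subjects(crb_list):
    """Return (binding, kind, namespace, name) for each cluster-admin subject."""
    rows = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # A binding can exist without subjects; the field is then absent or null.
        for subject in crb.get("subjects") or []:
            rows.append((
                crb["metadata"]["name"],
                subject.get("kind", ""),
                subject.get("namespace", ""),  # only ServiceAccounts are namespaced
                subject.get("name", ""),
            ))
    return rows


def service_accounts(rows):
    """Reduce the rows to the (namespace, name) pairs whose tokens are Admin Tokens."""
    return sorted({(ns, name) for _, kind, ns, name in rows
                   if kind == "ServiceAccount"})


if __name__ == "__main__":
    # Real use (audit.py is a hypothetical file name):
    #   kubectl get clusterrolebinding -o json | python3 audit.py
    data = SAMPLE_DATA if sys.stdin.isatty() else json.load(sys.stdin)
    for binding, kind, namespace, name in cluster_admin_subjects(data):
        print(f"{binding}\t{kind}\t{namespace or '-'}\t{name}")
```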

Creating Admin Token

  1. Create a Namespace to create a ServiceAccount. If it already exists, proceed to the next step.
    $ kubectl create namespace [namespace_name]

    # ex) kubectl create namespace my-app
    Admin Token creation command
  2. Create a [namespace_name]-additional-cluster-admin-sa.yaml file and execute it.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: [namespace_name]-additional-cluster-admin
      namespace: [namespace_name]
    ServiceAccount creation example
    # Create ServiceAccount
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]

    # ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
    ServiceAccount creation command
  3. Create a [namespace_name]-additional-cluster-admin-crb.yaml file and execute it.
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: [namespace_name]-additional-cluster-admin
    subjects:
    - kind: ServiceAccount
      name: [namespace_name]-additional-cluster-admin
      namespace: [namespace_name]
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: ""
    ClusterRoleBinding creation example
    # Create ClusterRoleBinding
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml

    # ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
    ClusterRoleBinding creation command
  4. Check the Secret connected to the ServiceAccount and query the token (Admin Token).
    # Query Secret
    $ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
    [namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3      4m53s

    # Query token
    $ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
    Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1111 bytes
    namespace:  6 bytes
    token:      eyJhbGciOiJSUzI1Ni...
    ServiceAccount connected Secret, token query result
    Note
    If the created Secret does not exist (in Kubernetes version 1.24 or later), create it manually and query the token.
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: [namespace_name]-additional-cluster-admin-token
      namespace: [namespace_name]
      annotations:
        kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
    Secret creation example

Checking Admin Token validity

You can check the validity of the queried Admin Token value by modifying the ~/.kube/config file.

  1. Modify the ~/.kube/config file to use the token for user authentication.
    e.g., set users[0].user.token to the Admin Token value.
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0...
        server: https://devopscluster-12345.sk...
      name: devopscluster-12345
    contexts:
    - context:
        cluster: devopscluster-12345
        user: user
      name: user@devopscluster-12345
    current-context: user@devopscluster-12345
    kind: Config
    users:
    - name: user
      user:
        token: [admin_token]
    ~/.kube/config modification example
  2. Execute the kubectl command to check if you have cluster-admin permissions.
    $ kubectl get nodes
    $ kubectl get namespace
    $ kubectl get all -n kube-system
    $ kubectl create namespace admin-test
    $ kubectl delete namespace admin-test

    # Execute other commands
    cluster-admin permission check command
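
The token printed by `kubectl describe secret` is a JWT, so its claims can also be read offline to confirm which ServiceAccount it belongs to before it is entered as the Administrator Token. The following is an added example, not part of the original guide: the function names are assumptions, the sample token is constructed and unsigned, and the payload is decoded without signature verification, so it serves for inspection only.

```python
import base64
import json


def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned sample using the claim layout of a Secret-based
# ServiceAccount token. The names reuse the my-app example from this page.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "my-app",
        "kubernetes.io/serviceaccount/secret.name":
            "my-app-additional-cluster-admin-token",
        "kubernetes.io/serviceaccount/service-account.name":
            "my-app-additional-cluster-admin",
        "sub": "system:serviceaccount:my-app:my-app-additional-cluster-admin",
    }),
    "c2lnbmF0dXJl",  # placeholder, not a real signature
])


def token_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_identity(token):
    """Return the ServiceAccount namespace and name, and the expiry if present."""
    claims = token_claims(token)
    subject = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not subject.startswith(prefix):
        raise ValueError("token subject is not a ServiceAccount: %r" % subject)
    namespace, _, name = subject[len(prefix):].partition(":")
    # Secret-based tokens carry no exp claim: None means the token stays
    # valid until its Secret or ServiceAccount is deleted.
    return {"namespace": namespace, "name": name, "expires": claims.get("exp")}


if __name__ == "__main__":
    print(token_identity(SAMPLE_TOKEN))
```

A result with expires set to None is a reminder that the registered token does not rotate on its own and should be stored and revoked accordingly.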