K8S Cluster

Users can register a K8S cluster in DevOps Console and deploy various applications through DevOps Console.

Users can add, edit, and delete K8S clusters and namespaces. Added K8S clusters and namespaces can be selected and used in various menus such as project creation (Getting Started with Project Creation), helm install (Getting Started with Helm Install), etc.

Reference
To use the K8S cluster from menus such as project creation and helm install, you must have permissions on the namespace.

Getting Started with a K8S Cluster

To begin managing the K8S cluster, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.

Add a K8S cluster

To add a K8S cluster, follow the steps below.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. On the K8S Cluster page, click the Add button. You will be taken to the Add K8S Cluster page.
  4. On the Add K8S Cluster page, enter the basic information and connection details, then click the Connection Test button.
  5. After selecting the Helm version, click the Save button.
    Item | Explanation
    K8S cluster name | Enter the cluster name.
    K8S Cluster ID | Enter the cluster ID. The cluster ID is a unique identifier used to distinguish clusters; choose and enter it yourself.
    CA Certificate | Enter the server's certificate information to be used for configuring the kubeconfig file.
      • Enter the contents of clusters[0].cluster.certificate-authority-data from the existing kubeconfig file.
      • Contact the cluster provider (administrator) and then enter it.
      • If verification is not possible, enter a temporary value (e.g., temp) and replace it with the correct value once verification is possible.
    Authentication method | Select the admin token method.
    API server URL | Enter the Kubernetes API Server address.
    admin token | Enter the token with Admin privileges to use for configuring the kubeconfig file. Please refer to Check Cluster Admin Token.
    Helm version | Select the Helm version.
      • A list of Helm versions available for the K8S cluster version is displayed.
    Table. Add K8S Cluster – Items for adding with admin token authentication

    Item | Explanation
    Authentication method | Select the client certificate method.
    API server URL | Enter the Kubernetes API Server address.
    client certificate | Enter the client certificate information.
    Client Key | Enter the client key information.
    Table. Add K8S Cluster – Items for adding with client certificate authentication

    Item | Explanation
    Authentication method | Select the kubeconfig file upload method.
    kubeconfig file | Click the Browse button to select the kubeconfig file.
      • Only files with the .yml or .yaml extension can be uploaded.
      • If the file is uploaded successfully, the CA Certificate, API server URL, user, admin token, or client certificate will be populated automatically.
    API server URL | Select the Kubernetes API Server address.
    user | Select the user to authenticate.
      • Depending on the selected user, the admin token or client certificate information is displayed below.
    Table. Add K8S Cluster – Items for adding via kubeconfig file upload

Managing a K8S cluster

Modify K8S cluster

To modify the K8S cluster, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. On the K8S Cluster Details page, click the Edit button.
  5. After editing the information, click the Connection Test button.
  6. After selecting the Helm version, click the Save button.

Delete K8S cluster

To delete a K8S cluster, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. On the K8S Cluster Details page, click the Delete button.
  5. Click the Confirm button in the confirmation popup to complete the deletion.

Add a member to a K8S cluster

To add a K8S cluster member, follow the steps below.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. In the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. On the K8S Cluster Details page, click the Members tab.
  5. When you click the Add button in the Member tab, the Add Member popup window opens.
  6. In the Add Member popup, enter the email address and click the Search icon.
  7. Click the Add button to add the member to the list below.
  8. After selecting the permission, click the Save button to complete adding the member.

Delete K8S cluster member

To delete a K8S cluster member, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S cluster page, click the K8S cluster. You will be taken to the K8S cluster details page of the selected K8S cluster.
  4. On the K8S Cluster Details page, click the Members tab.
  5. In the Member tab, select the checkbox of the user you want to delete.
  6. Click the Delete button to remove the selected user from the members.

Managing K8S Cluster Permission Requests

To approve or reject a K8S cluster access request, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. Click the K8S cluster permission request item for the cluster whose permission request you want to approve. The displayed number indicates the number of permissions requested.
  4. The K8S Cluster Permission Request Approval popup window opens.
  5. Click the application you want to approve or reject.
  6. After entering your comment, click the Approve or Reject button.
Note
A comment is required to reject a permission request.

View K8S cluster permission approval history

To view the K8S cluster permission request approval history, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the K8S Cluster. You will be taken to the K8S Cluster Details page of the selected K8S Cluster.
  4. Click the Approval History tab. The approval history list appears.
Note
Access is allowed only for users with Administrator privileges on the K8S cluster.

Managing namespaces

Notice
  • To use the K8S cluster from menus such as project creation and helm install, you must have permissions on the namespace.
  • You cannot create a namespace in the actual K8S cluster. You can only import an already created namespace into the DevOps Console.

Import namespace

To import the namespace, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. On the K8S Cluster page, click the K8S cluster from the list. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list appears.
  5. On the Namespace tab screen, clicking the Import button opens the Import Namespace popup.
  6. In the Import Namespace popup window, select the namespace and click the Save button to complete the namespace import.

Delete namespace

Notice
Only the namespace information managed by the DevOps Console is deleted, and the actual namespace in the cluster is not deleted.

To delete a namespace, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. On the K8S cluster page, click the K8S cluster from the list. You will be taken to the K8S cluster details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list appears.
  5. On the Namespace tab screen, clicking a namespace navigates to the Namespace Details page.
  6. On the Namespace Details page, click the Delete button to complete the namespace deletion.

Adding a namespace member

To add a namespace member, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list appears.
  5. On the Namespace tab screen, click the namespace. You will be taken to the Namespace Details page.
  6. On the Namespace Details page, click the Members tab. The namespace member list appears.
  7. When you click the Add button, the Add Member popup opens.
  8. In the Add Member popup, enter the email address and click the Search icon.
  9. Click the Add button to add the member to the list below.
  10. After selecting the permission, click the Save button to complete adding the member.

Delete namespace member

To delete a namespace member, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. On the K8S Cluster page, click the K8S cluster from the list. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list appears.
  5. On the Namespace tab screen, clicking the namespace takes you to the Namespace Details page.
  6. On the Namespace Details page, click the Members tab. The namespace member list appears.
  7. Select the checkbox of the user you want to delete from the list.
  8. Click the Delete button to remove the selected user from the members.

Manage namespace permission requests

To approve or reject a namespace permission request, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the Namespace Permission Request item for the cluster whose permission request you want to approve. The displayed number indicates the number of permission requests.
  4. The Namespace Permission Request Approval popup window opens.
  5. Select the checkbox for the application you want to approve or reject.
  6. After entering your comment, click the Approve or Reject button.
Reference
Providing a comment is required to reject a permission request.

View namespace permission request approval history

To view the namespace permission request approval history, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. In the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Namespace tab. The namespace list appears.
  5. On the Namespace tab screen, clicking a namespace takes you to the Namespace Details page.
  6. On the Namespace Details page, click the Approval History tab. The approval history list appears.

Managing Ingress Domains

Information
  • This is reference information that is managed only in the DevOps Console.
  • The registered information is displayed so that users can refer to it when creating a project or performing a Helm install using the cluster.

Add Ingress Domain

To add an ingress domain, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. On the K8S cluster page, click the K8S cluster from the list. You will be taken to the K8S cluster details page of the selected K8S cluster.
  4. Click the Ingress Domain tab. The Ingress Domain list appears.
  5. On the Ingress Domain tab screen, click the Add button. The Add Ingress Domain Information popup opens.
  6. In the Add Ingress Domain Information popup window, enter the information and click the Save button to complete adding the ingress domain.
    Item | Explanation
    Node selector | Enter the node selector. The input consists of a key and its corresponding value; the key may include a prefix, which is the part before the first slash (/). The prefix is optional.
      e.g., kubernetes.io/nodetype: app
    Proxy IP | Enter the Proxy Server IP or Proxy Server LoadBalancer IP.
    Ingress domain | Enter the domain that the application will use by default.
    Ingress class | Enter the Ingress controller class.
    Table. Input items for adding an Ingress Domain

Modify Ingress Domain

To modify the Ingress domain, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Ingress Domain tab. The Ingress Domain list appears.
  5. On the Ingress Domain tab screen, when you click the Ingress Domain you want to edit, the Edit Ingress Domain Information popup opens.
  6. In the Edit Ingress Domain Information popup window, modify the information and click the Save button to complete the Ingress domain edit.

Delete Ingress Domain

To delete an Ingress domain, follow these steps.

  1. Click the Admin icon at the top right of the Main page. You will be taken to the Tenant Dashboard page.
  2. From the left menu, click the Deploy Target > K8S Cluster menu. You will be taken to the K8S Cluster page.
  3. From the list on the K8S Cluster page, click the K8S cluster. You will be taken to the K8S Cluster Details page of the selected K8S cluster.
  4. Click the Ingress Domain tab. The Ingress Domain list appears.
  5. On the Ingress Domain tab, select the checkbox of the Ingress Domain you want to delete.
  6. On the Ingress Domain tab screen, click the Delete button to delete the selected ingress domain.

1 - Verify Cluster Admin Token

To register a K8S cluster, you must verify the cluster’s Admin Token.

An Admin Token refers to the token value of a ServiceAccount that has the ClusterRole/cluster-admin bound by a ClusterRoleBinding.

Preparation before start

Information

Before checking the Admin Token, review and prepare the following.

  • Environment where the kubectl CLI can be used
  • Check cluster admin permissions
    • View and create ClusterRole, ClusterRoleBinding
    • Namespace and ServiceAccount lookup and creation
  • Confirm that the cluster-admin ClusterRole is listed.
$ kubectl get clusterrole cluster-admin
NAME            CREATED AT
cluster-admin   2022-12-09T08:21:50Z
cluster-admin ClusterRole query result

Query Admin Token

View existing generated Admin Token

  1. Retrieve the ClusterRoleBinding that has ClusterRole/cluster-admin bound.
  2. Check the ServiceAccount that is bound by a ClusterRoleBinding.
    # admin token lookup
    $ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
    [crb_name]     ClusterRole/cluster-admin     77d
    
    $ kubectl describe clusterrolebinding [crb_name]
    Name:         [crb_name]
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  cluster-admin
    Subjects:
      Kind            Name       Namespace
      ----            ----       ---------
      ServiceAccount  [sa_name]  [namespace_name]
    Result of retrieving previously generated Admin Token
  3. Check the Secret associated with the ServiceAccount and retrieve the token (Admin Token).
    # Secret lookup
    $ kubectl get secret -n [namespace_name] | grep [sa_name]
    [sa_name]-token-xxxxx                            kubernetes.io/service-account-token   3      77d
    
    # token lookup
    $ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
    Name:         [sa_name]-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1070 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiI...
    Result of retrieving the Secret and token associated with the ServiceAccount
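The grep in step 1 lists bindings but not who they grant access to. As an added example (not part of the original guide), the script below reads `kubectl get clusterrolebinding -o json` and lists every subject bound to ClusterRole/cluster-admin, so you can pick the ServiceAccount and see how many identities hold that role; the sample data and all names in it are constructed placeholders.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterrolebinding -o json`.
# Every name below is a placeholder, not taken from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "my-app-additional-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "my-app",
                   "name": "my-app-additional-cluster-admin"}]},
    {"metadata": {"name": "read-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "my-app",
                   "name": "viewer"}]},
    # A binding with no subjects: the key can be absent or null.
    {"metadata": {"name": "stale-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]})


def cluster_admin_subjects(doc):
    """Return (binding, kind, namespace, name) for each cluster-admin subject."""
    rows = []
    for crb in doc.get("items", []):
        ref = crb.get("roleRef", {})
        # Only bindings that reference ClusterRole/cluster-admin are relevant.
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        for subj in crb.get("subjects") or []:
            rows.append((crb["metadata"]["name"], subj.get("kind", ""),
                         subj.get("namespace", ""), subj.get("name", "")))
    return rows


def service_account_candidates(rows):
    """ServiceAccounts whose token is an Admin Token as this page defines it."""
    return sorted({(ns, name) for _, kind, ns, name in rows
                   if kind == "ServiceAccount"})


if __name__ == "__main__":
    # Pipe real kubectl output in; with no piped input the sample is used.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    rows = cluster_admin_subjects(json.loads(raw if raw.strip() else SAMPLE))
    for binding, kind, ns, name in rows:
        print(f"{binding}\t{kind}\t{ns or '-'}\t{name}")
    for ns, name in service_account_candidates(rows):
        print(f"next: kubectl get secret -n {ns} | grep {name}")
```

Users and Groups in the output also hold cluster-admin but have no token Secret; only the ServiceAccount rows lead to step 3.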

Create Admin Token

  1. Create the Namespace for the ServiceAccount. If it already exists, proceed to the next step.
    $ kubectl create namespace [namespace_name]
    
    # ex) kubectl create namespace my-app
    Admin Token creation command
  2. Create the [namespace_name]-additional-cluster-admin-sa.yaml file and then run it.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: [namespace_name]-additional-cluster-admin
      namespace: [namespace_name]
    ServiceAccount creation example
    # Create ServiceAccount
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]
    
    # ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
    ServiceAccount creation command
  3. Create the [namespace_name]-additional-cluster-admin-crb.yaml file and then run it.
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: [namespace_name]-additional-cluster-admin
    subjects:
    - kind: ServiceAccount
      name: [namespace_name]-additional-cluster-admin
      namespace: [namespace_name]
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    Example of creating a ClusterRoleBinding
    # Create ClusterRoleBinding
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml
    
    # ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
    Command to create a ClusterRoleBinding
  4. Check the Secret associated with the ServiceAccount and retrieve the token (Admin Token).
    # Secret lookup
    $ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
    [namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3      4m53s
    
    # Token lookup
    $ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
    Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1111 bytes
    namespace:  6 bytes
    token:      eyJhbGciOiJSUzI1Ni...
    Result of retrieving the Secret and token associated with the ServiceAccount
    Reference
    If no Secret was generated automatically (Kubernetes 1.24 and later), create one manually and then retrieve the token.
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: [namespace_name]-additional-cluster-admin-token
      namespace: [namespace_name]
      annotations:
        kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
    Example of creating a secret

Verify Admin Token Validity

You can verify the validity of the retrieved Admin Token value by editing the ~/.kube/config file.

  1. Modify ~/.kube/config to use a token for user authentication.
    For example, change the entry to users[0].user.token and enter the Admin Token value.
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0...
        server: https://devopscluster-12345.sk...
      name: devopscluster-12345
    contexts:
    - context:
        cluster: devopscluster-12345
        user: user
      name: user@devopscluster-12345
    current-context: user@devopscluster-12345
    kind: Config
    users:
    - name: user
      user:
        token: [admin_token]
    Example of editing ~/.kube/config
  2. Run the kubectl command to verify that you have cluster-admin privileges.
    $ kubectl get nodes
    $ kubectl get namespace
    $ kubectl get all -n kube-system
    $ kubectl create namespace admin-test
    $ kubectl delete namespace admin-test
    
    # Run other commands
    Command to check cluster-admin permissions
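Before pasting a token into the console, it helps to confirm which ServiceAccount it names and whether it ever expires. This added example (not part of the original guide) decodes the token's JWT payload without verifying the signature; the sample token is constructed and unsigned, and its claim layout follows the Secret-based ServiceAccount token form, which carries no `exp` claim.

```python
import base64
import json
import sys
import time


def make_sample_token(claims):
    """Build an unsigned JWT-shaped string for the demo (constructed data)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    # "c2ln" is a dummy third segment standing in for the signature.
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed claims in the shape of a Secret-based ServiceAccount token.
SAMPLE_TOKEN = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "my-app",
    "kubernetes.io/serviceaccount/service-account.name":
        "my-app-additional-cluster-admin",
    "sub": "system:serviceaccount:my-app:my-app-additional-cluster-admin",
})


def _decode_segment(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def describe_sa_token(token, now=None):
    """Report which ServiceAccount a token names and whether it expires.

    The signature is NOT verified here; only the API server can do that.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    claims = _decode_segment(parts[1])
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    fields = str(claims.get("sub", "")).split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError("sub claim is not system:serviceaccount:<ns>:<name>")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": fields[2],
        "service_account": fields[3],
        "issuer": claims.get("iss"),
        "expires_at": exp,
        # No exp claim means the token stays valid until its Secret is deleted.
        "long_lived": exp is None,
        "expired": exp is not None and exp <= now,
    }


if __name__ == "__main__":
    # Read the token from stdin so it does not land in shell history or the
    # process list; with no piped input the constructed sample is used.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for key, value in describe_sa_token(piped.strip() or SAMPLE_TOKEN).items():
        print(f"{key}: {value}")
```

A result with `long_lived: True` means the registered cluster-admin token can only be revoked by deleting its Secret or the ServiceAccount.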