.. WARNING: Add no lines of text between the label immediately following
.. and the title.

.. _accessing-kubernetes-cli-locally-from-ssh-local-console-sessio-f35946359562:

.. _configure-local-cli-access_kub:

------------------------------------------------------------
Access Kubernetes CLI locally from SSH/Local Console Session
------------------------------------------------------------

You can access the system via a local CLI from the active controller node's
local console or by SSH-ing to the OAM floating IP Address.

It is highly recommended that only 'sysadmin' and a small number of admin
level user accounts be allowed to SSH to the system.

Using the **sysadmin** account and the Local CLI, you can perform all required
system maintenance, administration and troubleshooting tasks.

For sysadmin Account
--------------------

By default, the **sysadmin** account has Kubernetes Admin credentials.

If you plan on customizing the sysadmin's kubectl configuration on the
|prod-long| Controller (for example, :command:`kubectl config set-...` or
:command:`oidc-auth`), you should use a private KUBECONFIG file and NOT the
system-managed KUBECONFIG file ``/etc/kubernetes/admin.conf``, which can be
changed and overwritten by the system.

Copy ``/etc/kubernetes/admin.conf`` to a private file under
``/home/sysadmin`` such as ``/home/sysadmin/.kube/config``, and update
``/home/sysadmin/.profile`` to have the ``KUBECONFIG`` environment variable
point to the private file.

For example, the following commands set up a private KUBECONFIG file.

.. code-block:: none

   # ssh sysadmin@
   Password:
   % mkdir .kube
   % cp /etc/kubernetes/admin.conf .kube/config
   % echo "export KUBECONFIG=~/.kube/config" >> ~/.profile
   % exit

Confirm that the ``KUBECONFIG`` environment variable is set correctly and that
:command:`kubectl` commands are functioning properly.

.. code-block:: none

   # ssh sysadmin@
   Password:
   % env | fgrep KUBE
   KUBECONFIG=/home/sysadmin/.kube/config
   % kubectl get pods

You can now access all Kubernetes CLI commands.

**kubectl commands**

Kubernetes commands are executed with the :command:`kubectl` command.

For example:

.. code-block:: none

   ~(keystone_admin)]$ kubectl get nodes
   NAME           STATUS   ROLES    AGE     VERSION
   controller-0   Ready    master   5d19h   v1.13.5
   ~(keystone_admin)]$ kubectl get pods
   NAME                                              READY   STATUS    RESTARTS   AGE
   dashboard-kubernetes-dashboard-7749d97f95-bzp5w   1/1     Running   0          3d18h

**Helm commands**

Helm commands are executed with the :command:`helm` command.

For example:

.. code-block:: none

   % helm repo add bitnami https://charts.bitnami.com/bitnami
   % helm repo update
   % helm repo list
   % helm search repo
   % helm install wordpress bitnami/wordpress

For an LDAP Account
-------------------

Use ``kubeconfig-setup`` to set up ``KUBECONFIG`` for the local environment.

.. code-block::

   $ kubeconfig-setup
   $ source ~/.profile

Use ``oidc-auth`` to authenticate via |OIDC|/|LDAP|.

.. code-block::

   $ oidc-auth
   Using "joefulladmin" as username.
   Password:
   Successful authentication.
   Updated /home/joefulladmin/.kube/config .

Use ``kubectl`` to test access to Kubernetes commands / resources (admin and
non-admin).

.. code-block::

   # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
   $ kubectl -n kube-system get secrets
   NAME                         TYPE                   DATA   AGE
   ceph-admin                   Opaque                 2      3d8h
   ceph-pool-kube-cephfs-data   kubernetes.io/cephfs   4      3d8h
   ceph-pool-kube-rbd           kubernetes.io/rbd      2      3d8h

   # Anyone can display resources in 'default' namespace
   $ kubectl -n default get all
   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
   service/kubernetes   ClusterIP   10.96.0.1                  443/TCP   3d9h
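
A check for the private ``KUBECONFIG`` arrangement described in both sections above, added here as an example and not part of the original documentation: it confirms that every file named in ``KUBECONFIG`` neither is nor resolves to the system-managed ``/etc/kubernetes/admin.conf``, and that only the current user can access it. The owner-only mode requirement, the function names and the overridable ``SYSTEM_KUBECONFIG`` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a KUBECONFIG value.
# Usage after sourcing this file:  audit_kubeconfig "$KUBECONFIG"
# SYSTEM_KUBECONFIG defaults to the system-managed file named on the page;
# making it overridable is an assumption so the check can run off-controller.
SYSTEM_KUBECONFIG=${SYSTEM_KUBECONFIG:-/etc/kubernetes/admin.conf}

# audit_one FILE: print one finding per problem; return 0 only if clean.
audit_one() {
    f=$1
    [ -f "$f" ] || { echo "FAIL $f: not a regular file"; return 1; }
    real=$(readlink -f -- "$f")
    sys=$(readlink -f -- "$SYSTEM_KUBECONFIG" 2>/dev/null || echo "$SYSTEM_KUBECONFIG")
    bad=0
    # A symlink to the system-managed file is still the system-managed file.
    if [ "$real" = "$sys" ]; then
        echo "FAIL $f: resolves to system-managed $SYSTEM_KUBECONFIG"; bad=1
    fi
    # Columns 5-10 of the mode string are the group and other permission bits.
    # Requiring them all to be clear is this example's assumed policy.
    perms=$(ls -ldn -- "$real" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL $f: group/other access ($perms), expected owner-only"; bad=1
    fi
    owner=$(ls -ldn -- "$real" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL $f: owned by uid $owner, not the current user"; bad=1
    fi
    return $bad
}

# audit_kubeconfig VALUE: VALUE is a KUBECONFIG string, which kubectl treats
# as a colon-separated list of files. Returns 0 only if every entry is clean.
audit_kubeconfig() {
    [ -n "$1" ] || { echo "FAIL: KUBECONFIG is empty or unset"; return 1; }
    rc=0
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        IFS=$old_ifs
        [ -n "$entry" ] || continue
        audit_one "$entry" || rc=1
    done
    IFS=$old_ifs
    return $rc
}
```

A failing entry prints one ``FAIL`` line per problem, so a copy that is private but still group-readable is reported separately from one that points back at the system-managed file.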