docs/doc/source/security/kubernetes/accessing-kubernetes-cli-locally-from-ssh-local-console-sessio-f35946359562.rest
Suzana Fernandes 0bf77eef8e Update User Management Section in the SECURITY guide
Change-Id: I753b0cd3912d2f9bc53c50906c05e90f2443d3f0
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2025-10-15 17:30:18 +00:00


.. WARNING: Add no lines of text between the label immediately following
.. and the title.

.. _accessing-kubernetes-cli-locally-from-ssh-local-console-sessio-f35946359562:

.. _configure-local-cli-access_kub:

------------------------------------------------------------
Access Kubernetes CLI locally from SSH/Local Console Session
------------------------------------------------------------

You can access the system via a local CLI from the active controller
node's local console or by SSH-ing to the OAM floating IP address.

It is highly recommended that only **sysadmin** and a small number of
admin-level user accounts be allowed to SSH to the system.

Using the **sysadmin** account and the local CLI, you can perform all
required system maintenance, administration and troubleshooting tasks.

For sysadmin Account
--------------------

By default, the **sysadmin** account has Kubernetes Admin credentials.

If you plan on customizing the sysadmin's kubectl configuration on the
|prod-long| Controller (for example, :command:`kubectl config set-...` or
:command:`oidc-auth`), you should use a private KUBECONFIG file and NOT
the system-managed KUBECONFIG file ``/etc/kubernetes/admin.conf``, which can be
changed and overwritten by the system.

Copy ``/etc/kubernetes/admin.conf`` to a private file under
``/home/sysadmin`` such as ``/home/sysadmin/.kube/config``, and update
``/home/sysadmin/.profile`` to have the ``KUBECONFIG`` environment variable
point to the private file.

For example, the following commands set up a private KUBECONFIG file.

.. code-block:: none

   # ssh sysadmin@<oamFloatingIpAddress>
   Password:
   % mkdir .kube
   % cp /etc/kubernetes/admin.conf .kube/config
   % echo "export KUBECONFIG=~/.kube/config" >> ~/.profile
   % exit

Confirm that the ``KUBECONFIG`` environment variable is set correctly
and that :command:`kubectl` commands are functioning properly.

.. code-block:: none

   # ssh sysadmin@<oamFloatingIpAddress>
   Password:
   % env | fgrep KUBE
   KUBECONFIG=/home/sysadmin/.kube/config
   % kubectl get pods

You can now access all Kubernetes CLI commands.
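
The following check is an added example, not part of this guide: it audits a ``KUBECONFIG`` value against the guidance above, failing if any entry is the system-managed ``/etc/kubernetes/admin.conf`` (directly or through a link). The function name ``check_kubeconfig``, its optional second argument, and the owner and permission checks are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not a command shipped with the product).
# Usage: check_kubeconfig "$KUBECONFIG" [system_file]
# system_file defaults to the system-managed file named in this guide.
# Returns 0 when every entry is a private file, 1 otherwise.
check_kubeconfig() (
    list="$1"
    sys="${2:-/etc/kubernetes/admin.conf}"
    rc=0
    if [ -z "$list" ]; then
        echo "FAIL: KUBECONFIG is empty or unset"
        exit 1
    fi
    # kubectl accepts a colon-separated list of files; check each entry.
    set -f      # no globbing while the list is split
    IFS=:
    for f in $list; do
        [ -n "$f" ] || continue
        # Same path, or same inode (symlink or hard link to the system file).
        if [ "$f" = "$sys" ] || [ "$f" -ef "$sys" ]; then
            echo "FAIL: $f is the system-managed file $sys"
            rc=1
            continue
        fi
        if [ ! -f "$f" ]; then
            echo "FAIL: $f does not exist or is not a regular file"
            rc=1
            continue
        fi
        # Assumption of this example: the file holds admin credentials,
        # so it should be owned by the caller and closed to group/other.
        if [ ! -O "$f" ]; then
            echo "FAIL: $f is not owned by the current user"
            rc=1
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ldL -- "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $f is accessible to group/other ($perms)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $list"
    exit "$rc"
)
```

Run it as ``check_kubeconfig "$KUBECONFIG"`` after logging in again so that ``~/.profile`` has been read.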

**kubectl commands**

Kubernetes commands are executed with the :command:`kubectl` command.

For example:

.. code-block:: none

   ~(keystone_admin)]$ kubectl get nodes
   NAME           STATUS   ROLES    AGE     VERSION
   controller-0   Ready    master   5d19h   v1.13.5
   ~(keystone_admin)]$ kubectl get pods
   NAME                                              READY   STATUS    RESTARTS   AGE
   dashboard-kubernetes-dashboard-7749d97f95-bzp5w   1/1     Running   0          3d18h

**Helm commands**

Helm commands are executed with the :command:`helm` command.

For example:

.. code-block:: none

   % helm repo add bitnami https://charts.bitnami.com/bitnami
   % helm repo update
   % helm repo list
   % helm search repo
   % helm install wordpress bitnami/wordpress

For an LDAP Account
-------------------

Use ``kubeconfig-setup`` to set up ``KUBECONFIG`` for the local environment.

.. code-block:: none

   $ kubeconfig-setup
   $ source ~/.profile

Use ``oidc-auth`` to authenticate via |OIDC|/|LDAP|.

.. code-block:: none

   $ oidc-auth
   Using "joefulladmin" as username.
   Password:
   Successful authentication.
   Updated /home/joefulladmin/.kube/config .

Use ``kubectl`` to test access to Kubernetes commands and resources
(admin and non-admin).

.. code-block:: none

   # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
   $ kubectl -n kube-system get secrets
   NAME                         TYPE                   DATA   AGE
   ceph-admin                   Opaque                 2      3d8h
   ceph-pool-kube-cephfs-data   kubernetes.io/cephfs   4      3d8h
   ceph-pool-kube-rbd           kubernetes.io/rbd      2      3d8h

   # Anyone can display resources in 'default' namespace
   $ kubectl -n default get all
   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
   service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   3d9h