Editing Tutorials:Set up your Kubernetes user account

Unfortunately, making your identity known to the cluster on your machine is a decidedly manual process, which involves editing a local configuration that resides in ".kube/config".

== Set up a .kube/config file ==

Create the subdirectory ".kube" in your home and set restrictive permissions. It will contain your cluster credentials, and anyone who has access to the files in there can steal your identity and impersonate you. We do not want this.

<syntaxhighlight lang="bash">
> cd ~
> mkdir .kube
> chmod 700 .kube
</syntaxhighlight>

Create a file ".kube/config" and edit its contents as follows. To get the certificate authority data right, download it here: [[File:kubeconfig_template_ccu.zip]].

<syntaxhighlight lang="yaml">
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJ ....
    server: https://134.34.224.84:6443
  name: ccu
contexts:
- context:
    cluster: ccu
    namespace: testing
    user: your.username
  name: me@ccu
kind: Config
preferences: {}
users:
</syntaxhighlight>

Of course, substitute your own username at the indicated locations. You will later learn what to do about the namespace.

== Get your user credentials (an OAuth ID token) from our server ==

The next step is to authenticate against our server, which will then create a credential (basically a secret token which only you should know) so that you can prove to the cluster that you are indeed who you claim you are.

''Instead of the below, after recent updates, the following works:'' go to ccu-k8s.inf.uni-konstanz.de, "Login to the cluster", login, and copy and paste the displayed credentials into your shell (it starts with `kubectl config set-credentials ...`.)


* Go to [https://ccu.uni-konstanz.de:32002 the dex login application]
* Keep the defaults on the first screen an hit "request token"
* Enter your CCU login. You will get something like this in return:

<syntaxhighlight lang="yaml">
- name: your.username
  user:
    auth-provider:
      config:
        client-id: loginapp
        client-secret: 459679hg...
        id-token: eyJhbGc... 
        idp-issuer-url: https://ccu.uni-konstanz.de:32000/dex
        refresh-token: ChllcHl...
      name: oidc
</syntaxhighlight>

Mark everything and copy it to the clipboard. Paste it into your kubeconfig file .kube/config below the line "users:". If you have some background in programming, the structure of the kubeconfig file should be pretty obvious, and you will be able to extend it to include e.g. multiple identities and contexts which access different namespaces. This is quite useful for quickly switching between them without having to type so much.

After this step, your .kube/config should look something like this:

<syntaxhighlight lang="yaml">
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJ ....
    server: https://134.34.224.84:6443
  name: ccu
contexts:
- context:
    cluster: ccu
    namespace: testing
    user: your.username
  name: me@ccu
kind: Config
preferences: {}
users:
- name: your.username
  user:
    auth-provider:
      config:
        client-id: loginapp
        client-secret: 459679hg...
        id-token: eyJhbGc... 
        idp-issuer-url: https://ccu.uni-konstanz.de:32000/dex
        refresh-token: ChllcHl...
      name: oidc
</syntaxhighlight>




== Enter the CCU context ==

You should now be able to enter the CCU context with your username and the namespace "testing" set up in the kubeconfig file as follows:

<syntaxhighlight lang="bash">
> kubectl config use-context me@ccu
</syntaxhighlight>

Try it out:

<syntaxhighlight lang="bash">
> kubectl get pods
</syntaxhighlight>

You are not in a valid namespace corresponding to your user groups yet, so will get an error which should look like this:

<syntaxhighlight lang="bash">
Error from server (Forbidden): pods is forbidden: User "https://ccu.uni-konstanz.de:32000/dex#your.username" cannot list resource "pods" in API group "" in the namespace "testing"
</syntaxhighlight>

'''For testing purposes, all current users have access to the namespace exc-cb which has access to the DGX-2 (hostname vecna). This will change in the future, watch out for the documentation below.'''

To switch to a different namespace, edit the corresponding line in the kubeconfig. You can also keep a list of contexts for different namespaces and users like this. Choose whatever names you would like for your contexts.

<syntaxhighlight lang="bash">
contexts:
- context:
    cluster: ccu
    namespace: exc-cb
    user: your.username
  name: me@exc-cb.ccu
- context:
    cluster: ccu
    namespace: trr161
    user: your.username
  name: me@trr161.ccu
</syntaxhighlight>

Set the new context, and now you should be able to list the pods. Note that all subsequent kubectl commands now refer to the namespace exc-cb. This is equivalent to specifying "kubectl -n exc-cb" on the command line. You can still override it by issuing "kubectl -n other_namespace" manually.

<syntaxhighlight lang="bash">
> kubectl config use-context me@exc-cb.ccu
> kubectl get pods
# list the pods in another namespace instead
> kubectl -n trr161 get pods
</syntaxhighlight>

== Which namespaces are available and which resources can they access? ==

Refer to these documents:
* [[Cluster:Namespaces|Which namespaces am I allowed to use?]]
* [[Cluster:Nodes|Which compute nodes are available?]]
* [[Cluster:Nodes|Which namespace has access to which compute nodes?]]


[[Category:Tutorials]]