starlingx/docs
Code Issues Proposed changes
78263d6d95
docs/doc/source/security/kubernetes/security-install-kubectl-and-helm-clients-directly-on-a-host.rst
Juanita-Balaraj 265d96bed1 Fixed \_ as the output was not rendering correctly (pick r5 updates only) 
Fixed Patchset 4 comments
Fixed Patchset 3 comments and added additional updates
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
Change-Id: I7482afc3a90bbdc94b6ecd8b6ac39d831b8a45db
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
2021-11-02 11:27:15 -04:00

169 lines
6.7 KiB
ReStructuredText
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.. iqi1581955028595
.. _security-install-kubectl-and-helm-clients-directly-on-a-host:
===================================================
Install Kubectl and Helm Clients Directly on a Host
===================================================
You can use :command:`kubectl` and :command:`helm` to interact with a
controller from a remote system.
.. rubric:: |context|
Commands such as those that reference local files or commands that require
a shell are more easily used from clients running directly on a remote
workstation.
Complete the following steps to install :command:`kubectl` and
:command:`helm` on a remote system.
The following procedure shows how to configure the kubectl and helm clients
directly on remote host, for an admin user with **cluster-admin** cluster role.
If using a non-admin user such as one with only role privileges within a
private namespace, the procedure is the same, however, additional
configuration is required in order to use :command:`helm`.
.. rubric:: |proc|
.. _security-install-kubectl-and-helm-clients-directly-on-a-host-steps-f54-qqd-tkb:
#. On the controller, if an **admin-user** service account is not already available, create one.
#. Create the **admin-user** service account in **kube-system**
namespace and bind the **cluster-admin** ClusterRoleBinding to this user.
.. code-block:: none
% cat <<EOF > admin-login.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-admin
namespace: kube-system
EOF
% kubectl apply -f admin-login.yaml
#. Retrieve the secret token.
.. code-block:: none
~(keystone_admin)]$ TOKEN_DATA=$(kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-admin | awk '{print $1}') | grep "token:" | awk '{print $2}')
#. On a remote workstation, install the :command:`kubectl` client. Go to the
following link: `https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
<https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/>`__.
#. Install the :command:`kubectl` client CLI (for example, an Ubuntu host).
.. code-block:: none
% sudo apt-get update
% sudo apt-get install -y apt-transport-https
% curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | \
sudo apt-key add
% echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | \
sudo tee -a /etc/apt/sources.list.d/kubernetes.list
% sudo apt-get update
% sudo apt-get install -y kubectl
#. Set up the local configuration and context.
.. note::
In order for your remote host to trust the certificate used by
the |prod-long| K8S API, you must ensure that the
``k8s_root_ca_cert`` specified at install time is a trusted
|CA| certificate by your host. Follow the instructions for adding
a trusted |CA| certificate for the operating system distribution
of your particular host.
If you did not specify a ``k8s_root_ca_cert`` at install
time, then specify ``--insecure-skip-tls-verify``, as shown below.
The following example configures the default ~/.kube/config. See the
following reference:
`https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
<https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/>`__.
You need to obtain a floating |OAM| IP.
.. code-block:: none
% kubectl config set-cluster mycluster --server=https://${OAM_IP}:6443 \
--insecure-skip-tls-verify
% kubectl config set-credentials kubernetes-admin@mycluster --token=$TOKEN_DATA
% kubectl config set-context kubernetes-admin@mycluster --cluster=mycluster \
--user kubernetes-admin@mycluster --namespace=default
% kubectl config use-context kubernetes-admin@mycluster
``$TOKEN_DATA`` is the token retrieved in step 1.
#. Test remote :command:`kubectl` access.
.. code-block:: none
% kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE ...
controller-0 Ready master 15h v1.12.3 192.168.204.3 <none> CentOS L ...
controller-1 Ready master 129m v1.12.3 192.168.204.4 <none> CentOS L ...
worker-0 Ready <none> 99m v1.12.3 192.168.204.201 <none> CentOS L ...
worker-1 Ready <none> 99m v1.12.3 192.168.204.202 <none> CentOS L ...
%
#. On the workstation, install the :command:`helm` client on an Ubuntu
host by taking the following actions on the remote Ubuntu system.
#. Install :command:`helm`. See the following reference:
`https://helm.sh/docs/intro/install/
<https://helm.sh/docs/intro/install/>`__. Helm accesses the Kubernetes
cluster as configured in the previous step, using the default ~/.kube/config.
.. code-block:: none
% wget https://get.helm.sh/helm-v3.2.1-linux-amd64.tar.gz
% tar xvf helm-v3.2.1-linux-amd64.tar.gz
% sudo cp linux-amd64/helm /usr/local/bin
#. Verify that :command:`helm` installed correctly.
.. code-block:: none
% helm version
version.BuildInfo{Version:"v3.2.1", GitCommit:"fe51cd1e31e6a202cba7dead9552a6d418ded79a", GitTreeState:"clean", GoVersion:"go1.13.10"}
#. Run the following commands:
.. code-block:: none
% helm repo add bitnami https://charts.bitnami.com/bitnami
% helm repo update
% helm repo list
% helm search repo
% helm install wordpress bitnami/wordpress
.. seealso::
:ref:`Configure Container-backed Remote CLIs and Clients
<security-configure-container-backed-remote-clis-and-clients>`
:ref:`Using Container-backed Remote CLIs and Clients
<using-container-backed-remote-clis-and-clients>`
:ref:`Configure Remote Helm v2 Client
<configure-remote-helm-client-for-non-admin-users>`
View Git Blame Copy Permalink