How to connect to a Kubernetes Kapsule cluster with kubectl
Once your cluster is created, you can install a kubeconfig file using Scaleway's command-line tool on your local machine to manage your Kubernetes cluster.
You can use this with kubectl, the Kubernetes command-line tool, allowing you to run commands against your Kubernetes cluster. This enables you to deploy applications, inspect and manage cluster resources, and view logs directly from your local machine.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console.
- Owner status or IAM permissions to perform actions in the intended Organization.
- Created a Kubernetes Kapsule cluster.
- kubectl installed locally.
- The Scaleway CLI installed locally.
Setting fine-grained permissions (IAM Policies) for Kubernetes access
If your Organization uses IAM to control access, ensure that you or your group/application has the following permission sets assigned at the Project scope:
KubernetesFullAccess(orKubernetesReadOnly, depending on your needs): Grants you the ability to manage (or list/read) Kubernetes clusters, nodes, and related actions in your Scaleway Project.
If you have not yet configured IAM on your account, you can generate a kubeconfig file with IAM and the required permission sets from the Scaleway console after creating a cluster.
Accessing the cluster
You can use the Scaleway CLI to automatically retrieve (and merge) your kubeconfig file, then interact with your Kubernetes cluster.
Install and configure the Scaleway CLI
If you have not set up the Scaleway CLI yet:
- Follow our installation guide for platform-specific instructions using Homebrew, Chocolatey, or manual methods.
- Run the following command and follow the prompts to set up your CLI with your Scaleway API keys:
You will need your API Key (access key and secret key).
scw init
Retrieve and install the kubeconfig using scw
-
Run the following command to install the
kubeconfigfile for your cluster:scw k8s kubeconfig install <cluster-id>This command will:
- Download the
kubeconfigfor the specified cluster. - Merge it into your existing
kubeconfigfile (default location:~/.kube/config).
- Download the
-
Verify the installation:
kubectl get nodesA list of nodes from your Kapsule cluster should appear.
Revoking user access to the Kubernetes cluster
When a user loses access rights (e.g., departs from the Organization), the Kubernetes administrator must take steps to revoke their access to the cluster. This is typically done by modifying IAM settings, such as adjusting policies or deleting the user’s credentials.
Steps to revoke access
To revoke a user's access to the cluster, ensure that any API keys associated with the user are no longer granted permission. Here are the steps you can take:
Delete the API key
- Locate the API key associated with the user.
- Remove the key to immediately revoke access.
Modify IAM policies
- Adjust the IAM policy linked to the API key to limit or remove its permissions.
Reassign the user to a restricted group
- Transfer the principal (application or user) to a group with reduced permissions that does not allow cluster access.
Delete the principal
- Permanently remove the user or application from the IAM system to ensure no further access is possible.
Revoking kubeconfig access
To permanently revoke kubeconfig access via IAM:
- Delete the API Key: This will ensure that the user's
kubeconfigfile becomes invalid immediately. - Delete the Principal: Removing the user or application guarantees that no further access can be gained, even if residual configurations exist.