
How to connect to a fully isolated Kubernetes Kapsule cluster using Public Gateway

When creating your cluster, you can choose to connect it to a Private Network using full isolation. The control plane is created without a public IP, and a Public Gateway is required to connect to it.

You can connect to the control plane using your Public Gateway's SSH bastion. This lets you manage your cluster using kubectl and other tools while ensuring that its control plane is not exposed to the Internet.

Before you start

To complete the actions presented below, you must have:

Opening an SSH tunnel to the Kubernetes Kapsule control plane

To connect to the fully isolated Kubernetes Kapsule control plane, you can open an SSH tunnel using the Public Gateway's SSH bastion. This will port-forward the control plane to a local port, to which you can then connect.

Finding your cluster's URL

  1. Click Kubernetes in the Containers section of the Scaleway console side menu. The Kubernetes dashboard displays.
  2. From the drop-down menu, select the geographical region you want to manage.
  3. Click on the name of the cluster you want to connect to. The cluster overview page displays.
  4. Scroll down to the Network section, then click the URL value. The URL is copied to your clipboard.

Opening the SSH tunnel

Open a terminal on your computer, then run the following command:

ssh -fNL 6443:<CLUSTER_URL_WITHOUT_HTTPS> bastion@<PUBLIC_GATEWAY_PUBLIC_IP> -p <SSH_BASTION_PORT>

Replace the placeholders with your own values. <CLUSTER_URL_WITHOUT_HTTPS> should end in :6443, which is the control plane's port.

Here is an example command:

ssh -fNL 6443:1379355f-f36a-4383-9791-b6c573dea811.api.k8s.fr-par.scw.cloud:6443 bastion@51.159.153.192 -p 61000

Note

The command contains several ssh flags:

  • -f runs the command in the background;
  • -N tells ssh not to run a remote command, which is what we want here since we only need port-forwarding;
  • -L sets up port-forwarding from a local port (here, port 6443) to a given host and port on the remote side;
  • -p indicates the remote SSH port.

A tunnel to the Kubernetes Kapsule control plane is opened: all local traffic to port 6443 will now be redirected to the control plane through the Public Gateway's SSH bastion.

Accessing the cluster

Editing the /etc/hosts file

The downloaded kubeconfig file points to the control plane's URL, which is currently unreachable because the control plane has no public IP. However, you can redirect traffic for that URL to the locally forwarded port by editing your /etc/hosts file.

Open the /etc/hosts file on your computer using a text editor, and add the following line:

127.0.0.1 <CLUSTER_URL_WITHOUT_HTTPS>

Using the same values as the previous example, the line would be as follows (the :6443 port suffix is left out, since /etc/hosts entries contain only hostnames):

127.0.0.1 1379355f-f36a-4383-9791-b6c573dea811.api.k8s.fr-par.scw.cloud

Processes on your computer now resolve your cluster's hostname to 127.0.0.1, your localhost address.

Using kubectl

You can now manage your cluster using kubectl. Run the following command:

kubectl get nodes

A list of nodes from your Kapsule cluster should appear.

Note

You need to run the ssh command again every time your computer reboots. This can be automated using various tools such as shell scripts.
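
One way to script the steps above so they can be re-run after a reboot, as an added example that is not part of Scaleway's documentation. The function names and the script name are hypothetical and nc is assumed to be installed; the script goes slightly beyond the page by binding the forward to 127.0.0.1 explicitly and setting ExitOnForwardFailure=yes.

```shell
#!/bin/sh
# Added example (not Scaleway's code): re-runnable helper for the tunnel above.

# Reduce a cluster URL to its bare hostname: drop "https://" and ":6443".
cluster_host() (
  h="${1#https://}"
  printf '%s\n' "${h%%:*}"
)

# Succeed only if the hosts file maps the cluster hostname to 127.0.0.1.
# $2 defaults to /etc/hosts; anything after a "#" is ignored.
hosts_entry_ok() {
  awk -v h="$1" '
    { sub(/#.*/, "") }
    $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit !found }' "${2:-/etc/hosts}"
}

# Print the ssh arguments, one per line. Binding -L to 127.0.0.1 explicitly
# keeps the forwarded API port off other interfaces whatever GatewayPorts says;
# ExitOnForwardFailure makes ssh exit instead of backgrounding a dead tunnel.
tunnel_args() {
  printf '%s\n' -fN -o ExitOnForwardFailure=yes \
    -L "127.0.0.1:6443:$(cluster_host "$1"):6443" \
    -p "$3" "bastion@$2"
}

# Open the tunnel unless something already listens on local port 6443.
# Assumes nc (netcat) is installed for the listening check.
open_tunnel() {
  host="$(cluster_host "$1")"
  if ! hosts_entry_ok "$host"; then
    echo "missing '127.0.0.1 $host' in /etc/hosts" >&2
    return 1
  fi
  if nc -z 127.0.0.1 6443 2>/dev/null; then
    echo "local port 6443 already listening, not opening a second tunnel"
    return 0
  fi
  # The arguments contain no whitespace, so word splitting is safe here.
  # shellcheck disable=SC2046
  ssh $(tunnel_args "$1" "$2" "$3")
}

# Usage: ./kapsule-tunnel.sh <CLUSTER_URL> <PUBLIC_GATEWAY_PUBLIC_IP> <SSH_BASTION_PORT>
if [ "$#" -eq 3 ]; then open_tunnel "$@"; fi
```

The script accepts the cluster URL with or without the https:// prefix and port, and refuses to start the tunnel when the /etc/hosts entry is missing, so kubectl never silently tries the unreachable address.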
