- Refer to our policy and permission sets documentation for more details.
- Scaleway may automatically generate IAM resources, such as applications, groups and policies. Refer to auto-generated IAM resources for further information.
How to connect to a Kubernetes Kapsule cluster with kubectl
Once your cluster is created, you can install a kubeconfig file using Scaleway’s command-line tool on your local machine to manage your Kubernetes cluster.
You can use this with kubectl, the Kubernetes command-line tool, allowing you to run commands against your Kubernetes cluster. This enables you to deploy applications, inspect and manage cluster resources, and view logs directly from your local machine.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console.
- Owner status or IAM permissions to perform actions in the intended Organization.
- Created a Kubernetes Kapsule cluster.
- kubectl installed locally.
- The Scaleway CLI installed locally.
Setting fine-grained permissions (IAM Policies) for Kubernetes access
If your Organization uses IAM to control access, ensure that you or your group/application has the following permission sets assigned at the Project scope:
- KubernetesFullAccess (or KubernetesReadOnly, depending on your needs): Grants you the ability to manage (or list/read) Kubernetes clusters, nodes, and related actions in your Scaleway Project.
To create a new policy with the correct permission sets, follow these steps:
Configure an IAM policy
- Create a new policy: Navigate to the Policies tab in your Organization’s IAM console and create a new policy.
- Add your user (or group/application): Assign your user, group, or application as the Principal.
- Add an IAM rule:
  - Scope: Set to Access to resources and specify the desired Project(s).
  - Permission Sets: Include the following as needed:
    - KubernetesFullAccess for full cluster management.
    - KubernetesReadOnly for read-only access.
- Click Validate and then Create Policy.
Accessing the cluster
You can use the Scaleway CLI to automatically retrieve (and merge) your kubeconfig file, then interact with your Kubernetes cluster.
Install and configure the Scaleway CLI
If you have not set up the Scaleway CLI yet:
- Follow our installation guide for platform-specific instructions using Homebrew, Chocolatey, or manual methods.
- Run the following command and follow the prompts to set up your CLI with your Scaleway API keys:
  scw init
  You will need your API Key (access key and secret key).
Retrieve and install the kubeconfig using scw
- Run the following command to install the kubeconfig file for your cluster:
  scw k8s kubeconfig install <cluster-id>
  This command will:
  - Download the kubeconfig for the specified cluster.
  - Merge it into your existing kubeconfig file (default location: ~/.kube/config).
- Verify the installation:
  kubectl get nodes
  A list of nodes from your Kapsule cluster should appear.
Refer to our complete Documentation for scw k8s to learn more about all available commands to manage your Kubernetes cluster using scw.
Revoking user access to the Kubernetes cluster
When a user loses access rights (e.g., departs from the Organization), the Kubernetes administrator must take steps to revoke their access to the cluster. This is typically done by modifying IAM settings, such as adjusting policies or deleting the user’s credentials.
Steps to revoke access
To revoke a user’s access to the cluster, ensure that any API keys associated with the user are no longer granted permission. Here are the steps you can take:
Delete the API key
- Locate the API key associated with the user.
- Remove the key to immediately revoke access.
Modify IAM policies
- Adjust the IAM policy linked to the API key to limit or remove its permissions.
Reassign the user to a restricted group
- Transfer the principal (application or user) to a group with reduced permissions that does not allow cluster access.
Delete the principal
- Permanently remove the user or application from the IAM system to ensure no further access is possible.
Revoking kubeconfig access
To permanently revoke kubeconfig access via IAM:
- Delete the API Key: This will ensure that the user’s kubeconfig file becomes invalid immediately.
- Delete the Principal: Removing the user or application guarantees that no further access can be gained, even if residual configurations exist.
- Be cautious when modifying IAM policies to avoid unintended access issues for other users or services.
- Regularly audit IAM settings and API keys to ensure compliance with organizational security policies.
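A workstation-side check for the kubeconfig installed above, added here as an example and not part of Scaleway's documentation or tooling: it flags a kubeconfig readable by other local users and lists the user entries that still carry a static credential, which are the residual configurations to clean up after revocation. The function name kubeconfig_audit is hypothetical, and the script assumes the credential is stored as a token: field under users: with each entry written name-first, as kubectl does.

```shell
# Added example (not Scaleway code): audit a kubeconfig for loose file
# permissions and for user entries that embed a static bearer token.
# Assumption: entries under "users:" are written name-first, as kubectl does.
kubeconfig_audit() {
  f=${1:-"$HOME/.kube/config"}
  [ -f "$f" ] || { echo "missing file=$f"; return 2; }
  findings=""

  # 1. The file holds credentials, so only its owner should have access.
  #    GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;                                   # no group/other bits set
    *) findings="loose-permissions mode=$mode file=$f" ;;
  esac

  # 2. Report which users carry a token, never the token value itself.
  tokens=$(awk '
    /^[A-Za-z-]+:/          { in_users = ($1 == "users:") }  # top-level key
    in_users && /^- +name:/ { name = $3 }
    in_users && /^ +token:/ { print "static-token user=" name }
  ' "$f")

  out=$(printf '%s\n%s\n' "$findings" "$tokens" | sed '/^$/d')
  if [ -z "$out" ]; then
    return 0                                  # nothing to report
  fi
  printf '%s\n' "$out"
  return 1                                    # at least one finding
}
```

Run it as `kubeconfig_audit ~/.kube/config`; exit status 1 means at least one finding was printed.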