NavigationContentFooter
Jump toSuggest an edit
Was this page helpful?

How to connect to a Kubernetes Kapsule cluster with kubectl

Reviewed on 27 January 2025Published on 20 September 2020

Once your cluster is created, you can install a kubeconfig file using Scaleway’s command-line tool on your local machine to manage your Kubernetes cluster.

You can use this with kubectl, the Kubernetes command-line tool, allowing you to run commands against your Kubernetes cluster. This enables you to deploy applications, inspect and manage cluster resources, and view logs directly from your local machine.

Before you startLink to this anchor

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console.
  • Owner status or IAM permissions to perform actions in the intended Organization.
  • Created a Kubernetes Kapsule cluster.
  • kubectl installed locally.
  • The Scaleway CLI installed locally.

Setting fine-grained permissions (IAM Policies) for Kubernetes accessLink to this anchor

If your Organization uses IAM to control access, ensure that you or your group/application has the following permission sets assigned at the Project scope:

  • KubernetesFullAccess (or KubernetesReadOnly, depending on your needs): Grants you the ability to manage (or list/read) Kubernetes clusters, nodes, and related actions in your Scaleway Project.

To create a new policy with the correct permission sets, follow these steps:

Configure an IAM policyLink to this anchor

  1. Create a new policy: Navigate to the Policies tab in your Organization’s IAM console and create a new policy.
  2. Add your user (or group/application): Assign your user, group, or application as the Principal.
  3. Add an IAM rule:
    • Scope: Set to Access to resources and specify the desired Project(s).
    • Permission Sets: Include the following as needed:
      • KubernetesFullAccess for full cluster management.
      • KubernetesReadOnly for read-only access.
  4. Click Validate and then Create Policy.
Tip
  • Refer to our policy and permission sets documentation for more details.
  • Scaleway may automatically generate IAM resources, such as applications, groups and policies. Refer to auto-generated IAM resources for further information.

Accessing the clusterLink to this anchor

You can use the Scaleway CLI to automatically retrieve (and merge) your kubeconfig file, then interact with your Kubernetes cluster.

Install and configure the Scaleway CLILink to this anchor

If you have not set up the Scaleway CLI yet:

  1. Follow our installation guide for platform-specific instructions using Homebrew, Chocolatey, or manual methods.
  2. Run the following command and follow the prompts to set up your CLI with your Scaleway API keys: 
    scw init
    You will need your API Key (access key and secret key).

Retrieve and install the kubeconfig using scwLink to this anchor

  1. Run the following command to install the kubeconfig file for your cluster:

    scw k8s kubeconfig install <cluster-id>

    This command will:

    • Download the kubeconfig for the specified cluster.
    • Merge it into your existing kubeconfig file (default location: ~/.kube/config).

  2. Verify the installation:

    kubectl get nodes

    A list of nodes from your Kapsule cluster should appear.

Tip

Refer to our complete Documentation for scw k8s to learn more about all available commands to manage your Kubernetes cluster using scw.

Revoking user access to the Kubernetes clusterLink to this anchor

When a user loses access rights (e.g., departs from the Organization), the Kubernetes administrator must take steps to revoke their access to the cluster. This is typically done by modifying IAM settings, such as adjusting policies or deleting the user’s credentials.

Steps to revoke accessLink to this anchor

To revoke a user’s access to the cluster, ensure that any API keys associated with the user are no longer granted permission. Here are the steps you can take:

Delete the API key

  • Locate the API key associated with the user.
  • Remove the key to immediately revoke access.

Modify IAM policies

  • Adjust the IAM policy linked to the API key to limit or remove its permissions.

Reassign the user to a restricted group

  • Transfer the principal (application or user) to a group with reduced permissions that does not allow cluster access.

Delete the principal

  • Permanently remove the user or application from the IAM system to ensure no further access is possible.

Revoking kubeconfig accessLink to this anchor

To permanently revoke kubeconfig access via IAM:

  • Delete the API Key: This will ensure that the user’s kubeconfig file becomes invalid immediately.
  • Delete the Principal: Removing the user or application guarantees that no further access can be gained, even if residual configurations exist.
Note
  • Be cautious when modifying IAM policies to avoid unintended access issues for other users or services.
  • Regularly audit IAM settings and API keys to ensure compliance with organizational security policies.
See also
How to manage allowed IPsHow to deploy an image from Container Registry
Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2025 – Scaleway