Access from laptop
This guide will take you through the required tools and permissions that need to be in place for you to be able to operate your own NAIS application directly from your laptop.
Set up a team
The primary unit of access is a team, whose origin lies in NAIS teams. Each team is given its own namespace with the same name as the team. The team will have unrestricted access to all Kubernetes assets in that namespace.
See creating a new team to get started with teams. After creating a new team, you should have access to all clusters.
You're probably part of an existing team
If this is your first time here, chances are that you're already part of a team in the context of NAIS. Please speak with your colleagues in order to figure this out. You can also log in to NAIS console and check.
Install naisdevice
naisdevice ensures that your laptop meets NAV's requirements before allowing access to internal resources such as our NAIS clusters. Install by following the naisdevice installation guide.
Install nais-cli
nais-cli is a simple CLI application that developers in NAV can use. Install by following the nais-cli installation guide.
Install kubectl
kubectl is a command-line tool used to manage your Kubernetes resources. Check out kubectl's official documentation for instructions on how to install the binaries.
Remember that kubectl is supported within one minor version (older or newer) of kube-apiserver. This is called version skew.
On-prem version is shown in Grafana - clusters.
Using brew to manage kubectl will make it troublesome to be within the version skew, as it's hard to downgrade kubectl to older versions. Therefore we recommend installing kubectl manually, or through tools like asdf.
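The version skew rule above can be checked in the shell before you start working against a cluster. This is an added example, not part of the NAIS documentation; the function names minor_of, skew_ok and check_context are hypothetical, and the version strings in the loop are constructed samples.

```shell
#!/bin/sh
# Added example: the version skew rule (client within one minor of the server).

# minor_of VERSION: print the minor number of a Kubernetes version string.
# Handles "v1.28.3", "1.28.3", "v1.27+" and "v1.27.8-gke.1067004".
# Kubernetes has only shipped major version 1, so only the minor is compared.
minor_of() {
    v=${1#v}                     # drop a leading "v"
    case $v in
        *.*) ;;                  # needs at least MAJOR.MINOR
        *) return 1 ;;
    esac
    rest=${v#*.}                 # "28.3" or "27.8-gke.1067004"
    minor=${rest%%.*}            # "28", or "27+" when there is no patch part
    minor=${minor%%[!0-9]*}      # keep the leading digits only
    [ -n "$minor" ] || return 1
    printf '%s\n' "$minor"
}

# skew_ok CLIENT SERVER: 0 = within one minor version, 1 = outside, 2 = unparsable.
skew_ok() {
    c=$(minor_of "$1") || return 2
    s=$(minor_of "$2") || return 2
    diff=$((c - s))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    [ "$diff" -le 1 ]
}

# check_context: compare the local kubectl with the API server of the current
# context. Assumption: the JSON output lists clientVersion before
# serverVersion, each with a "gitVersion" field.
check_context() {
    out=$(kubectl version -o json) || return 2
    set -- $(printf '%s\n' "$out" | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p')
    echo "client $1, server $2"
    skew_ok "$1" "$2"
}

# Constructed sample pairs (client, server), not taken from a real cluster.
for pair in "v1.28.2 v1.27.8-gke.1067004" "v1.30.1 v1.27.8" "1.26.0 v1.27+"; do
    set -- $pair
    if skew_ok "$1" "$2"; then
        echo "$1 vs $2: within skew"
    else
        echo "$1 vs $2: outside skew, install a matching kubectl"
    fi
done
```

Call check_context after selecting a context to compare your installed kubectl with that cluster's API server.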
Set up your kubeconfig
The kubectl tool uses a kubeconfig file to get the information it needs in order to connect to a cluster. We provide the command nais kubeconfig to set up the necessary clusters. kubectl will by default look for a file named config in the $HOME/.kube/ folder.
If you have configured kubectl before
If you have configured kubectl before, ensure you have updated nais-cli and run nais kubeconfig --clean.
Authenticate kubectl
Google Cloud Platform (GCP)
Before following these steps, make sure your team is enabled for Google Cloud Platform.
You will also need to perform a self-service step to synchronize your user from Azure AD to Google Cloud Platform. This can be done by following these steps:
- Login to My Apps > Add Application
- Locate "Google Cloud Platform", and click on the icon
After you have done this your user will be synced to Google Cloud Platform. The sync is not instantaneous, but usually does not take more than a few minutes.
First you need to install gcloud following the instructions for your platform.
Once installed, you need to authenticate with Google using your NAV e-mail.
You will also need to install a plugin in order to authenticate to the Kubernetes clusters:
Then, select a cluster:
And verify that you're connected:
On-premise
Before accessing on-premise clusters, you need to install kubelogin.
When connecting to on-premise clusters, you need to authenticate with Azure AD.
$ kubectl config use-context prod-fss
Switched to context "prod-fss".
$ kubectl get pods
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CR69DPQQZ to authenticate.
When prompted like above, go to the address and enter the code.
You then log in with your NAV e-mail and password.
When done, kubectl will update your kubeconfig file with the tokens needed to gain access to the cluster.
Recommended tools
- kubectx - Simplifies changing cluster and namespace context.
- kubeaware - Visualize which cluster and namespace is currently active.
- Starship - Visualize which cluster and namespace is currently active in your terminal prompt, amongst many other things. Kubernetes specific config
- emacs-kubectx-mode - Switch kubectl context and namespace in Emacs and display current setting in mode line.
Created: 2019-09-09