K8s - Get started
Getting started
Connect to Rancher UI
cegedim.cloud uses Rancher as its Kubernetes management platform.
Rancher handles ITCare SSO authentication: the login and password are the same as for ITCare.
Rancher Instances
Rancher is reachable through different URLs depending on your cluster's region and environment:
ET (Toulouse-Labège) - Production: server network access only (e.g., from bastion)
EB (Boulogne-Billancourt) - Production: server network access only (e.g., from bastion)
EB (Boulogne-Billancourt) - Non-Production: standard network access
EM (Monaco Cloud): managed by the same Rancher instances as the EB region; same access as EB
rancher-et.cegedim.cloud and rancher-eb.cegedim.cloud are only accessible from the server network. You must connect through a bastion host to access these Rancher instances.
In ITCare, you can find your cluster URL in the cluster detail page:

Connect to Rancher
Rancher will ask for authentication at first login: simply click on "Login with OIDC".

You will then be redirected to the standard login process:

Once logged in, you should see a screen listing all the clusters you have access to:

If the UI gets stuck on "Loading" after logging in, please try:
Opening the Rancher URL in an incognito/private browser window
If you don't see your cluster in the cluster list on first login, try logging out and logging in again.

Manage your preferences
You can manage your UI preferences (dark theme, number of rows per table...) by setting up your user preferences. Please refer to the full documentation here:
Configure kubectl
To connect to the cluster using the CLI, you have two options:
regular remote kubectl
Rancher's online kubectl
Both are available from the "cluster" page in Rancher. There are two ways of getting there:


Using the kubectl configuration file
Once on the cluster homepage you can download the "Kubeconfig File":

Or just copy the content of "Kubeconfig File":

This configuration can be merged with other kubectl configurations.
The authentication can be shared with any cluster managed by the same Rancher instance.
Using the web CLI
Once on the cluster home page, you can use the web CLI by clicking on the icon below:

This should launch a web shell like this one:

Get an API Token
The token management UI is accessible right beneath the user avatar:

Token scopes
There are two scopes:
no-scope (global scope): used to interact with the global Rancher API
cluster-scoped: token dedicated to accessing a specific cluster
Token lifecycle
Tokens can have different lifecycles:
a token can have an unlimited lifespan, in which case it follows the lifecycle of the account attached to it
a specific lifetime
Nodes management
Scale cluster
You can use ITCare to add nodes to or remove nodes from your cluster.
Manage Namespaces
Understanding Project - A Rancher concept
Rancher manages namespaces via Projects, a concept that exists only in Kubernetes clusters managed by Rancher.
A Project is not a Kubernetes native resource.
By default, a Kubernetes cluster is provisioned with 2 projects:
System: containing the core components' namespaces, such as kube-system
Default: containing the "default" namespace
Users are free to create more Projects if needed.
At the Project level, Rancher offers built-in automation such as access rights granting, network isolation, etc.
Users are strongly encouraged to assign each namespace to a Project.
How to properly create a namespace
Switch to project view

Create a new namespace from project view

Enter a unique name, fill in the other fields if needed, and click on "Create".
Rights Management
cegedim.cloud recommends and officially supports managing access rights via AD groups.
Only AD groups starting with G_EMEA_* and G_K8_* are known by Rancher.
By default, when a cluster is created:
The standard user role is given to the group G_K8_<CLUSTER_NAME>_USERS, which contains the power users of the related Cloud
The admin role is given to the group G_K8_<CLUSTER_NAME>_ADMINS, which is empty by default and can be populated with competent & certified users via an ITCare ticket to the AD support team.
For instance, if user [email protected] needs standard user access to cluster test-preprod, he needs to ask for [email protected] to be added to the AD group named G_K8_TEST_PREPROD_USERS.
When users create a new Project, as its default owner they are free to bind any role to any AD group within the scope of this project.
If the Rancher predefined roles cannot fulfill your needs, please contact the admins of your cluster to configure a custom rolebinding or clusterrolebinding.
Manage Rights
Project Level Rights Management
cegedim.cloud only supports rights binding on groups, not individual users. This ensures consistent access management and simplifies administration.
To manage rights on a project, there are two ways: the UI or the API.
The highest role you can assign is "Cegedim.Cloud Project Admin", which is a predefined Rancher Project Owner role with extended rights on CRD (Custom Resource Definition) resources.
Using UI
Edit a project that you own, or on which the project creator has given you sufficient rights.

Select the group and the role in the form.

Using API
Using the API is straightforward. You will first need some parameters:
Getting Project ID
To get the project ID, you can use the API explorer or simply use the "View in API" button.
Give access
Using your API token, you can make a single POST request to create the role binding:
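The request described above, as an added example (not code from the original page or from cegedim.cloud) that also enforces this page's group-only and group-prefix rules before anything is sent. It assumes Rancher's v3 `projectroletemplatebindings` endpoint and a `<provider>_group://` principal ID format; the host, project ID, principal ID and token are constructed placeholders, and `project-member` is a Rancher built-in role template.

```python
import json
import os
import re
import urllib.request

ALLOWED_PREFIXES = ("G_EMEA_", "G_K8_")  # groups known to Rancher, per this page
PROJECT_ID_RE = re.compile(r"^[a-z0-9-]+:p-[a-z0-9]+$")  # assumed "<cluster>:p-<id>"


def group_name(principal_id: str) -> str:
    """Extract the group name from a group principal ID (assumed format)."""
    scheme, sep, rest = principal_id.partition("://")
    if not sep or not scheme.endswith("_group"):
        raise ValueError("only group principals may be bound, not users")
    first_rdn = rest.split(",", 1)[0]  # handles an AD DN such as CN=G_K8_X,OU=...
    return first_rdn.split("=", 1)[-1]


def build_binding(project_id: str, role_template_id: str, principal_id: str) -> dict:
    """Validate the inputs against the page's rules and return the POST body."""
    if not PROJECT_ID_RE.match(project_id):
        raise ValueError(f"unexpected project ID: {project_id!r}")
    name = group_name(principal_id)
    if not name.startswith(ALLOWED_PREFIXES):
        raise ValueError(f"group {name!r} is not known by Rancher")
    return {"projectId": project_id, "roleTemplateId": role_template_id,
            "groupPrincipalId": principal_id}


def build_request(base_url: str, token: str, body: dict) -> urllib.request.Request:
    """Prepare (but do not send) the POST; the token travels only in a header."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/v3/projectroletemplatebindings",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Constructed sample values; the token is read from the environment, not hardcoded.
    body = build_binding("c-abc12:p-xyz34", "project-member",
                         "PROVIDER_group://G_K8_TEST_PREPROD_USERS")
    req = build_request("https://rancher.example.invalid",
                        os.environ.get("RANCHER_TOKEN", "token-PLACEHOLDER"), body)
    print(req.get_method(), req.full_url, body)
    # urllib.request.urlopen(req) would submit it; omitted so the example runs offline.
```

A cluster-scoped token with a specific lifetime keeps the blast radius small if the token leaks from a shell history or CI log.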