# K8s - Get started ## Getting started ### Connect to Rancher UI **cegedim.cloud** uses [Rancher](https://rancher.com/docs/rancher/v2.x/en/) as the [Kubernetes ](https://kubernetes.io/fr/docs/home/)platform management. Rancher handle ITCare SSO authentication : the login / password is the same as ITCare. #### Rancher Instances Rancher is reachable through different URLs depending on your cluster's region and environment: | Region / Environment | Rancher URL | Access Requirements | | ---------------------------------------------- | ----------------------------------------- | ----------------------------------------------- | | **ET (Toulouse-Labège) - Production** | | Server network access only (e.g., from bastion) | | **ET (Toulouse-Labège) - Non-Production** | | Standard network access | | **EB (Boulogne-Billancourt) - Production** | | Server network access only (e.g., from bastion) | | **EB (Boulogne-Billancourt) - Non-Production** | | Standard network access | | **EM (Monaco Cloud)** | Managed by the same Ranchers as EB region | Same access as EB | {% hint style="warning" %} **rancher-et.cegedim.cloud** and **rancher-eb.cegedim.cloud** are only accessible from the server network. You must connect through a bastion host to access these Rancher instances. {% endhint %} \ In ITCare, you can find your cluster URL in the cluster detail page :

#### Connect to Rancher Rancher will ask for an authentication at first login : simply click on "Login with OIDC"

Then you will be redirected to the standard login process :

Once logged in, you should have a screen listing all the clusters you have accesses to :

If the UI gets stuck on "Loading" after logging in, please try: * Opening the Rancher URL in an incognito/private browser window * Or connecting directly to: * * * * If on first login you don't see your cluster in the cluster list you might want to logout and login again.

#### Manage your preferences You can manage your UI preferences (dark theme, number of rows per table...) by setting up your user preferences. Please refer here to a full documentation: {% embed url="" %} ### Configure kubectl In order to connect to the cluster using CLI, you have two options : * by regular remote kubectl * using rancher online kubectl Both are available by getting to the "cluster" page in Rancher.\ There are two ways of doing that :

Click on the cluster name in the cluster list

Click on the cluster name in the top left menu

#### Using the kubectl configuration file Once on the cluster homepage you can download the "Kubeconfig File":

Or just copy the content of "Kubeconfig File":

{% hint style="info" %} if you dont have `kubectl` we highly suggest you to install `kubectl` on your administration workstation, following [this document](https://kubernetes.io/docs/tasks/tools/install-kubectl/). {% endhint %} This configuration can be mixed with other kubectl configuration. The authentication can be shared with any cluster managed by the same rancher instance. #### Using the web cli Once on the cluster home page you can use the web cli by clicking on the below icon :

This should launch a web shell like this one :

{% hint style="info" %} This shell is temporary, any changes made inside will be discarded once the window closed. This session might get disconnected if no input/output is observed. {% endhint %} ### Get API an Token Token management UI is accessible right beneath the user avatar :

#### Token scopes There are two scopes : * no-scope : global scope : used to interact with global rancher API * cluster-scoped : token dedicated to access specific cluster {% hint style="info" %} A cluster-scoped token is recommended for configuring CI/CD pipelines.\ This means that you need a token per cluster in your CI/CD pipelines. {% endhint %} #### Token lifecycle Token can have different lifecycles : * a token can have a unlimited lifespan, it will follow the lifecycle of the account attached to it * a specific lifetime ## Nodes management ### Scale cluster You can use ITCare to add or remove nodes to your cluster. ## Manage Namespaces ### Understanding Project - A Rancher concept Rancher manages namespaces via project, which is a concept specifically existing only in Kubernetes clusters managed by Rancher. Project is not a Kubernetes native resource. By default, a Kubernetes cluster is provisioned with 2 projects: * System: containing core-component's namespaces like: kube-system, etc. * Default: containng the "default" namespace Users are free to create more Projects if needed. Basing on Project level, Rancher offers built-in automation like: access rights granting, network isolation, etc. Users are very encouraged to classify namespace into a Project. ### How to properly create a namespace * Switch to project view

* Create a new namespace from project view

* Insert a unique name, and fill other fields if needed, and click on "Create" {% hint style="info" %} If you create a namespace with kubernetes CLI, e.g. kubectl, the created namespace will be moved into the the project parent of the namespace "default" (which is, by default, the project named Default) {% endhint %} ## Rights Management **cegedim.cloud** recommends and officially supports access rights managing via AD groups. Only AD groups starting with G\_EMEA\_\* and G\_K8\_\* are known by Rancher. By default, when a cluster is created: * Standard user role is given to the group **G\_K8\_**\**\_USERS** which contains the power users of the related Cloud * Admin role is given to the group **G\_K8\_**\**\_ADMINS** which is empty by default and can be populated with competent & certified users via ITCare ticket toward AD support team. For instance, user **** needs to have standard user access to cluster **test-preprod**, he needs to ask to add to the AD group named **G\_K8\_TEST\_PREPROD\_USERS**. When users create a new Project, as default owner, they are free to bind any role on any AD group in the scope of this project. {% embed url="" %} If the Rancher predefined roles cannot fullfill your needs, please contact admins of your cluster to configure a custom rolebinding or clusterrolebinding. {% embed url="" %} ### Manage Rights **Project Level Rights Management** {% hint style="warning" %} **cegedim.cloud** only supports rights binding on **groups**, not individual users. This ensures consistent access management and simplifies administration. {% endhint %} In order to manage rights on a project, there are two ways: The UI or the API. The highest role you can assign is **"Cegedim.Cloud Project Admin"**, which is a predefined Rancher Project Owner role with extended rights on CRD (Custom Resource Definition) resources. #### Using UI Edit the project that you are owner or are given to sufficient rights from the project creator.

Select the group and the role in the form. {% hint style="info" %} Please note that only groups starting with G\_EMEA\_\* and G\_K8\_\* are known by Rancher. {% endhint %}

#### Using API Using the API is straightforward. You will first need some parameters: * **Getting Project ID** To get the project ID, you can use the API explorer or simply use the "View in API" button. {% code overflow="wrap" %} ```bash curl --request GET \ --url https://rancher-eb.cegedim.cloud/v3/projects \ --header 'authorization: Bearer token-tttt:token-of-doom' ``` {% endcode %} * **Give access** Using your API token, you can make a single POST request to create the role binding: {% code overflow="wrap" %} ```bash curl --request POST \ --url https://rancher-eb.cegedim.cloud/v3/projectRoleTemplateBindings \ --header 'authorization: Bearer token-tttt:token-of-doom' \ --header 'content-type: application/json' \ --data '{ "projectId": "c-6t7f4:p-d43l6", "namespaceId":"", "groupPrincipalId":"keycloakoidc_group_group://G_EMEA_DUPER_GROUP", "roleTemplateId": "cgdm-project-admin" }' ``` {% endcode %}