# K8s - Get started

## Getting started

### Connect to Rancher UI

**cegedim.cloud** uses [Rancher](https://rancher.com/docs/rancher/v2.x/en/) as the [Kubernetes ](https://kubernetes.io/fr/docs/home/)platform management.

Rancher handle ITCare SSO authentication : the login / password is the same as ITCare.

#### Rancher Instances <a href="#kuberneteshowtos-rancherinstances" id="kuberneteshowtos-rancherinstances"></a>

Rancher is reachable through different URLs depending on your cluster's region and environment:

| Region / Environment                           | Rancher URL                               | Access Requirements                             |
| ---------------------------------------------- | ----------------------------------------- | ----------------------------------------------- |
| **ET (Toulouse-Labège) - Production**          | <https://rancher-et.cegedim.cloud>        | Server network access only (e.g., from bastion) |
| **ET (Toulouse-Labège) - Non-Production**      | <https://rancher-et-qa.cegedim.cloud>     | Standard network access                         |
| **EB (Boulogne-Billancourt) - Production**     | <https://rancher-eb.cegedim.cloud>        | Server network access only (e.g., from bastion) |
| **EB (Boulogne-Billancourt) - Non-Production** | <https://rancher-eb-qa.cegedim.cloud>     | Standard network access                         |
| **EM (Monaco Cloud)**                          | Managed by the same Ranchers as EB region | Same access as EB                               |

{% hint style="warning" %}
**rancher-et.cegedim.cloud** and **rancher-eb.cegedim.cloud** are only accessible from the server network. You must connect through a bastion host to access these Rancher instances.
{% endhint %}

\
In ITCare, you can find your cluster URL in the cluster detail page :

<figure><img src="/files/lW0d8sQygHrRFJJm7KqG" alt=""><figcaption></figcaption></figure>

#### Connect to Rancher <a href="#kuberneteshowtos-connecttorancher" id="kuberneteshowtos-connecttorancher"></a>

Rancher will ask for an authentication at first login : simply click on "Login with OIDC"

<figure><img src="/files/UnnGQiamjMjdnRvGGEpm" alt=""><figcaption></figcaption></figure>

Then you will be redirected to the standard login process :

<figure><img src="/files/1SeJtLPb66mZgEpc3J8B" alt=""><figcaption></figcaption></figure>

Once logged in, you should have a screen listing all the clusters you have accesses to :

<figure><img src="/files/kdySWO8IXeGRN58bqI7V" alt=""><figcaption></figcaption></figure>

If the UI gets stuck on "Loading" after logging in, please try:

* Opening the Rancher URL in an incognito/private browser window
* Or connecting directly to:
  * <https://rancher-et.cegedim.cloud/dashboard/home>
  * <https://rancher-et-qa.cegedim.cloud/dashboard/home>
  * <https://rancher-eb.cegedim.cloud/dashboard/home>
  * <https://rancher-eb-qa.cegedim.cloud/dashboard/home>

If on first login you don't see your cluster in the cluster list you might want to logout and login again.

<figure><img src="/files/ckHRAWWYA1QFJgSDaZJR" alt=""><figcaption></figcaption></figure>

#### Manage your preferences <a href="#kuberneteshowtos-manageyourpreferences" id="kuberneteshowtos-manageyourpreferences"></a>

You can manage your UI preferences (dark theme, number of rows per table...) by setting up your user preferences. Please refer here to a full documentation:

{% embed url="<https://rancher.com/docs/rancher/v2.x/en/user-settings/preferences/>" %}

### Configure kubectl

In order to connect to the cluster using CLI, you have two options :

* by regular remote kubectl
* using rancher online kubectl

Both are available by getting to the "cluster" page in Rancher.\
There are two ways of doing that :

<figure><img src="/files/ZhWKbm3FhLk5JD9dtxln" alt=""><figcaption><p>Click on the cluster name in the cluster list</p></figcaption></figure>

<figure><img src="/files/mzEdwLgtSf8cPlLJosPu" alt=""><figcaption><p>Click on the cluster name in the top left menu</p></figcaption></figure>

#### Using the kubectl configuration file <a href="#kuberneteshowtos-usingthekubectlconfigurationfile" id="kuberneteshowtos-usingthekubectlconfigurationfile"></a>

Once on the cluster homepage you can download the "Kubeconfig File":

<figure><img src="/files/tkq7PkLA1cKlsXGHZ0bw" alt=""><figcaption></figcaption></figure>

Or just copy the content of "Kubeconfig File":

<figure><img src="/files/FijODHywbBzuEVdjgTTg" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
if you dont have `kubectl` we highly suggest you to install `kubectl` on your administration workstation, following [this document](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
{% endhint %}

This configuration can be mixed with other kubectl configuration.

The authentication can be shared with any cluster managed by the same rancher instance.

#### Using the web cli <a href="#kuberneteshowtos-usingthewebcli" id="kuberneteshowtos-usingthewebcli"></a>

Once on the cluster home page you can use the web cli by clicking on the below icon :

<figure><img src="/files/tHhXCVpIm5gVgVFuTXQd" alt=""><figcaption></figcaption></figure>

This should launch a web shell like this one :

<figure><img src="/files/etBiZDmFrAGDYQlfZNTP" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
This shell is temporary, any changes made inside will be discarded once the window closed. This session might get disconnected if no input/output is observed.
{% endhint %}

### Get API an Token

Token management UI is accessible right beneath the user avatar :

<figure><img src="/files/rjoW2tdLqVNTh84wWwMk" alt=""><figcaption></figcaption></figure>

#### Token scopes <a href="#kuberneteshowtos-tokenscopes" id="kuberneteshowtos-tokenscopes"></a>

There are two scopes :

* no-scope : global scope : used to interact with global rancher API
* cluster-scoped : token dedicated to access specific cluster

{% hint style="info" %}
A cluster-scoped token is recommended for configuring CI/CD pipelines.\
This means that you need a token per cluster in your CI/CD pipelines.
{% endhint %}

#### Token lifecycle <a href="#kuberneteshowtos-tokenlifecycle" id="kuberneteshowtos-tokenlifecycle"></a>

Token can have different lifecycles :

* a token can have a unlimited lifespan, it will follow the lifecycle of the account attached to it
* a specific lifetime

## Nodes management

### Scale cluster

You can use ITCare to add or remove nodes to your cluster.

## Manage Namespaces

### Understanding Project - A Rancher concept <a href="#publicdocumentationreview-understandingproject-arancherconcept" id="publicdocumentationreview-understandingproject-arancherconcept"></a>

Rancher manages namespaces via project, which is a concept specifically existing only in Kubernetes clusters managed by Rancher.

Project is not a Kubernetes native resource.

By default, a Kubernetes cluster is provisioned with 2 projects:

* System: containing core-component's namespaces like: kube-system, etc.
* Default: containng the "default" namespace

Users are free to create more Projects if needed.

Basing on Project level, Rancher offers built-in automation like: access rights granting, network isolation, etc.

Users are very encouraged to classify namespace into a Project.

### How to properly create a namespace <a href="#publicdocumentationreview-howtocreateproperlyanamespace" id="publicdocumentationreview-howtocreateproperlyanamespace"></a>

* Switch to project view

<figure><img src="/files/K6SWhrHKsbYwgzvDaaKK" alt=""><figcaption></figcaption></figure>

* Create a new namespace from project view

<figure><img src="/files/YUFqANRj3agkL2fOXuSx" alt=""><figcaption></figcaption></figure>

* Insert a unique name, and fill other fields if needed, and click on "Create"

{% hint style="info" %}
If you create a namespace with kubernetes CLI, e.g. kubectl, the created namespace will be moved into the the project parent of the namespace "default" (which is, by default, the project named Default)
{% endhint %}

## Rights Management <a href="#kuberneteshowtos-rightsmanagement" id="kuberneteshowtos-rightsmanagement"></a>

**cegedim.cloud** recommends and officially supports access rights managing via AD groups.

Only AD groups starting with G\_EMEA\_\* and G\_K8\_\* are known by Rancher.

By default, when a cluster is created:

* Standard user role is given to the group **G\_K8\_**\<CLUSTER\_NAME>**\_USERS** which contains the power users of the related Cloud
* Admin role is given to the group **G\_K8\_**\<CLUSTER\_NAME>**\_ADMINS** which is empty by default and can be populated with competent & certified users via ITCare ticket toward AD support team.

For instance, user **<user1@cegedim.com>** needs to have standard user access to cluster **test-preprod**, he needs to ask to add <user1@cegedim.com> to the AD group named **G\_K8\_TEST\_PREPROD\_USERS**.

When users create a new Project, as default owner, they are free to bind any role on any AD group in the scope of this project.

{% embed url="<https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/cluster-and-project-roles>" %}

If the Rancher predefined roles cannot fullfill your needs, please contact admins of your cluster to configure a custom rolebinding or clusterrolebinding.

{% embed url="<https://kubernetes.io/docs/reference/access-authn-authz/rbac/>" %}

### Manage Rights

**Project Level Rights Management**

{% hint style="warning" %}
**cegedim.cloud** only supports rights binding on **groups**, not individual users. This ensures consistent access management and simplifies administration.
{% endhint %}

In order to manage rights on a project, there are two ways: The UI or the API.

The highest role you can assign is **"Cegedim.Cloud Project Admin"**, which is a predefined Rancher Project Owner role with extended rights on CRD (Custom Resource Definition) resources.

#### Using UI

Edit the project that you are owner or are given to sufficient rights from the project creator.

<figure><img src="/files/oDkM294tW9B0KZkyjtbd" alt=""><figcaption></figcaption></figure>

Select the group and the role in the form.

{% hint style="info" %}
Please note that only groups starting with G\_EMEA\_\* and G\_K8\_\* are known by Rancher.
{% endhint %}

<figure><img src="/files/8WdlveRDiTU6bs8pQrlv" alt=""><figcaption></figcaption></figure>

#### Using API

Using the API is straightforward. You will first need some parameters:

* **Getting Project ID**

To get the project ID, you can use the API explorer or simply use the "View in API" button.

{% code overflow="wrap" %}

```bash
curl --request GET \
 --url https://rancher-eb.cegedim.cloud/v3/projects \
 --header 'authorization: Bearer token-tttt:token-of-doom'
```

{% endcode %}

* **Give access**

Using your API token, you can make a single POST request to create the role binding:

{% code overflow="wrap" %}

```bash
curl --request POST \
--url https://rancher-eb.cegedim.cloud/v3/projectRoleTemplateBindings \
--header 'authorization: Bearer token-tttt:token-of-doom' \
--header 'content-type: application/json' \
--data '{
"projectId": "c-6t7f4:p-d43l6",
"namespaceId":"",
"groupPrincipalId":"keycloakoidc_group_group://G_EMEA_DUPER_GROUP",
"roleTemplateId": "cgdm-project-admin"
}'
```

{% endcode %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://academy.cegedim.cloud/compute/containers-k8s/k8s-get-started.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.