
# Creating a static configuration file

Static configuration files allow you to access a [Managed Service for Kubernetes cluster](../../concepts/index.md#kubernetes-cluster) without using the CLI, e.g., from continuous integration systems.

{% note tip %}

For integration with GitLab, we recommend using the GitLab Runner application installed in the cluster. Learn more in [Continuous deployment of containerized applications using GitLab](../../tutorials/gitlab-containers.md).

{% endnote %}

You can also use a static configuration file to configure access to multiple Managed Service for Kubernetes clusters. You can quickly switch between Managed Service for Kubernetes clusters described in configuration files using the `kubectl config use-context` command. Learn more about configuring access to multiple Managed Service for Kubernetes clusters in [this Kubernetes guide](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).

To create a configuration file:
* [Get a unique cluster ID](#k8s-id).
* [Prepare a Managed Service for Kubernetes cluster certificate](#prepare-cert).
* [Create a ServiceAccount object](#create-sa).
* [Prepare a ServiceAccount token](#prepare-token).
* [Create and populate a configuration file](#create-conf-file).
* [Check the result](#check-result).

To run bash commands, you will need a JSON parser, [jq](https://stedolan.github.io/jq/download/).

## Getting started {#before-you-begin}

1. [Create a service account](../../../iam/operations/sa/create.md).
1. [Create a Managed Service for Kubernetes cluster](../kubernetes-cluster/kubernetes-cluster-create.md#kubernetes-cluster-create) with any suitable configuration.
1. [Create a node group](../node-group/node-group-create.md) with any suitable configuration.
1. [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [set it up to work with the new cluster](index.md#kubectl-connect). Add the credentials to the `test.kubeconfig` configuration file using the `--kubeconfig=test.kubeconfig` parameter.

## Get a unique cluster ID {#k8s-id}

To access a Managed Service for Kubernetes cluster, use its unique ID. Save it to a variable and use it in other commands.
1. Get the unique ID of the Managed Service for Kubernetes cluster:

   {% list tabs group=instructions %}

   - Management console {#console}

     1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder).
     1. Navigate to **Managed Service for Kubernetes**.
     1. Click the name of the Managed Service for Kubernetes cluster.

     The unique ID of the Managed Service for Kubernetes cluster will appear in the **ID** field.

   - CLI {#cli}

     ```bash
     yc managed-kubernetes cluster list
     ```

     Result:

     ```text
     +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
     |          ID          |  NAME  |     CREATED AT      | HEALTH  | STATUS  |    EXTERNAL ENDPOINT   |  INTERNAL ENDPOINT |
     +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
     | catb3ppsdsh7******** | my-k8s | 2019-09-04 15:17:11 | HEALTHY | RUNNING | https://84.201.148.31/ | https://10.0.0.24/ |
     +----------------------+--------+---------------------+---------+---------+------------------------+--------------------+
     ```

   {% endlist %}

1. Save the unique ID of the Managed Service for Kubernetes cluster to a variable:

   {% list tabs group=programming_language %}

   - Bash {#bash}

     ```bash
     CLUSTER_ID=catb3ppsdsh7********
     ```

   - PowerShell {#powershell}

     ```shell script
     $CLUSTER_ID = "catb3ppsdsh7********"
     ```

   {% endlist %}

## Prepare a cluster certificate {#prepare-cert}

Save the Managed Service for Kubernetes cluster certificate to the `ca.pem` file. This certificate confirms the authenticity of the Managed Service for Kubernetes cluster.

{% list tabs group=programming_language %}

- Bash {#bash}

  Run a command that:
  * Retrieves the Managed Service for Kubernetes cluster information in JSON format.
  * Only retains the certificate information and removes excessive quotation marks from the certificate contents.
  * Removes excessive characters from the certificate contents.
  * Saves the certificate to the `ca.pem` file.

  ```bash
  yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | \
    jq -r .master.master_auth.cluster_ca_certificate | \
    awk '{gsub(/\\n/,"\n")}1' > ca.pem
  ```

- PowerShell {#powershell}

  1. Get the Managed Service for Kubernetes cluster details in JSON format and save it to the `$CLUSTER` variable:

     ```shell script
     $CLUSTER = yc managed-kubernetes cluster get --id $CLUSTER_ID --format json | ConvertFrom-Json
     ```

  1. Get the Managed Service for Kubernetes cluster certificate and save it to the `ca.pem` file:

     ```shell script
     $CLUSTER.master.master_auth.cluster_ca_certificate | Set-Content ca.pem
     ```

{% endlist %}

## Create a ServiceAccount object {#create-sa}

Create a `ServiceAccount` object to interact with the Kubernetes API inside the Managed Service for Kubernetes cluster.
1. Save the following specification to a YAML file named `sa.yaml`. It creates the `ServiceAccount` object, binds it to the `cluster-admin` cluster role, and, for Kubernetes 1.24 or higher, creates a secret for its token.

   For more information about the `ServiceAccount` object, see [this Kubernetes guide](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/).

   {% list tabs %}

   - Kubernetes version: 1.24 or higher

     ```yaml
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: admin-user
       namespace: kube-system
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: admin-user
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: cluster-admin
     subjects:
     - kind: ServiceAccount
       name: admin-user
       namespace: kube-system
     ---
     apiVersion: v1
     kind: Secret
     type: kubernetes.io/service-account-token
     metadata:
       name: admin-user-token
       namespace: kube-system
       annotations:
         kubernetes.io/service-account.name: "admin-user"
     ```

   - Kubernetes version: 1.23 or lower

     ```yaml
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: admin-user
       namespace: kube-system
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: admin-user
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: cluster-admin
     subjects:
     - kind: ServiceAccount
       name: admin-user
       namespace: kube-system
     ```

   {% endlist %}

1. Create a `ServiceAccount` object and a secret for it:

   ```bash
   kubectl create -f sa.yaml
   ```

## Prepare a ServiceAccount token {#prepare-token}

This token is used to authenticate the `ServiceAccount` object in the Managed Service for Kubernetes cluster.

{% list tabs group=programming_language %}

- Bash {#bash}

  Run a command that:
  * Retrieves information about the previously created `admin-user` [service account](../../../iam/concepts/users/service-accounts.md) in JSON format.
  * Only retains the token information and removes excessive quotation marks from the token contents.
  * Decodes the token from Base64.
  * Saves the token contents to the `SA_TOKEN` variable.

  ```bash
  SA_TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | \
    grep admin-user-token | \
    awk '{print $1}') -o json | \
    jq -r .data.token | \
    base64 -d)
  ```

- PowerShell {#powershell}

  1. Get a token for the `ServiceAccount` object. Quotation marks in its contents will be removed automatically:

     ```shell script
     $SECRET = kubectl -n kube-system get secret -o json | `
       ConvertFrom-Json | `
       Select-Object -ExpandProperty items | `
       Where-Object { $_.metadata.name -like "*admin-user*" }
     ```

  1. Decode the token from Base64:

     ```shell script
     $SA_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SECRET.data.token))
     ```

{% endlist %}

## Get the cluster IP address {#get-cluster-ip}

Get the Managed Service for Kubernetes cluster [IP address](../../../vpc/concepts/address.md) and add it to the `MASTER_ENDPOINT` variable for future use.

{% list tabs group=programming_language %}

- Bash {#bash}

  Run a command that:
  * Retrieves the Managed Service for Kubernetes cluster details in JSON format based on its unique ID.
  * Retains only the Managed Service for Kubernetes cluster IP address.
  * Removes excessive quotation marks from its contents.
  * Writes the IP address to the `MASTER_ENDPOINT` variable.

  To connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

  ```bash
  MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
    --format json | \
    jq -r .master.endpoints.external_v4_endpoint)
  ```

  To connect to the [master](../../concepts/index.md#master) through the Managed Service for Kubernetes cluster API from [cloud networks](../../../vpc/concepts/network.md#network):

  ```bash
  MASTER_ENDPOINT=$(yc managed-kubernetes cluster get --id $CLUSTER_ID \
    --format json | \
    jq -r .master.endpoints.internal_v4_endpoint)
  ```

- PowerShell {#powershell}

  Run the command below to connect to the Managed Service for Kubernetes cluster API from the internet (outside Yandex Cloud):

  ```shell script
  $MASTER_ENDPOINT = $CLUSTER.master.endpoints.external_v4_endpoint
  ```

  Run the command below to connect to the Managed Service for Kubernetes cluster API from cloud networks:

  ```shell script
  $MASTER_ENDPOINT = $CLUSTER.master.endpoints.internal_v4_endpoint
  ```

{% endlist %}

## Add data to the configuration file {#create-conf-file}

1. Add information about the Managed Service for Kubernetes cluster to the configuration file.

   {% list tabs group=programming_language %}

   - Bash {#bash}

     Run this command:

     ```bash
     kubectl config set-cluster sa-test2 \
       --certificate-authority=ca.pem \
       --embed-certs \
       --server=$MASTER_ENDPOINT \
       --kubeconfig=test.kubeconfig
     ```

   - PowerShell {#powershell}

     Run this command:

     ```shell script
     kubectl config set-cluster sa-test2 `
       --certificate-authority=ca.pem `
       --embed-certs `
       --server=$MASTER_ENDPOINT `
       --kubeconfig=test.kubeconfig
     ```

   {% endlist %}

1. Add information about the token for `admin-user` to the configuration file.

   {% list tabs group=programming_language %}

   - Bash {#bash}

     Run this command:

     ```bash
     kubectl config set-credentials admin-user \
       --token=$SA_TOKEN \
       --kubeconfig=test.kubeconfig
     ```

   - PowerShell {#powershell}

     Run this command:

     ```shell script
     kubectl config set-credentials admin-user `
       --token=$SA_TOKEN `
       --kubeconfig=test.kubeconfig
     ```

   {% endlist %}

1. Add context information to the configuration file.

   {% list tabs group=programming_language %}

   - Bash {#bash}

     Run this command:

     ```bash
     kubectl config set-context default \
       --cluster=sa-test2 \
       --user=admin-user \
       --kubeconfig=test.kubeconfig
     ```

   - PowerShell {#powershell}

     Run this command:

     ```shell script
     kubectl config set-context default `
       --cluster=sa-test2 `
       --user=admin-user `
       --kubeconfig=test.kubeconfig
     ```

   {% endlist %}

1. Use the configuration you created for further operations.

   {% list tabs group=programming_language %}

   - Bash {#bash}

     Run this command:

     ```bash
     kubectl config use-context default \
       --kubeconfig=test.kubeconfig
     ```

   - PowerShell {#powershell}

     Run this command:

     ```shell script
     kubectl config use-context default `
       --kubeconfig=test.kubeconfig
     ```

   {% endlist %}

## Check the result {#check-result}

Make sure the configuration is correct by running this command:

```bash
kubectl get namespace --kubeconfig=test.kubeconfig
```

Result:

```text
NAME     STATUS  AGE
default  Active  9d
```

The `test.kubeconfig` file enables you to connect to the cluster without the CLI, e.g., from continuous integration systems, as well as use the `kubectl config use-context` command to switch between clusters.

{% note warning %}

The static configuration file contains the `admin-user` token. Keep the file in a secret storage or encrypt it.

{% endnote %}
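
The check below is an added example, not part of the original guide: it audits a static configuration file offline and reports the file mode, the `ServiceAccount` the embedded token belongs to, and whether the token carries an expiry claim. The function names and the sample file are constructed for illustration, and the token is assumed to be a JWT, as Kubernetes issues for `ServiceAccount` secrets.

```bash
#!/usr/bin/env bash
# Added example: offline audit of a static kubeconfig such as test.kubeconfig.
# Function names and the sample file are constructed for illustration.

# Decode one base64url JWT segment ('-' and '_' alphabet, padding stripped).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Print the JSON claims of the first bearer token stored in the kubeconfig.
token_claims() {
  local token
  token=$(sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1)
  [ -n "$token" ] || return 1
  b64url_decode "$(printf '%s' "$token" | cut -d. -f2)"
}

# Print one finding per line: file mode, token identity, token lifetime.
audit_kubeconfig() {
  local file="$1" mode claims
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    [0-7]00) ;;  # only the owner can access the file
    *) echo "PERMS mode $mode: group or others can access the file" ;;
  esac
  claims=$(token_claims "$file") || { echo "NOTOKEN"; return 0; }
  echo "SUBJECT $(printf '%s' "$claims" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')"
  case "$claims" in
    *'"exp":'*) ;;
    *) echo "NOEXPIRY token has no exp claim and does not expire on its own" ;;
  esac
}

# Constructed sample: a kubeconfig whose token mimics a Secret-based
# ServiceAccount token (fake signature, not valid for any cluster).
make_sample() {
  local claims='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:admin-user"}'
  local seg
  seg=$(printf '%s' "$claims" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'users:\n- name: admin-user\n  user:\n    token: e30.%s.c2ln\n' "$seg" > "$1"
  chmod 644 "$1"
}
```

Run `audit_kubeconfig test.kubeconfig` after completing the steps above. A `NOEXPIRY` line means the token stays usable until its secret or `ServiceAccount` is deleted, so deleting them is how access granted by a leaked file is revoked.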