Accessing Kubernetes Containers

You can use Kubectl or SSHD to access Kubernetes containers in HPE Ezmeral Runtime Enterprise deployments.

There are two ways to access Kubernetes containers:

SSHD

If the Kubernetes container is running the SSHD service, then you may use an SSH client to log in normally. The following considerations apply to this method:

  • Automatic LDAP/AD integration is not provided for Kubernetes containers. To SSH into a container, you must therefore know of a valid user account within that container and know the login password for that account.
  • The port for the SSHD service must be exposed through a Kubernetes service. For access from outside the Kubernetes cluster, this should be a NodePort service that is mapped to a port on a Gateway host. You can then use an external SSH client to connect to that port on the Gateway host.

Kubectl

Container access through the kubectl plugin authenticates against either an LDAP/AD directory server or SAML. To authenticate with the plugin:

  1. Verify that the computer you are using to access the container can reach the requisite ports described in Port Requirements and Kubernetes Port Requirements.
  2. Verify HTTP access to the Controller host by executing the following command:
    curl -k https://<gateway_ip_address>:8080/config
  3. Verify HTTP access to the ports required for the authenticating proxy by executing the following command:
    curl -k https://<gateway_ip_address>:9500/api\?timeout\=32s
  4. Verify that both kubectl and kubectl-hpecp are installed on the computer you are using to access the container, and that both are on its PATH. You may download both from the Kubernetes Dashboard screen of the web interface. See any of the following, as appropriate:
  5. Execute the following command, being sure to add the --insecure flag if the API is not protected by TLS.
    kubectl hpecp refresh <gateway_ip_address>
  6. When prompted, authenticate to the platform as instructed.
  7. If prompted, select the tenant or cluster that the current context should be in.
  8. Follow all printed instructions.

You may use the kubectl exec command to execute commands or open a shell inside the container.

  • kubectl must be set up to access the Kubernetes cluster with privileges that include the create verb on the pods/exec resource. A Kubernetes Cluster Administrator will typically have this privilege, but other users typically will not unless they have been granted it for a restricted list of pods. See Kubernetes Tenant RBAC.
  • For more details about using kubectl exec, see standard documentation such as https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/.
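
The restricted pods/exec grant described above can be expressed with a standard Kubernetes Role and RoleBinding. This is an added example, not taken from the HPE documentation; the namespace tenant-a, the pod app-0, the user alice@example.com and the object names are all hypothetical.

```yaml
# Added example: standard Kubernetes RBAC; every name below is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: exec-app-0
  namespace: tenant-a
rules:
  # kubectl exec reads the pod object before it opens the session,
  # so the user also needs get on that same pod.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["app-0"]
    verbs: ["get"]
  # The privilege described above: create on pods/exec,
  # limited to an explicit list of pod names.
  - apiGroups: [""]
    resources: ["pods/exec"]
    resourceNames: ["app-0"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exec-app-0-alice
  namespace: tenant-a
subjects:
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: exec-app-0
  apiGroup: rbac.authorization.k8s.io
```

Because resourceNames matches exact pod names, this suits pods with stable names such as StatefulSet members. Running `kubectl auth can-i create pods/app-0 --subresource=exec -n tenant-a --as alice@example.com` should answer yes for that pod and no for any other.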