Kubernetes Web Terminal
The Kubernetes Web Terminal includes the HPE Kubectl plug-in, Helm, and access to the Kubernetes tenant FS mounts. Kubernetes Web Terminal is not available in HPE Ezmeral Runtime Enterprise Essentials. Privileges to execute commands are granted according to the user role.
Accessing the Kubernetes Web Terminal
To access the Kubernetes Web Terminal:
- Log in to the web interface, and then navigate to the appropriate Kubernetes cluster or tenant according to your credentials and role (Member, Tenant Administrator, or Cluster Administrator.)
-
Click the green Initialize button that appears at the bottom of most Kubernetes screens within the web interface.
The screen displays the message: Waiting for terminal to be ready or Connecting to the terminal and the green Initialize button is replaced by a red Terminate button.
If this is the first time you are accessing the Web Terminal, it takes a few minutes for the Web Terminal to be ready because HPE Ezmeral Runtime Enterprise must launch a new webterm service pod.
- Once the Web Terminal is ready, click the Launch icon (plus sign) to launch the terminal window.
The Kubernetes Web Terminal enables CLI command execution, but it does not
implement a fully functional terminal. For example, using the
vi command to edit a file might only show a partial file if
it is a large file. You can enlarge the screen and use the small font option
(default is Regular) to see fit more lines in the window.
However, it might not be possible to see the entire file if it is large. To work
around this issue, you can do one of the following:
- Execute the
cat/morecommand to view the file. - Edit the file on your local machine and then upload it using an FS mount.
The Web Terminal environment includes Kubectl, and the appropriate kubeconfig is configured. This configuration behaves in the same way as a locally downloaded config, as described in Role Privileges. You should never need to manually refresh or recreate the kubeconfig.
This example shows the kubectl config view command. In this example,
the Member user does not have the ability to execute the command kubectl get
namespaces.
k8suser@kd-977sb-0:~$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://mip.storage.enterprise.net:9500
name: clust1
contexts:
- context:
cluster: clust1
namespace: hpecp-tenant-4-gtx9s
user: hpecp-admin
name: clust1-eng-tenant-admin
current-context: clust1-eng-tenant-admin
kind: Config
preferences: {}
users:
- name: hpecp-admin
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- epic
- authenticate
- mip-bd-vm38.mip.storage.enterprise.net:8080
- --hpecp-user=admin
- --hpecp-token=/api/v2/session/37391bb6-fac9-44a0-ae08-cf0806bd54bf
- --hpecp-token-expiry=1574976938
- --insecure=true
command: kubectl
env: null
k8suser@kd-977sb-0:~$ kubectl get namespaces
error: You must be logged in to the server (Unauthorized)
Kubernetes Role Privileges
Users who perform Kubernetes API operations in a namespace through the built-in authentication proxy (see Kubernetes Physical Architecture), will have privileges in that namespace as granted by the role they have (if any) in the corresponding Kubernetes cluster or tenant. If the user has a Platform Administrator role or a Kubernetes Cluster Administrator role in the current cluster, then that user has those access rights regardless of any explicit tenant role assignments that user may also have.
The following screens show the Kubernetes ACLs for Kubernetes Member and Kubernetes Tenant Administrator users.
# kubectl describe role hpecp-tenant-4-member-99zrv -n my-tenant-namespace Name: hpecp-tenant-4-member-99zrv Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- configmaps [] [] [*] endpoints [] [] [*] events [] [] [*] namespaces [] [] [*] persistentvolumeclaims [] [] [*] pods/exec [] [] [*] pods/logs [] [] [*] pods [] [] [*] resourcequotas [] [] [*] secrets [] [] [*] services [] [] [*] daemonsets.apps [] [] [*] deployments.apps [] [] [*] replicasets.apps [] [] [*] statefulsets.apps [] [] [*] networkpolicies.networking.k8s.io [] [] [*] rolebindings.rbac.authorization.k8s.io [] [] [*] roles.rbac.authorization.k8s.io [] [] [*] storageclasses.storage.k8s.io [] [] [*] kubedirectorclusters.kubedirector.bluedata.io [] [] [create update delete get list watch] hpecpfsmounts.hpecp.hpe.com [] [] [get list watch] hpecptenants.hpecp.hpe.com [] [] [get list watch] kubedirectorapps.kubedirector.bluedata.io [] [] [get list watch] poddisruptionbudgets.policy/status [] [] [get list watch] poddisruptionbudgets.policy [] [] [get list watch] # kubectl describe role hpecp-tenant-4-admin-g8vtg -n my-tenant-namespace Name: hpecp-tenant-4-admin-g8vtg Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- configmaps [] [] [*] endpoints [] [] [*] events [] [] [*] namespaces [] [] [*] persistentvolumeclaims [] [] [*] pods/exec [] [] [*] pods/logs [] [] [*] pods [] [] [*] resourcequotas [] [] [*] secrets [] [] [*] serviceaccounts [] [] [*] services [] [] [*] daemonsets.apps [] [] [*] deployments.apps [] [] [*] replicasets.apps [] [] [*] statefulsets.apps [] [] [*] networkpolicies.networking.k8s.io [] [] [*] poddisruptionbudgets.policy/status [] [] [*] poddisruptionbudgets.policy [] [] [*] rolebindings.rbac.authorization.k8s.io [] [] [*] roles.rbac.authorization.k8s.io [] [] [*] storageclasses.storage.k8s.io [] [] [*] hpecpfsmounts.hpecp.hpe.com [] [] [get list watch create update delete] hpecptenants.hpecp.hpe.com [] [] [get list watch create update delete] kubedirectorapps.kubedirector.bluedata.io [] [] [get list watch create update delete] kubedirectorclusters.kubedirector.bluedata.io [] [] [get list watch create update delete]