Skip to content

Kubernetes quick start

This page is for people who are familiar with Kubernetes in general, and want to start using it as quickly as possible.

Danger

Kubernetes SIG Network and the Security Response Committee have announced the upcoming retirement of Ingress NGINX, the Ingress controller currently used in our Kubernetes infrastructure. Best-effort maintenance will continue until March 2026. We will evaluate alternative solutions and keep you informed about the migration timeline.

More information about the retirement.

Requesting access

To use the managed Kubernetes service, you need to request a namespace. Choose the method that matches your portal affiliation:

If you are a member of the minu.etais.ee portal, you can order the resource directly.

  1. Login to minu.etais.ee.
  2. Navigate to Marketplace -> Platform -> Kubernetes Namespace.
  3. Click Add resource.
  4. Select the organization and project you want the namespace to be created in.
  5. Specify the preferred name for the namespace as Allocation name (we cannot guarantee that the name will be accepted as-is).
  6. Give the resource a description if you wish.
  7. Click Create.

Info

After the Creation has been submitted then it needs approval from your Organization. When that is granted the namespace will be automatically created. You will see the Ready status once it is done.

If you are a member of the minu.riigipilv.ee portal, you can order the resource directly.

  1. Login to minu.riigipilv.ee.
  2. Navigate to Marketplace -> Platform -> Kubernetes Namespace.
  3. Click Add resource.
  4. Select the organization and project you want the namespace to be created in.
  5. Specify the preferred name for the namespace as Allocation name (we cannot guarantee that the name will be accepted as-is).
  6. Give the resource a description if you wish.
  7. Click Create.

Info

After the Creation has been submitted then it needs approval from your Organization. When that is granted the namespace will be automatically created. You will see the Ready status once it is done.

Submit a Kubernetes request on the UTHPC website. Alternatively, you can email your request to support@hpc.ut.ee .

Info

You will receive an email when the namespace is ready or if we have any additional questions.

Policies set access at the tenant/namespace level. This means that you get a namespace with access to that specific namespace, mostly with administrator permissions.

Using access

UTHPC uses a kubeconfig file to permit access to Kubernetes. The certificate and token are embedded inside the kubeconfig file. This means you need to have kubectl installed.

Kubernetes allows access via the MyAccessID authentication system. This is the easiest way to obtain access to the cluster, as everyone shares the same KUBECONFIG file.

Authenticating requires completing three steps:

  1. Install the kubelogin kubectl plugin. This is required to authenticate with MyAccessID.
  2. Add the shared KUBECONFIG file to your local computer (see below). If you place it at ~/.kube/config, it is automatically used for all kubectl commands.
  3. The first kubectl command you run will open a browser window where you can log in with your institution's credentials. Upon success, you'll have access to the cluster.

Use this configuration if you requested access via the ETAIS portal or via a manual request. Authentication is handled through the ETAIS Keycloak realm.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01Ea3hOVEV3TlRFek1Gb1hEVE13TURreE16RXdOVEV6TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkt5CnBtNy9BVmFPQStnT1BEQzBtekZ6d0pzRUw3ZkRMN0taR3R1Y3RycUJIR3JaL0MyZ2pJbEpwN2pCZ0FDU0E2eW4KNEhqNXk0UTdTN0s0R0JhbGNya3QrV2duMkwyckxKK0NUYXhiYmh4alczRDR6dEdtanhJTUFSeXRUV2xDL1ZtVAphTUtCZ3pmTFY5LzBPNUxtM1J4cEFMbm9MN1dUS3lyTmxGR29aSWUxbTVjK0JyenZmZjRKa2dmYWVucEw3Uk5CCjM5TDRvQ3NVdFNXeDZUVGNSN25JTHRiUXZZV0doYnE2UHRzS3BDcmxzMXlSazJDS1QwQUI5akFKMHhzakxkckgKZVZEOFROUFl1aEhBRVhLSVZUenVNUm92Q29DZVVnK002Nk9MNHpJem81aFZadFJJRWtkNi9wSTI1NmpsNVFDMQpJZW5KTDFpK2VwazJvQWpac1RNQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNRTRpQldSS0ptRTFaZEFJOTZGbXYzdWdSdkZNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFERXdBem0zd1BIcDcwcFhObHdzNmhTV2ZIRWQ1b1prOWlTSzFMTVhFNm4vZHBCQkhiagpMOUVyVlBnWXlpeFFzZFIwZEtKUEZYQlh5dDlERllPVzJqTzRRMUFBVks1U3RTMjk5K3lZUDBIS1ZrZU5STE40Cm1wbDE0Zy9xNW1mR05pRlIzVm93cmFoR3ZQc1R6bVhScTNMd1pHbFZFSXNRR2w5elhYaVZoV29FTllVN2JTa1IKM0FxS0dQc2VDTmRmTTE3TzVZTno0cUw4VDA1Q21zZ1V3dlUrSU5CdFFIcmxXQVhQN2wyR3h5NzBDdmlxUXh2Qgp2d3NaVkpkcXdJMEg0c3ZWNW5FbElLM2dGY2hsTWoxS2k2RTJORGJNRmY4aWNQc2kxTFo1dllHUnVDVEN2QmgrCnd4eVQwekxRd1A4STBiNWZ5V1V3WnBzMmErcVR3V2xxRVpjdgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://kubernetes.hpc.ut.ee:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: etais-user
  name: etais-user@kubernetes
current-context: etais-user@kubernetes
kind: Config
preferences: {}
users:
- name: etais-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.hpc.ut.ee/realms/ETAIS
      - --oidc-client-id=kubernetes.hpc.ut.ee
      - --oidc-pkce-method=auto
      command: kubectl
      env: null
      provideClusterInfo: false

Use this configuration if you requested access via the Riigipilv portal. Authentication is handled through the TARA Keycloak realm using PKCE.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01Ea3hOVEV3TlRFek1Gb1hEVE13TURreE16RXdOVEV6TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkt5CnBtNy9BVmFPQStnT1BEQzBtekZ6d0pzRUw3ZkRMN0taR3R1Y3RycUJIR3JaL0MyZ2pJbEpwN2pCZ0FDU0E2eW4KNEhqNXk0UTdTN0s0R0JhbGNya3QrV2duMkwyckxKK0NUYXhiYmh4alczRDR6dEdtanhJTUFSeXRUV2xDL1ZtVAphTUtCZ3pmTFY5LzBPNUxtM1J4cEFMbm9MN1dUS3lyTmxGR29aSWUxbTVjK0JyenZmZjRKa2dmYWVucEw3Uk5CCjM5TDRvQ3NVdFNXeDZUVGNSN25JTHRiUXZZV0doYnE2UHRzS3BDcmxzMXlSazJDS1QwQUI5akFKMHhzakxkckgKZVZEOFROUFl1aEhBRVhLSVZUenVNUm92Q29DZVVnK002Nk9MNHpJem81aFZadFJJRWtkNi9wSTI1NmpsNVFDMQpJZW5KTDFpK2VwazJvQWpac1RNQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNRTRpQldSS0ptRTFaZEFJOTZGbXYzdWdSdkZNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFERXdBem0zd1BIcDcwcFhObHdzNmhTV2ZIRWQ1b1prOWlTSzFMTVhFNm4vZHBCQkhiagpMOUVyVlBnWXlpeFFzZFIwZEtKUEZYQlh5dDlERllPVzJqTzRRMUFBVks1U3RTMjk5K3lZUDBIS1ZrZU5STE40Cm1wbDE0Zy9xNW1mR05pRlIzVm93cmFoR3ZQc1R6bVhScTNMd1pHbFZFSXNRR2w5elhYaVZoV29FTllVN2JTa1IKM0FxS0dQc2VDTmRmTTE3TzVZTno0cUw4VDA1Q21zZ1V3dlUrSU5CdFFIcmxXQVhQN2wyR3h5NzBDdmlxUXh2Qgp2d3NaVkpkcXdJMEg0c3ZWNW5FbElLM2dGY2hsTWoxS2k2RTJORGJNRmY4aWNQc2kxTFo1dllHUnVDVEN2QmgrCnd4eVQwekxRd1A4STBiNWZ5V1V3WnBzMmErcVR3V2xxRVpjdgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://kubernetes.hpc.ut.ee:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tara-user
  name: tara-user@kubernetes
current-context: tara-user@kubernetes
kind: Config
preferences: {}
users:
- name: tara-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.hpc.ut.ee/realms/TARA
      - --oidc-client-id=kubernetes.hpc.ut.ee
      - --oidc-pkce-method=S256
      command: kubectl
      env: null
      provideClusterInfo: false

Explore key concepts

For a deeper understanding of how to use the full potential of the Kubernetes environment, please explore the detailed concept guides. These guides provide explanations and examples into how the managed Kubernetes service is set up.

Available guides

  • Databases - Learn how to deploy and manage databases within the managed Kubernetes cluster.
  • Ingress - Discover how to set up and configure Ingress objects to manage external access to your applications.
  • Load Balancers - Understand the setup and usage of LoadBalancer service to manage external access to your applications.
  • Using storage - Learn how to keep data across Pod restarts, persistently.
  • GPU Usage - Explore how to utilize GPUs within the cluster for computing-intensive applications.
  • CI/CD Integration - Get insights into integrating continuous integration and continuous deployment pipelines with UTHPC Kubernetes infrastructure.

Each guide is designed to provide you with the knowledge needed to effectively use and manage the relevant Kubernetes resources. If you're missing some specific feature, feel free to ask HPC support. New operators and extra configurations can be added on request, if it does not negatively impact the cluster's security or usability.

Billing

[ALPHA]

Billing is still in [ALPHA] status, meaning it's not properly done. For now, Kubernetes billing works on agreement basis, but we are working towards implementing an understandable and transparent billing structure.