Version: 13.x (Current)

Runtime

Mia-Platform PaaS offering provides you with a managed Kubernetes runtime environment, customized to your specific needs, without the complexities of hosting and managing it yourself. Our runtime options help you to utilize the full potential of Kubernetes, whether through a shared cluster or a dedicated cluster exclusively for your organization.

Shared cluster

In a shared Kubernetes cluster configuration, multiple organizations share a single cluster while maintaining complete isolation and security. This option is ideal for those seeking a cost-effective solution, where resources are efficiently utilized across multiple projects. Our robust infrastructure and advanced resource management ensure smooth performance and a reliable experience for all tenants.
With this option you get access to, and ownership of, a set of namespaces dedicated exclusively to your applications.

Dedicated cluster

For organizations requiring enhanced control, customization, and resource isolation, our dedicated Kubernetes cluster offering is the perfect fit. With a dedicated cluster, you have exclusive access to all resources, ensuring optimal performance and security for your applications.

Accessing Kubernetes Clusters

This guide assists you in configuring kubectl to connect to your own Kubernetes cluster. Before you begin, ensure that the kubelogin plugin is installed. Here's how to install it based on your system:

Install kubelogin

# Homebrew (macOS and Linux)
brew install int128/kubelogin/kubelogin

# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login

# Chocolatey (Windows)
choco install kubelogin

kubectl configuration

To set up kubectl for connecting to your Kubernetes cluster, kindly request the following information from your designated Mia-Platform contact:

  • CLUSTER_NAME
  • CLIENT_ID
  • OIDC_ENDPOINT
  • OIDC_ISSUER_URL

Next, replace the placeholders in the script below with the provided values, and then execute the commands to apply the configuration:

cluster="<CLUSTER_NAME>"
client_id="<CLIENT_ID>"
endpoint="<OIDC_ENDPOINT>"
oidc_issuer_url="<OIDC_ISSUER_URL>"

echo "Setting login-$cluster credentials"
kubectl config set-credentials "login-$cluster" \
--exec-api-version=client.authentication.k8s.io/v1beta1 \
--exec-command=kubectl \
--exec-arg=oidc-login \
--exec-arg=get-token \
--exec-arg=--oidc-issuer-url="$oidc_issuer_url" \
--exec-arg=--oidc-client-id="$client_id" \
--exec-arg=--oidc-extra-scope=groups \
--exec-arg=--oidc-extra-scope=openid \
--exec-arg=--oidc-extra-scope=profile \
--exec-arg=--oidc-extra-scope=email \
--exec-arg=--oidc-extra-scope=offline_access

echo "Setting cluster $cluster"
kubectl config set-cluster "$cluster" --server="$endpoint"

echo "Setting context $cluster"
kubectl config set-context "$cluster" --cluster "$cluster" --user "login-$cluster"

Usage

Once configured, the new kube-contexts are available. View them with:

kubectl config get-contexts

To connect to a specific cluster, use the following command and proceed with kubectl as usual:

kubectl config use-context <CONTEXT_NAME>

On the first kubectl command, kubelogin opens a new browser tab to retrieve an OIDC token, which is stored in the kubectl cache folder and used for cluster authentication.

Troubleshooting

If you encounter issues, try deleting the OIDC token in .kube/cache/oidc-login/{token_hash} and retry the kubectl command. If the problem persists, seek assistance from our dedicated Mia-Platform PaaS support team.

Permissions

Mia-Platform PaaS provides two main roles for the runtime:

  • Developer: Developer users can view the majority of the Kubernetes resources (pods, services, deployments, events, logs, etc.) and exec/port-forward into pods using Kubernetes APIs.
  • Admin: Admin users can also edit, delete and create most of the Kubernetes resources using Kubernetes APIs.

Info: For shared Kubernetes clusters, the permissions mentioned above are restricted to the relevant namespaces.

Mia-Platform teams usually have Admin and Developer roles, depending on the environment in which they operate. External users, such as partners and customer teams, work with Developer permissions.

For the detailed Kubernetes permissions of each role, see the following table:

| Resources | Developer permissions | Admin permissions |
| --- | --- | --- |
| pods/exec | Create | Create |
| pods/portforward | Create | Create |
| pods.metrics.k8s.io | Get; List; Watch | Get; List; Watch |
| configmaps | Get; List; Watch | Get; List; Watch |
| events | Get; List; Watch | Get; List; Watch |
| limitranges | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| namespaces/status | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| namespaces | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| persistentvolumeclaims | Get; List; Watch | Get; List; Watch |
| pods/log | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| pods/proxy | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| pods/status | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| pods | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| resourcequotas/status | Get; List; Watch | Get; List; Watch |
| resourcequotas | Get; List; Watch | Get; List; Watch |
| services/proxy | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| services | Get; List; Watch | Get; List; Watch |
| challenges.acme.cert-manager.io | Get; List; Watch | Get; List; Watch |
| deamonset.apps | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| deployments.app/scale | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| deployments.apps | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| replicasets.apps/scale | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| replicasets.app | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| statefulsets.apps/scale | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| statefulsets.app | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| verticalpodautoscalers.autoscaling.k8s.io | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| horizontalpodautoscalers.autoscaling | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| cronjobs.batch | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| jobs.batch | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| certificates.cert-manager.io | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| sleepinfos.kube-green.com | Get; List; Watch | Update; Delete; Deletecollection; Patch; Get; List; Watch |
| podmonitors.monitoring.coreos.com | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| prometheusrules.monitoring.coreos.com | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| servicemonitors.monitoring.coreos.com | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| ingressroutes.traefik.containo.us | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| ingressroutetcps.traefik.containo.us | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| middlewares.traefik.containo.us | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| tlsoptions.traefik.containo.us | Get; List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
| secrets | List; Watch | Update; Delete; Create; Deletecollection; Patch; Get; List; Watch |
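
One way to confirm that a Developer binding behaves as the table says, given here as an added example and not as Mia-Platform tooling: the script asks the API server through kubectl auth can-i for a hand-picked subset of rows. The function names, the chosen rows and the namespace argument are assumptions, and the expected "no" answers assume that no other role is bound to the user.

```shell
#!/bin/sh
# Added example, not part of the Mia-Platform docs or tooling.
# Constructed subset of the Developer column above: "verb resource expected".
# The "no" rows assume the user holds no role other than Developer.
EXPECTED_DEVELOPER='create pods/exec yes
create pods/portforward yes
get pods yes
delete pods no
list secrets yes
get secrets no
get deployments.apps yes
patch deployments.apps no'

# can_i VERB RESOURCE NAMESPACE: prints "yes" or "no".
# kubectl auth can-i reads "pods/exec" as TYPE/NAME (a pod named "exec"),
# so a subresource has to be passed with --subresource instead.
can_i() {
  ns=$3
  case $2 in
    */*) set -- "$1" "${2%%/*}" "--subresource=${2#*/}" ;;
    *)   set -- "$1" "$2" ;;
  esac
  # --quiet suppresses output; the exit status carries the answer.
  # Any failure (expired token, unreachable API server) is reported as "no".
  if kubectl auth can-i "$@" --quiet --namespace "$ns" </dev/null >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# check_access NAMESPACE: prints one line per deviation, returns 1 if any.
check_access() {
  rc=0
  while read -r verb res want; do
    [ -n "$verb" ] || continue
    got=$(can_i "$verb" "$res" "$1")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $res expected=$want got=$got"
      rc=1
    fi
  done <<EOF
$EXPECTED_DEVELOPER
EOF
  return "$rc"
}

# Usage: check_access <YOUR_NAMESPACE>
```

A "no" for get on secrets does not make secret values unreadable to the role, because a list response carries the full Secret objects.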