Configure PKS API Access
This topic describes how to configure access to the Pivotal Container Service (PKS) API. See PKS API Authentication for more information about how the PKS API and UAA interact with your PKS deployment.
To configure routing to the PKS API, perform the following steps:
Configure an external load balancer to forward traffic to the PKS API endpoint. For more information, see the Configure External Load Balancer section of Installing and Configuring PKS on GCP or vSphere.
Note: If your PKS installation is integrated with NSX-T, map the external load balancer to the DNAT IP address assigned in the Apply Changes and Retrieve the PKS Endpoint section of Installing and Configuring PKS with NSX-T Integration.
Locate your Ops Manager root CA certificate.
- If Ops Manager generated your certificate, refer to the Retrieve the Root CA Certificate section of Managing Non-Configurable TLS/SSL Certificates.
- If you provided your own certificate, copy and paste the certificate you entered in the PKS API page into a file.
Run uaac target UAA-URL --ca-cert ROOT-CA-FILENAME to target the UAA server. Replace UAA-URL with the URL of your UAA server and ROOT-CA-FILENAME with the certificate file you downloaded in a previous step. For example:
$ uaac target api.pks.example.com:8443 --ca-cert my-cert.cert
Run uaac token client get admin -s UAA-ADMIN-SECRET to request a token from the UAA server. Replace UAA-ADMIN-SECRET with your UAA admin secret. Refer to Ops Manager > Pivotal Container Service > Credentials > Uaa Admin Secret to retrieve this value.
Grant cluster access to new or existing users with UAA. See the Grant Cluster Access section of Managing Users in UAA for more information.
Run pks login -a UAA-URL -u USERNAME -p PASSWORD -k to log in to the PKS CLI. Replace UAA-URL with the URL of your UAA server, USERNAME with your username, and PASSWORD with your password. For example:
$ pks login -a api.pks.example.com -u alana -p my-password -k
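
A pre-flight check for the root CA file and UAA endpoint used in the steps above, as an added example that is not part of the PKS documentation: it confirms the file holds complete PEM certificate blocks and that the endpoint's TLS chain verifies against it before uaac target is run with --ca-cert. The function and script names are hypothetical, and the verification step assumes the openssl CLI and network access to the endpoint.

```shell
#!/bin/sh
# Added example, not from the PKS documentation. Function names are
# hypothetical; run as: sh preflight.sh api.pks.example.com:8443 my-cert.cert

# Normalise UAA-URL to HOST:PORT (scheme and path dropped, port required).
uaa_host_port() {
    hp=${1#*://}
    hp=${hp%%/*}
    case $hp in
        *:*[!0-9]*|*:) return 1 ;;   # non-numeric or empty port
        *:*) echo "$hp" ;;
        *) return 1 ;;               # no port given
    esac
}

# Print the number of complete PEM certificate blocks in FILE. Fails when the
# file is unreadable, holds no certificate, or has unbalanced BEGIN/END
# markers (a typical copy-and-paste truncation).
pem_cert_count() {
    [ -r "$1" ] || return 1
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -gt 0 ] && [ "$begin" -eq "$end" ] || return 1
    echo "$begin"
}

# Succeed only if the chain served at HOST:PORT verifies against CA_FILE and
# matches the host name. Needs the openssl CLI and network access.
endpoint_verifies() {
    openssl s_client -connect "$1" -servername "${1%%:*}" \
        -verify_hostname "${1%%:*}" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

main() {
    target=$(uaa_host_port "$1") || { echo "UAA-URL needs HOST:PORT" >&2; return 2; }
    n=$(pem_cert_count "$2") || { echo "$2: not a complete PEM file" >&2; return 2; }
    echo "$2: $n certificate(s)"
    if endpoint_verifies "$target" "$2"; then
        echo "$target: chain verifies against $2"
    else
        echo "$target: chain does NOT verify against $2" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```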