Set up an external client

Many times you need to access a service from outside the cluster. For example, you may want to access Rok, which is running in a cluster, from your laptop.

To do this, you need to:

  1. Create an identity: We are using Kubernetes ServiceAccounts for this. We will create a new ServiceAccount and use its token for the external client. ServiceAccounts are essentially device or machine identities.
  2. Authorize the identity: We are creating RoleBindings to grant permissions to the ServiceAccount.

Step 1: Create an identity

  1. Connect to a Notebook Server

  2. Download this helper script:

    $ wget <download_root>/
  3. Run it to create a new ServiceAccount and retrieve a long-lived token for it:

    $ python3
  4. The script has stored the token in a file. You need to move this file to the device which will use it. For example, download it to your laptop.

Step 2: Authorize the identity

Now that you have created an identity, you need to authorize it to be able to perform actions.


You have to run this for each namespace you want this ServiceAccount to have access to.

  1. Choose a role and a namespace in which you will grant it permissions.


    Role can be one of view, edit, and admin

  2. Connect to a Notebook Server in that namespace and download this helper script:

    $ wget <download_root>/
  3. Run the script and follow the onscreen instructions providing the ServiceAccount name, the namespace it belongs to, and the desired role for this namespace:

    $ python3

Once you have successfully completed these steps, you are ready to use the token with your external client.

Depending on the application, there may be different ways to use the token. This token should be used by the client to create short-lived tokens, which are then used to access the desired API. The individual application client (e.g., the KFP Python client) will usually perform this procedure transparently.

Navigate to the following links for application-specific information: