Using Customized kubectl

CCI provides a customized kubectl that allows you to create resources such as workloads by using kubectl commands.

Obtain the native kubectl by following the procedure provided in Using Native kubectl (Recommended). The customized kubectl will be unavailable soon.

Before using kubectl, ensure that you have been assigned the cci_admin role permissions. Otherwise, the message error: the server doesn't have a resource type "ns" is displayed when you run the kubectl get ns command. If this message is displayed, run the kubectl get ns -v=8 command to view detailed logs.

Supported kubectl Commands

kubectl provided by CCI is adapted from kubectl of the Kubernetes community. For kubectl commands supported by CCI, see CCI kubectl Commands. kubectl calls APIs to perform operations on CCI resources such as pods, Deployments, and jobs. The operable resources and operations that kubectl can perform are the same as those of CCI APIs.

Downloading kubectl

The latest version of the customized kubectl is v2.10.11.

On Linux, download the latest kubectl version from https://cci-kubectl.obs.cn-north-1.myhuaweicloud.com/kubectl-linux.zip.

On macOS, download the latest kubectl version from https://cci-kubectl-for-mac.obs.cn-north-1.myhuaweicloud.com/kubectl-darwin.zip.

Only the URL of the latest kubectl version is provided.

Table 1 kubectl versions

| Version | Change History |
|---|---|
| 2.10.11 (Latest) | This is the fifth official release, which incorporates the following changes: • Fixed the error in the kubectl rollout command output. • Added the kubectl config init command to support one-click kubectl configuration. |
| 2.4.20 | This is the fourth official release. Fixed an issue where a non-root user occasionally fails to use kubectl. |
| v2.4.2 | This is the third official release. Disabled the kubectl cp command to prevent Kubernetes security vulnerabilities. |
| v2.2.23 | This is the second official release. Issues fixed: • Fixed an issue where the kubectl exec command cannot be executed in AK/SK-based authentication. • Fixed an issue where AK/SK-based authentication occasionally fails when AK/SK content is read from a file. |
| v1.1.13 | This is the first official release. |

Configuring kubectl

Download and decompress the package to any directory without installation. The directory structure after the decompression is as follows:

kubectl
README.md

Run the following commands to add the kubectl directory to the PATH environment variable and grant the execute permission to kubectl. In the commands, /DIR/TO/KUBECTL indicates the directory where the kubectl file is located. Replace it with the actual directory.

export PATH=/DIR/TO/KUBECTL:$PATH

chmod +x /DIR/TO/KUBECTL/kubectl

Run the kubectl --help command to check supported commands and the resource scope. If the following information is displayed, kubectl can be used properly:

# kubectl --help
kubectl controls the Kubernetes cluster manager. 

Find more information at: https://kubernetes.io/docs/reference/kubectl/overview/

Basic Commands (Beginner):
  create        Create a resource from a file or from stdin.
  expose        Take a replication controller, service, deployment or pod and expose it as a new Kubernetes Service
  run           Run a particular image on the cluster
  set           Set specific features on objects

......

You can also run the kubectl version command to view the kubectl version.

# kubectl version
Client Version: v2.2.23, Build Date: 2019-02-23T10:28:53Z

Obtaining CCI Endpoints

Endpoints are displayed on the Regions and Endpoints page.

Using kubectl

  1. Configure the kubeconfig file.

    By default, the kubeconfig file is the config file in the ${HOME}/.kube directory. This file is used to store cluster access information, including the endpoint address and identity authentication information.

    Each time a kubectl command is executed, authentication is required. Currently, token-based and AK/SK-based authentication modes are supported. You can select one mode.

    • Token-based authentication: The validity period of a token is 24 hours. For details about how to obtain a token, see Obtaining a Token.

      kubectl config init --server=https://CCI_ENDPOINT --token=$token

      In the preceding command, CCI_ENDPOINT is an endpoint of CCI and $token is the obtained token.

      For details about IAM endpoints, see Regions and Endpoints. Note that the endpoint must be in the same region as CCI.

      For example, if the endpoint is https://cci.cn-north-1.myhuaweicloud.com and the token is MIIEYwYJKoZIhvcNAQc..., run the following command:

      kubectl config init --server=https://cci.cn-north-1.myhuaweicloud.com --token=MIIEYwYJKoZIhvcNAQc...
    • AK/SK-based authentication: AK/SK is valid for a long period. For details about how to obtain AK/SK, see Obtaining an AK/SK.
      AK/SK-based authentication can be implemented by using either of the following methods:
      • Run the following command with the access key and secret key specified:

        kubectl config init --server=https://CCI_ENDPOINT --auth-provider=hws --auth-provider-arg=ak=$ak --auth-provider-arg=sk=$sk

        In the preceding command, CCI_ENDPOINT is an endpoint of CCI, $ak is the access key, and $sk is the secret key.

        For example, if the endpoint is https://cci.cn-north-1.myhuaweicloud.com, the AK is ABCDEFAK.., and the SK is ABCDEFSK.., run the following command:

        kubectl config init --server=https://cci.cn-north-1.myhuaweicloud.com --auth-provider=hws --auth-provider-arg=ak=ABCDEFAK.. --auth-provider-arg=sk=ABCDEFSK..
      • Run the following command with the AK and SK file directory specified:

        kubectl config init --server=https://CCI_ENDPOINT --auth-provider=hws --auth-provider-arg=akskDir=$akskDir

        In the preceding command, CCI_ENDPOINT is an endpoint of CCI and $akskDir is the directory where the AK and SK files are stored. If this method is used, you need to save the AK and SK to the ak and sk files, respectively, and save the two files in the directory specified by $akskDir in advance.

        For example, if the ak and sk files are stored in the /home/aksk directory, run the following command:

        kubectl config init --server=https://cci.cn-north-1.myhuaweicloud.com --auth-provider=hws --auth-provider-arg=akskDir=/home/aksk

        The kubectl config init command completes the operations performed by running the four commands: kubectl config set-cluster, kubectl config set-credentials, kubectl config set-context, and kubectl config set current-context. If custom configuration is required, see kubectl config Command Reference.

  2. After the kubeconfig file is configured, you can run kubectl commands to perform operations on CCI resources.

    For example, run the kubectl get namespace command to view resources.

    # kubectl get namespace
    No resources found.

    The command output shows that there is no namespace. Before creating resources in CCI, create a namespace by following the procedure described in Namespace and Network.

    If a message indicating a certificate authentication failure is displayed when you run a kubectl command, add --insecure-skip-tls-verify=true to the command. However, with this setting the kubectl client does not check the validity of the server certificate, which makes your HTTPS connection insecure.
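The AK/SK is long-lived, and values passed as command-line arguments end up in shell history and process listings, so the akskDir method is worth preparing with owner-only permissions. The following is an added example, not part of the original CCI documentation; the function names and the permission policy are assumptions, while the kubectl flags are the ones shown above.

```shell
#!/bin/sh
# Added example: lock down an akskDir before handing it to
#   kubectl config init ... --auth-provider-arg=akskDir=DIR
# Function names are illustrative; they are not part of the CCI kubectl.

# owner_only PATH: succeed only if group and others have no permission bits.
owner_only() {
    # ls -ld prints a mode such as "-rw-------"; columns 5-10 are group+other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# harden_aksk_dir DIR: restrict the directory and both key files to the owner.
harden_aksk_dir() {
    chmod 700 "$1" && chmod 600 "$1/ak" "$1/sk"
}

# check_aksk_dir DIR: return 0 only if DIR, DIR/ak and DIR/sk exist, the files
# are non-empty, and none of them is accessible to group or others.
check_aksk_dir() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 1; }
    owner_only "$1" || { echo "too permissive: $1" >&2; return 1; }
    for f in ak sk; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
        owner_only "$1/$f" || { echo "too permissive: $1/$f" >&2; return 1; }
    done
}

# cci_init_aksk ENDPOINT DIR: run the page's akskDir command only after the
# check passes, then restrict the kubeconfig, which stores access information.
cci_init_aksk() {
    check_aksk_dir "$2" || return 1
    kubectl config init --server="https://$1" \
        --auth-provider=hws --auth-provider-arg=akskDir="$2" || return 1
    chmod 600 "${HOME}/.kube/config"
}
```

For example, run harden_aksk_dir /home/aksk once after saving the ak and sk files, then cci_init_aksk cci.cn-north-1.myhuaweicloud.com /home/aksk.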

Obtaining a Token

Send a POST request to https://IAM endpoint/v3/auth/tokens. For details, see IAM API Reference.

For details about IAM endpoints, see Regions and Endpoints. Note that the endpoint must be in the same region as CCI.

An example request is as follows:
{
  "auth": {
    "identity": {
      "methods": [
        "password"
      ],
      "password": {
        "user": {
          "name": "username",
          "password": "******",
          "domain": {
            "name": "domainname"
          }
        }
      }
    },
    "scope": {
      "project": {
        "name": "cn-north-1"
      }
    }
  }
}

After a response is returned, the value of X-Subject-Token in the response header is the token value.
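The request and header extraction described above can be scripted so that the password is prompted for without echo and reaches curl on standard input rather than on the command line. This is an added example, not part of the original CCI documentation; the function names are assumptions, and IAM_ENDPOINT stands for the IAM endpoint of your region.

```shell
#!/bin/sh
# Added example: obtain an IAM token without putting the password in argv.
# Function names are illustrative; endpoint and field names are the page's.

# json_escape STRING: escape backslashes and double quotes for a JSON string
# (control characters are not handled in this sketch).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# token_body USER PASSWORD DOMAIN PROJECT: build the request body shown above.
token_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","password":"%s","domain":{"name":"%s"}}}},"scope":{"project":{"name":"%s"}}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" \
        "$(json_escape "$3")" "$(json_escape "$4")"
}

# extract_subject_token: read response headers on stdin and print the value of
# X-Subject-Token. Header names are matched case-insensitively and the CR of
# each CRLF line ending is dropped. Returns 1 if the header is absent.
extract_subject_token() {
    tr -d '\r' | awk '
        tolower($0) ~ /^x-subject-token:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# get_token IAM_ENDPOINT USER DOMAIN PROJECT: prompt for the password without
# echo, send the body to curl on stdin, and print the token on stdout.
get_token() {
    printf 'IAM password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    token_body "$2" "$pw" "$3" "$4" |
        curl -sS -X POST -o /dev/null -D - \
             -H 'Content-Type: application/json' --data @- \
             "https://$1/v3/auth/tokens" | extract_subject_token
}
```

The printed token can then be supplied to kubectl config init --server=https://CCI_ENDPOINT --token=... as described in Using kubectl.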

Obtaining an AK/SK

AK: access key ID. It is a unique ID associated with an SK. AK is used together with SK to sign requests.

SK: secret access key. It is used together with an AK to sign requests. They can identify request senders and prevent requests from being modified.

  1. Log in to the management console.
  2. Click the username and choose My Credentials from the drop-down list.
  3. Choose Access Keys from the navigation pane.
  4. Click Create Access Key, and enter the verification code.
  5. Click OK to generate an access key and download it.

    Keep the AK/SK file confidential to prevent information leakage.