Connecting to a Cluster Using kubectl
Scenario
This section uses a CCE cluster as an example to describe how to connect to a CCE cluster using kubectl or CloudShell.
Permission Description
When you access a cluster using kubectl, CCE uses the kubeconfig.json file generated on the cluster for authentication. This file contains user information, based on which CCE determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a kubeconfig.json file vary from user to user.
For details about user permissions, see Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based).
When using kubectl in CloudShell, the kubectl permissions are determined by the user that logs in.
Using CloudShell
CloudShell is a web shell used to manage and maintain cloud resources. CCE allows you to use CloudShell to connect to clusters and use kubectl in CloudShell to access clusters.
The kubectl certificate in CloudShell is valid for one day. You can reset the validity period by accessing CloudShell from the CCE console.
CloudShell is implemented based on VPCEP. To use kubectl from CloudShell to access a cluster, the security group on the master node of the cluster (named in the form {Cluster name}-cce-control-{Random number}) must allow the following CIDR blocks to access port 5443. By default, port 5443 allows access from all CIDR blocks. If you have hardened the security groups and a cluster cannot be accessed from CloudShell, check whether port 5443 allows access from the following CIDR blocks:
- 198.19.128.0/20
- 198.19.160.0/20
- 198.19.176.0/20
CloudShell can be used only after CoreDNS is installed in a cluster.
Using kubectl
Background
To connect a client to a Kubernetes cluster, you can use kubectl. For details, see Install Tools.
Prerequisites
- VPC internal access: Clusters in the same VPC can access each other.
- Public network access: You need to prepare an ECS that can connect to a public network.
If public network access is used, the kube-apiserver of the cluster is exposed to the public network and therefore to attack. You are advised to configure Advanced Anti-DDoS for the EIP of the node where the kube-apiserver is located.
Downloading kubectl
You need to download kubectl and the cluster configuration file, copy the file to your client, and configure kubectl. After the configuration is complete, you can use kubectl to access your Kubernetes clusters.
Go to the Kubernetes release page to download kubectl corresponding to the cluster version or a later version.
Installing and configuring kubectl
- Log in to the CCE console, click Resource Management > Clusters, and choose Command Line Tool > Kubectl under the cluster to be connected.
- On the Kubectl tab page of the cluster details page, connect to the cluster as prompted.
- You can download the kubectl configuration file (kubeconfig.json) on the Kubectl tab page. This file is used for cluster authentication and carries the user's credentials, so keep it confidential: if the file is leaked, anyone holding it can access your clusters with the permissions it grants.
- If two-way authentication is enabled for the current cluster and an EIP has been bound to the cluster, and authentication fails with an x509 error (x509: certificate is valid), bind the EIP and download the kubeconfig.json file again.
- The Kubernetes permissions carried by a configuration file downloaded by an IAM user are the same as those assigned to that IAM user on the CCE console.
- Download the client file when downloading kubectl.
- If the KUBECONFIG environment variable is set in the Linux OS, kubectl loads the file (or files) named by KUBECONFIG instead of $HOME/.kube/config.
Figure 3 Connecting to a Kubernetes cluster using kubectl
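The two points above that matter most in practice are that kubeconfig.json holds the credentials for the cluster and that kubectl honours KUBECONFIG before $HOME/.kube/config. As an added example that is not part of the CCE documentation, the following POSIX shell functions install a downloaded kubeconfig.json with owner-only permissions, verify that mode, and report which file kubectl will load; the directory, file names and sample file content are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CCE documentation). Installs a downloaded
# kubeconfig.json with owner-only permissions, since the file carries the
# cluster credentials, and reports which file kubectl will actually load.

# install_kubeconfig SRC DEST
# Copies SRC to DEST (creating the parent directory), then restricts the
# directory to 0700 and the file to 0600.
install_kubeconfig() {
    src=$1
    dest=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    chmod 700 "$(dirname "$dest")"
    cp "$src" "$dest"
    chmod 600 "$dest"
}

# effective_kubeconfig
# kubectl reads KUBECONFIG first (a colon-separated list of files, merged in
# order) and falls back to $HOME/.kube/config only when it is unset or empty.
effective_kubeconfig() {
    if [ -n "${KUBECONFIG:-}" ]; then
        printf '%s\n' "$KUBECONFIG"
    else
        printf '%s\n' "$HOME/.kube/config"
    fi
}

# file_mode FILE: prints the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_kubeconfig_mode FILE: succeeds only if nobody but the owner can read it.
check_kubeconfig_mode() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Demonstration with a constructed kubeconfig in a temporary directory
# (a real kubeconfig.json comes from the Kubectl tab page of the cluster).
demo_home=$(mktemp -d)
printf '{"apiVersion": "v1", "kind": "Config"}\n' > "$demo_home/kubeconfig.json"
install_kubeconfig "$demo_home/kubeconfig.json" "$demo_home/.kube/config"
check_kubeconfig_mode "$demo_home/.kube/config" \
    && echo "kubeconfig installed with mode $(file_mode "$demo_home/.kube/config")"
(HOME=$demo_home; unset KUBECONFIG; echo "kubectl would load: $(effective_kubeconfig)")
```

The mode check is deliberately strict: a kubeconfig readable by other local users is as good as leaked, so a 644 file is reported as a failure rather than silently accepted.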
Calling Kubernetes Native APIs Through the API Server
You can use the API server of a Kubernetes cluster to call Kubernetes native APIs.
- Log in to the CCE console. In the navigation pane, choose Resource Management > Clusters. Choose More > Download X.509 Certificate for the cluster whose APIs you want to call.

Download the following certificates:
- ca.crt
- client.crt
- client.key
- On the cluster details page, obtain the API server address, as shown in the following figure.

With the certificates and API server address, you can call Kubernetes native APIs.
For example, to call the API that lists the pods in the default namespace with curl, present the client certificate and key, and pass ca.crt so that curl verifies the API server's certificate:
curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://192.168.0.198:5443/api/v1/namespaces/default/pods/
Common Issue (Error from server Forbidden)
When you use kubectl to create or query Kubernetes resources, the following output is returned:
# kubectl get deploy
Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "deployments" in API group "apps" in the namespace "default"
The cause is that the user does not have the permissions to operate the Kubernetes resources. For details about how to assign permissions, see Namespace Permissions (Kubernetes RBAC-based).
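The Forbidden message has a fixed shape that names the user, the verb, the resource, the API group and the namespace that RBAC denied, which is exactly the information needed to write a minimal permission. As an added example that is not taken from the CCE documentation, the following POSIX shell script parses such a message and drafts the narrowest namespace-scoped Role and RoleBinding that would permit just that request. The Role and RoleBinding names are placeholders chosen here, the script refuses cluster-scoped denials rather than drafting a ClusterRole, and any draft should be reviewed against Namespace Permissions (Kubernetes RBAC-based) before it is applied with kubectl apply.

```shell
#!/bin/sh
# Added example (not from the CCE documentation). Parses the Forbidden
# message kubectl prints when RBAC denies a request and drafts the narrowest
# Role and RoleBinding that would allow exactly that request.

# parse_forbidden MESSAGE
# Extracts user, verb, resource, API group and namespace from a message of the
# form: User "<u>" cannot <verb> resource "<res>" in API group "<g>" in the
# namespace "<ns>". Prints one key=value pair per line; namespace is empty for
# a cluster-scoped denial ("at the cluster scope").
parse_forbidden() {
    msg=$1
    printf 'user=%s\n'      "$(printf '%s\n' "$msg" | sed -n 's/.*User "\([^"]*\)".*/\1/p')"
    printf 'verb=%s\n'      "$(printf '%s\n' "$msg" | sed -n 's/.*cannot \([a-z]*\) resource.*/\1/p')"
    printf 'resource=%s\n'  "$(printf '%s\n' "$msg" | sed -n 's/.*cannot [a-z]* resource "\([^"]*\)".*/\1/p')"
    printf 'group=%s\n'     "$(printf '%s\n' "$msg" | sed -n 's/.*in API group "\([^"]*\)".*/\1/p')"
    printf 'namespace=%s\n' "$(printf '%s\n' "$msg" | sed -n 's/.*in the namespace "\([^"]*\)".*/\1/p')"
}

# field KEY: reads parse_forbidden output on stdin and prints the value of KEY.
field() { sed -n "s/^$1=//p"; }

# role_manifest USER VERB RESOURCE GROUP NAMESPACE
# Emits a Role limited to one verb on one resource plus a RoleBinding for the
# user. The core API group is written as "" as Kubernetes expects.
role_manifest() {
    user=$1; verb=$2; resource=$3; group=$4; ns=$5
    name=$(printf 'allow-%s-%s' "$verb" "$resource" | tr '/' '-')   # placeholder name
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${name}
  namespace: ${ns}
rules:
- apiGroups: ["${group}"]
  resources: ["${resource}"]
  verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${name}-binding
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${name}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# draft_fix MESSAGE: parses the message and prints the manifest. Cluster-scoped
# denials are refused: they need a ClusterRole and a deliberate decision.
draft_fix() {
    parsed=$(parse_forbidden "$1")
    ns=$(printf '%s\n' "$parsed" | field namespace)
    [ -n "$ns" ] || { echo "cluster-scoped denial; not drafting a ClusterRole" >&2; return 1; }
    role_manifest "$(printf '%s\n' "$parsed" | field user)" \
                  "$(printf '%s\n' "$parsed" | field verb)" \
                  "$(printf '%s\n' "$parsed" | field resource)" \
                  "$(printf '%s\n' "$parsed" | field group)" "$ns"
}

# Constructed sample: the message quoted on this page.
SAMPLE='Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "deployments" in API group "apps" in the namespace "default"'
draft_fix "$SAMPLE"
```

The draft grants only the one verb on the one resource in the one namespace that was denied; if the user turns out to need more, widen the rules deliberately rather than binding a broad built-in role such as admin.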
Related Operations
After connecting to the cluster, you can use kubectl to manage workloads. For details, see kubectl Usage Guide.