Obtaining a kubeconfig File

Huawei Cloud Clusters

1. Log in to the CCE console and click the cluster name to access the cluster console.
2. In the Connection Information area, click Configure next to kubectl.
3. Download the kubectl configuration file as prompted. (If the public IP address is changed, you need to download it again.)
4. Use the configuration file downloaded in 3 to connect to the cluster. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).

Third-Party Cloud Clusters

Different third-party cloud vendors have different kubeconfig file formats. You need to create a ServiceAccount that has the permission of all cluster resources and obtain the token of the ServiceAccount to configure the kubeconfig file supported by UCS.

1. Use kubectl to connect to the cluster.
2. Create the ucs-service-account.yaml file.

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: ucs-user
   ---
   apiVersion: v1
   kind: Secret
   metadata:
     name: ucs-user-token
     annotations:
       kubernetes.io/service-account.name: "ucs-user"
   type: kubernetes.io/service-account-token
   ---
   apiVersion: rbac.authorization.k8s.io/v1  
   kind: ClusterRole
   metadata:
     name: ucs-user-role
   rules:
   - apiGroups:
     - '*'
     resources:
     - '*'
     verbs:
     - '*'
   - nonResourceURLs:
     - '*'
     verbs:
     - get
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: ucs-user-role-binding
   subjects:
     - kind: ServiceAccount
       name: ucs-user
       namespace: default
   roleRef:
     kind: ClusterRole
     name: ucs-user-role
     apiGroup: rbac.authorization.k8s.io

3. Run the following command in the cluster to create a ServiceAccount:

   kubectl apply -f ucs-service-account.yaml

4. Run the following command to obtain the token:

   kubectl get secret ucs-user-token -n default -oyaml | grep token: | awk '{print $2}' | base64 -d ;echo

5. Configure the kubeconfig file.

   Create a kubeconfig.yaml file by referring to the following example and replace the token with the value obtained in 4.

   kubeconfig.yaml:

   kind: Config
   apiVersion: v1
   preferences: {}
   clusters:
     - name: internalCluster
       cluster:
         server: 'https://kubernetes.default.svc.cluster.local:443'
         insecure-skip-tls-verify: true
   users:
     - name: ucs-user
       user:
         token: 'MIIFbAYJKo*****'
   contexts:
     - name: internal
       context:
         cluster: internalCluster
         user: ucs-user
   current-context: internal

   The parameters in the kubeconfig file are described as follows:

   Parameter	Value	Description	Mandatory
   server	'https://kubernetes.default.svc.cluster.local:443'	Intra-cluster access address of the API server. Some vendors restrict cluster external access to the API server, so UCS may fail to connect to the cluster. You are advised to use the intra-cluster access address.	Yes
   insecure-skip-tls-verify	true	If this parameter is used, certificate authentication is skipped. The value must be true.	1 out of 2 NOTE: If the value of server is an intra-cluster access address, certificate authentication is preferentially skipped.
   certificate-authority-data	Base64-encrypted string	If this parameter is used, two-way authentication is enabled for the cluster. The value is the server certificate encrypted using Base64. The default path of the server certificate of a native Kubernetes cluster is /etc/kubernetes/pki/ca.crt on the master node.
   token	Base64-encrypted string	Token-based authentication. The value is the token obtained in 4.	1 out of 3 NOTE: Token-based authentication is recommended. UCS supports only the three authentication modes.
   client-certificate-data client-key-data	Base64-encrypted string	Certificate- and private key–based authentication. client-certificate-data: client certificate encrypted using Base64. client-key-data: client private key encrypted using Base64.
   username password	String	Username- and password-based authentication. username: username for accessing the cluster. password: password of the username.

6. Use the kubeconfig file configured in 5 to connect to the cluster. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).
   

   When using UCS, you cannot delete the ServiceAccount, ClusterRole, and ClusterRoleBinding. Otherwise, the token will be invalid.

   If the cluster is no longer connected to UCS, you can run the kubectl delete -f ucs-service-account.yaml command to delete the ServiceAccount.

Self-Managed Clusters

If your cluster is a standard cluster built using an official Kubernetes binary file or a deployment tool such as Kubeadm, you can perform the following steps to obtain the kubeconfig file.

The procedure does not apply to commercial clusters provided by cloud service vendors. For details about how to obtain the kubeconfig file of a commercial cluster, see Third-Party Cloud Clusters.

1. Log in to the master node of the cluster.
2. View the cluster access credential. By default, the kubeconfig file of a self-managed cluster is stored in $HOME/.kube/config on the master node. If another kubeconfig file is specified for your cluster, change the directory.

   cat $HOME/.kube/config

3. Copy the credential content.
4. Create a YAML file on your local PC, paste the credential content to the file, and save the file.
5. Use the YAML file created in 4 to connect to the cluster. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).