Updated on 2025-05-09 GMT+08:00

Can I Use kubectl If the Cluster Management Permissions Are Not Configured?

IAM authentication is not required for running kubectl commands, so you can run kubectl commands without configuring cluster management (IAM) permissions. The prerequisite is that you have obtained a kubectl configuration file (kubeconfig) that carries the namespace permissions. In the following scenarios, information leakage may occur during file transmission.

  • Scenario 1

    An IAM user who has been configured with cluster management permissions and namespace permissions downloads the kubeconfig authentication file, and the cluster management permissions are then deleted while the namespace permissions are retained. kubectl can still be used to perform operations on Kubernetes clusters. To permanently delete the user's permissions, you must delete both the cluster management permissions and the namespace permissions of the user.

  • Scenario 2

    An IAM user has certain cluster management and namespace permissions and downloads the kubeconfig authentication file. CCE Autopilot determines which Kubernetes resources kubectl can access based on the user information. Because the user's authentication information is stored in the kubeconfig file itself, anyone who obtains the file can use it to access the cluster.
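
Because the kubeconfig file in Scenario 2 acts as a credential, it helps to check a copy before storing or transferring it. The script below is an added example, not part of the original documentation: it flags inline credentials and group/other file permissions. The function names and sample file are constructed, and the field names are the standard Kubernetes kubeconfig user fields (the page does not state which ones a CCE Autopilot file contains).

```shell
#!/bin/sh
# Added example: local check of a kubeconfig before it is stored or transferred.

# Write a CONSTRUCTED sample kubeconfig (placeholder values, no real cluster).
make_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: example-cluster
  cluster:
    server: https://cluster.example.invalid:5443
users:
- name: example-user
  user:
    client-certificate-data: PLACEHOLDER_BASE64_CERT
    client-key-data: PLACEHOLDER_BASE64_KEY
EOF
    chmod 644 "$1"   # deliberately loose so the permission check fires
}

# Print one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_kubeconfig() {
    akc_file="$1"; akc_findings=0
    [ -r "$akc_file" ] || { echo "ERROR: cannot read $akc_file"; return 2; }

    # Standard kubeconfig user fields that carry a secret inline.
    for akc_field in client-key-data token password; do
        if grep -Eq "^[[:space:]]*${akc_field}:[[:space:]]*[^[:space:]]" "$akc_file"; then
            echo "EMBEDDED_CREDENTIAL: ${akc_field}"
            akc_findings=$((akc_findings + 1))
        fi
    done

    # Characters 5-10 of the ls mode string are the group and other bits.
    akc_perms=$(ls -ld "$akc_file" | cut -c5-10)
    if [ "$akc_perms" != "------" ]; then
        echo "LOOSE_PERMISSIONS: group/other bits '${akc_perms}', expected owner-only (0600)"
        akc_findings=$((akc_findings + 1))
    fi

    [ "$akc_findings" -eq 0 ]
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample_kubeconfig "$sample"
audit_kubeconfig "$sample" || echo "Treat this file as a secret: restrict and avoid sharing it."
rm -f "$sample"
```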