Updated on 2025-11-06 GMT+08:00

Cluster Access Overview

Accessing a cluster means communicating with it and executing cluster management tasks. A CCE cluster is a distributed system consisting of multiple nodes. Resources in a cluster such as pods, Services, and Deployments need to be centrally managed and operated using various tools and methodologies. The process of accessing a cluster involves interacting with the cluster using tools such as kubectl, CloudShell, and X.509 certificates for resource creation, configuration, monitoring, and debugging.

Cluster Access Modes

You can select the access mode that best fits your scenario. The following table compares the available cluster access modes.

Table 1 Comparison between cluster access modes

Mode: Accessing a Cluster Using kubectl

Pros:
  • High flexibility and comprehensive functions
  • Automatic and batch operations

Cons:
  • Manual configuration of the local environment and credentials
  • Security that depends on credential management

Application scenario: This mode is intended for developers and O&M personnel for daily cluster management, such as resource creation, status monitoring, and debugging.

Mode: Accessing a Cluster Using CloudShell

Pros:
  • Rapid cluster access, with no need to configure the local environment
  • Integrated with the cloud platform, facilitating cross-service management

Cons:
  • Coupled with the cloud platform, allowing only online operations
  • Only command line operations are allowed. This is somewhat limited compared to local tools like kubectl.

Application scenario: This mode is suitable for scenarios where temporary access to a cluster is necessary, as it eliminates the need for local tool installation and configuration.

Mode: Accessing a Cluster Using an X.509 Certificate

Pros:
  • High security, preventing attacks
  • Enhanced identity authentication and data encryption

Cons:
  • Complex configuration that requires certificates, keys, and related permissions
  • Complex certificate management and updates

Application scenario: This mode is ideal for scenarios requiring secure service communication, identity authentication, and encryption.

Mode: Accessing a Cluster Using a Custom Domain Name

Pros:
  • Easy-to-remember domain name, facilitating cluster access

Cons:
  • Complex SAN configuration

Application scenario: This mode is designed for scenarios where a simple domain name instead of an IP address is used to access a cluster.

Mode: Configuring a Cluster's API Server for Internet Access

Pros:
  • Comprehensive remote access capabilities
  • Cross-region and global access

Cons:
  • Security measures such as firewalls, encryption, and authentication need to be taken to minimize the risk of attacks on the API server exposed to the Internet.
  • Affected by bandwidth and latency, especially in global access

Application scenario: This mode is ideal for managing clusters in cloud environments or across regions, particularly when access from multiple locations is required.

Revoking a Cluster Credential

CCE clusters allow you to revoke credentials. In multi-tenant scenarios, CCE generates a unique credential (such as a kubeconfig file or an X.509 certificate) for each user to access their designated cluster. These credentials contain user identity and authorization details to enable users to perform authorized operations while ensuring secure isolation and management. However, credentials typically have a fixed validity period. If an employee resigns or a credential is compromised, manual revocation is required to maintain cluster security. For details, see Revoking a Cluster Access Credential.
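Before deciding which credentials to revoke or reissue, it helps to know whose identity a kubeconfig file carries and when its certificate expires. The script below is an added example, not CCE tooling: it assumes the kubeconfig embeds its client certificate in the standard Kubernetes client-certificate-data field and that openssl and base64 are installed. The function names, the sample user, and the 30-day threshold are illustrative.

```shell
# Added example: report the identity and expiry of client certificates in a kubeconfig.
# With Kubernetes X.509 client authentication, subject CN is the user name and O the groups.

# audit_kubeconfig FILE [DAYS]
# Prints subject and notAfter for every embedded client certificate.
# Returns 1 if any certificate is expired or expires within DAYS (default 30).
audit_kubeconfig() {
  cfg="$1"; days="${2:-30}"; status=0
  for b64 in $(awk '$1 == "client-certificate-data:" { print $2 }' "$cfg"); do
    pem="$(printf '%s' "$b64" | base64 -d)" || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
    # -checkend exits non-zero when the certificate expires within the given seconds.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
      echo "WARNING: certificate in $cfg expires within $days days"
      status=1
    fi
  done
  return "$status"
}

# make_sample_kubeconfig FILE VALID_DAYS
# Builds a constructed kubeconfig with a self-signed certificate (not a real CCE credential).
make_sample_kubeconfig() {
  out="$1"; valid_days="$2"; tmp="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" -out "$tmp/crt.pem" \
    -days "$valid_days" -subj "/O=dev-team/CN=example-user" 2>/dev/null
  crt="$(base64 < "$tmp/crt.pem" | tr -d '\n')"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
users:
- name: example-user
  user:
    client-certificate-data: $crt
EOF
  rm -rf "$tmp"
}

# Run against a real file when one is passed on the command line.
if [ "$#" -gt 0 ]; then audit_kubeconfig "$@"; fi
```

The report only inventories credentials. Revoking one still follows the procedure in Revoking a Cluster Access Credential.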