Updated on 2024-11-12 GMT+08:00

Obtaining a kubeconfig File

A kubeconfig file contains the authentication credentials and endpoint (access address) required for accessing a Kubernetes cluster when used in conjunction with kubectl or other clients. For details, see the Kubernetes documentation.

This section describes how to obtain the kubeconfig file of a cluster. Different cluster providers have different kubeconfig file formats. Perform operations based on your cluster.

The kubeconfig file contains cluster authentication information. If this file is leaked, your clusters may be attacked. Keep it secure.

Huawei Cloud Clusters

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the Connection Information area, click Configure next to kubectl.
  3. Download the kubectl configuration file as prompted. (If the public IP address is changed, you need to download it again.)
  4. Use the configuration file downloaded in step 3 to connect to the cluster. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).

Third-Party Cloud Clusters

Different third-party cloud vendors have different kubeconfig file formats. You need to create a ServiceAccount that has permissions on all cluster resources and obtain the token of that ServiceAccount to configure a kubeconfig file supported by UCS.

  1. Use kubectl to connect to the cluster.
  2. Create the ucs-service-account.yaml file.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ucs-user
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: ucs-user-token
      annotations:
        kubernetes.io/service-account.name: "ucs-user"
    type: kubernetes.io/service-account-token
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ucs-user-role
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ucs-user-role-binding
    subjects:
      - kind: ServiceAccount
        name: ucs-user
        namespace: default
    roleRef:
      kind: ClusterRole
      name: ucs-user-role
      apiGroup: rbac.authorization.k8s.io

  3. Run the following command in the cluster to create a ServiceAccount:

    kubectl apply -f ucs-service-account.yaml

  4. Run the following command to obtain the token:

    kubectl get secret ucs-user-token -n default -oyaml | grep token: | awk '{print $2}' | base64 -d ;echo

  5. Configure the kubeconfig file.

    Create a kubeconfig.yaml file by referring to the following example and replace the token with the value obtained in step 4.

    kubeconfig.yaml:

    kind: Config
    apiVersion: v1
    preferences: {}
    clusters:
      - name: internalCluster
        cluster:
          server: 'https://kubernetes.default.svc.cluster.local:443'
          insecure-skip-tls-verify: true
    users:
      - name: ucs-user
        user:
          token: 'MIIFbAYJKo*****'
    contexts:
      - name: internal
        context:
          cluster: internalCluster
          user: ucs-user
    current-context: internal

    The parameters in the kubeconfig file are described as follows (Mandatory indicates whether the parameter is required):

    • server
      Value: 'https://kubernetes.default.svc.cluster.local:443'
      Description: Intra-cluster access address of the API server. Some vendors restrict external access to the API server, so UCS may fail to connect to the cluster. You are advised to use the intra-cluster access address.
      Mandatory: Yes

    • insecure-skip-tls-verify
      Value: true
      Description: If this parameter is used, certificate verification is skipped. The value must be true.
      Mandatory: One of the two (insecure-skip-tls-verify or certificate-authority-data)
      NOTE: If the value of server is an intra-cluster access address, skipping certificate verification is preferred.

    • certificate-authority-data
      Value: Base64-encoded string
      Description: If this parameter is used, two-way authentication is enabled for the cluster. The value is the server certificate encoded using Base64. The default path of the server certificate of a native Kubernetes cluster is /etc/kubernetes/pki/ca.crt on the master node.
      Mandatory: One of the two (insecure-skip-tls-verify or certificate-authority-data)

    • token
      Value: Base64-encoded string
      Description: Token-based authentication. The value is the token obtained in step 4.
      Mandatory: One of the three (token; client-certificate-data and client-key-data; or username and password)
      NOTE: Token-based authentication is recommended. UCS supports only these three authentication modes.

    • client-certificate-data and client-key-data
      Value: Base64-encoded strings
      Description: Certificate- and private key-based authentication. client-certificate-data is the client certificate encoded using Base64; client-key-data is the client private key encoded using Base64.
      Mandatory: One of the three (see token)

    • username and password
      Value: Strings
      Description: Username- and password-based authentication. username is the username for accessing the cluster; password is the password of that user.
      Mandatory: One of the three (see token)

  6. Use the kubeconfig file configured in step 5 to connect the cluster to UCS. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).

    When using UCS, you cannot delete the ServiceAccount, ClusterRole, and ClusterRoleBinding. Otherwise, the token will be invalid.

    If the cluster is no longer connected to UCS, you can run the kubectl delete -f ucs-service-account.yaml command to delete the ServiceAccount.

    If the server address in the kubeconfig.yaml file of the cluster is changed to the API server address of the cluster, the cluster cannot be connected to UCS. For details, see What Can I Do If an Attached Cluster Fails to Be Connected? - Check Item 3: kube-apiserver.
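As an added example (not code from the UCS documentation or from ucs-ctl), the following POSIX shell script assembles the step-5 kubeconfig from the ucs-user-token Secret created in step 3, but pins the API server CA that the Secret's ca.crt field already carries instead of setting insecure-skip-tls-verify: true. The sample Secret YAML, its ca.crt and token values, and the server URL are constructed placeholders.

```shell
# Added example, not part of the UCS documentation or ucs-ctl. Builds the step-5
# kubeconfig from the ucs-user-token Secret but pins the API server CA instead of
# setting insecure-skip-tls-verify: true. Assumes the `kubectl get secret -o yaml`
# layout and GNU base64, as the page's own step-4 pipeline does.

# Base64 value of one key under data: ($1 = Secret YAML, $2 = token or ca.crt).
secret_field_b64() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# Decoded value of one data: key; the bearer token goes into the kubeconfig decoded.
secret_field() {
  secret_field_b64 "$1" "$2" | base64 -d
}

# Kubeconfig in the page's layout. ca.crt in the Secret is already Base64 PEM,
# which is what certificate-authority-data expects, so it is passed through as is.
# $1 = Secret YAML, $2 = API server URL
build_kubeconfig() {
  cat <<EOF
kind: Config
apiVersion: v1
clusters:
  - name: internalCluster
    cluster:
      server: '$2'
      certificate-authority-data: $(secret_field_b64 "$1" ca.crt)
users:
  - name: ucs-user
    user:
      token: '$(secret_field "$1" token)'
contexts:
  - name: internal
    context:
      cluster: internalCluster
      user: ucs-user
current-context: internal
EOF
}

# Constructed sample Secret (placeholder CA header and token, not real values).
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: ucs-user-token
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
  token: c2FtcGxlLXRva2Vu
type: kubernetes.io/service-account-token'
build_kubeconfig "$SAMPLE_SECRET" 'https://kubernetes.default.svc.cluster.local:443'
```

Against a live cluster, pass "$(kubectl get secret ucs-user-token -n default -o yaml)" as the first argument and redirect the output to kubeconfig.yaml.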

Self-Managed Clusters

If your cluster is a standard cluster built from the official Kubernetes binaries or with a deployment tool such as kubeadm, you can perform the following steps to obtain the kubeconfig file.

The procedure does not apply to commercial clusters provided by cloud service vendors. For details about how to obtain the kubeconfig file of a commercial cluster, see Third-Party Cloud Clusters.

  1. Log in to the master node of the cluster.
  2. View the cluster access credential. By default, the kubeconfig file of a self-managed cluster is stored in $HOME/.kube/config on the master node. If another kubeconfig file is specified for your cluster, change the directory.

    cat $HOME/.kube/config

  3. Copy the credential content.
  4. Create a YAML file on your local PC, paste the credential content to the file, and save the file.
  5. Use the YAML file created in step 4 to connect to the cluster. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).

On-Premises Clusters

For details about the kubeconfig file of an on-premises cluster, see kubeconfig of an On-Premises Cluster.

You need to use ucs-ctl to obtain the kubeconfig file of an on-premises cluster.

  1. Use ucs-ctl to obtain the name of the on-premises cluster.

    ./ucs-ctl get cluster

  2. Use ucs-ctl to export the kubeconfig file of the on-premises cluster.

    ./ucs-ctl get kubeconfig -c test-redhat86 -o kubeconfig

    You can run the ucs-ctl get kubeconfig -h command to view the options of this command:

    • -c, --cluster: specifies the name of the cluster whose kubeconfig file is to be exported.
    • -e, --eip: specifies the EIP of the API server.
    • -o, --output: specifies the name of the kubeconfig file.