Updated on 2025-04-27 GMT+08:00

Cluster Access Overview

Accessing a cluster means establishing communication with it and executing cluster management tasks. A CCE cluster is a distributed system consisting of multiple nodes. Cluster resources such as pods, Services, and Deployments need to be centrally managed and operated through various tools and methods. To access a cluster, you interact with it through kubectl, CloudShell, or credentials such as X.509 certificates to create, configure, monitor, and debug resources.

Cluster Access Modes

Select the access mode that fits your scenario. The following table compares the available cluster access modes.

Table 1 Comparison between cluster access modes

Mode: Accessing a Cluster Using kubectl

Pros:
  • High flexibility and comprehensive functions
  • Automatic and batch operations

Cons:
  • Manual configuration for the local environment and credentials
  • Credential management-based security

Application Scenario: This mode is intended for developers and O&M personnel for the daily management of clusters, including resource creation, status monitoring, and debugging.

Mode: Accessing a Cluster Using CloudShell

Pros:
  • Rapid cluster access, without the need to configure the local environment
  • Integrated with the cloud platform, facilitating cross-service management

Cons:
  • Coupled with the cloud platform, allowing only online operations
  • Allowing only command line operations, which is somewhat limited compared to local tools like kubectl

Application Scenario: This mode is suitable for scenarios where temporary access to a cluster is necessary, as it eliminates the need for local tool installation and configuration.

Mode: Accessing a Cluster Using an X.509 Certificate

Pros:
  • High security, preventing attacks
  • Enhanced identity authentication and data encryption

Cons:
  • Complex configuration that requires certificates, keys, and related permissions
  • Complex certificate management and update

Application Scenario: This mode is ideal for scenarios requiring secure service communication, identity authentication, and encryption.

Mode: Accessing a Cluster Using a Custom Domain Name

Pros:
  • Easy-to-remember domain name, facilitating cluster access

Cons:
  • Complex SAN configuration

Application Scenario: This mode is designed for scenarios where a simple domain name instead of an IP address is used to access a cluster.

Mode: Configuring a Cluster's API Server for Internet Access

Pros:
  • Comprehensive remote access capabilities
  • Cross-region and global access

Cons:
  • Security measures such as firewalls, encryption, and authentication need to be taken to minimize the risk of attacks on the API server exposed to the Internet
  • Affected by bandwidth and latency, especially on global access

Application Scenario: This mode is ideal for managing clusters in cloud environments or across regions, particularly when access from multiple locations is required.

Revoking a Cluster Credential

CCE clusters allow you to revoke credentials. In multi-tenant scenarios, CCE generates a unique credential (such as a kubeconfig file or an X.509 certificate) for each user to access their designated cluster. These credentials contain user identity and authorization details, enabling users to perform authorized operations while ensuring secure isolation and management. However, credentials typically have a fixed validity period. If an employee resigns or a credential is compromised, manual revocation is required to maintain cluster security. For details, see Revoking a Cluster Access Credential.
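Because these credentials carry an identity and a fixed validity period, it helps to inventory them before deciding what to revoke. The script below is an added example, not CCE's own tooling: it assumes the kubeconfig embeds its client certificate under the standard Kubernetes client-certificate-data field, that openssl and base64 are on the PATH, and the function names and the sample identity are made up for illustration.

```shell
#!/bin/sh
# Added example: list the identity and expiry of every X.509 client
# certificate embedded in a kubeconfig, to spot credentials to rotate or revoke.
# Kubernetes takes the user name from the subject CN and the groups from O.

# audit_kubeconfig FILE [DAYS]   (hypothetical helper name)
# Prints "<subject> | <notAfter> | OK|EXPIRING" per client-certificate-data
# entry; EXPIRING means the certificate ends within DAYS days (default 30).
audit_kubeconfig() (
  cfg="$1"; days="${2:-30}"
  sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$cfg" |
  while read -r b64; do
    # The field holds a base64-encoded PEM certificate.
    pem="$(printf '%s' "$b64" | base64 -d 2>/dev/null)" || continue
    subject="$(printf '%s\n' "$pem" |
      openssl x509 -noout -nameopt RFC2253 -subject 2>/dev/null)" || continue
    end="$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
    # -checkend exits 0 only if the certificate is still valid after N seconds.
    if printf '%s\n' "$pem" |
       openssl x509 -noout -checkend "$((days * 86400))" >/dev/null
    then status=OK; else status=EXPIRING; fi
    printf '%s | %s | %s\n' "$subject" "$end" "$status"
  done
)

# make_sample_kubeconfig OUT DAYS   (hypothetical helper name)
# Writes a constructed kubeconfig holding a throwaway self-signed certificate
# for the made-up identity CN=constructed-user, O=constructed-group.
make_sample_kubeconfig() (
  out="$1"; days="$2"; dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=constructed-user/O=constructed-group" \
    -keyout "$dir/key.pem" -out "$dir/crt.pem" 2>/dev/null || exit 1
  {
    echo "apiVersion: v1"
    echo "kind: Config"
    echo "users:"
    echo "- name: constructed-user"
    echo "  user:"
    echo "    client-certificate-data: $(base64 < "$dir/crt.pem" | tr -d '\n')"
  } > "$out"
  rm -rf "$dir"
)

# Audit the kubeconfig files named on the command line, if any.
for f in "$@"; do audit_kubeconfig "$f"; done
```

An OK result only means the certificate has not reached its end date; a credential that was revoked on the cluster side still shows its original expiry here.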