Connecting to a Cluster Using kubectl
Scenario
You can use kubectl to connect a cluster.
Permissions
When you access a cluster using kubectl, CCE Autopilot uses kubeconfig.json generated on the cluster for authentication. This file contains user information, based on which CCE Autopilot determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a kubeconfig.json file vary from user to user.
For details about user permissions, see Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based).
Using kubectl
![Click to enlarge](https://support.huaweicloud.com/intl/en-us/usermanual-cce/en-us_image_0000001906633820.png)
Download kubectl and the configuration file. Copy the file to your client, and configure kubectl. After the configuration is complete, you can access your Kubernetes clusters. The steps are as follows:
- Prepare the environment.
You need to prepare a VM that is in the same VPC as the cluster and bind an EIP to the VM for downloading kubectl.
- Download kubectl.
You can run the kubectl version command to check whether kubectl has been installed. If kubectl has been installed, skip this step.
The Linux environment is used as an example to describe how to install and configure kubectl. For details, see Installing kubectl.
- Log in to your client and download kubectl.
cd /home curl -LO https://dl.k8s.io/release/{v1.25.0}/bin/linux/amd64/kubectl
{v1.25.0} specifies the version number. Replace it as required.
- Install kubectl.
chmod +x kubectl mv -f kubectl /usr/local/bin
- Log in to your client and download kubectl.
- Obtain the kubectl configuration file.
In the Connection Info pane on the Overview page, click Configure next to kubectl to check the kubectl connection. On the displayed page, choose Intranet access or Public network access and download the configuration file.
Figure 2 Downloading the configuration file- The kubectl configuration file (kubeconfig) is used for cluster authentication. If the file is leaked, your clusters may be attacked.
- For IAM users, the Kubernetes permissions specified in the configuration file are the same as those assigned on the CCE console.
- If the KUBECONFIG environment variable is configured in the Linux OS, kubectl preferentially loads the KUBECONFIG environment variable instead of $home/.kube/config.
- Configure kubectl.
A Linux OS is used as an example to describe how to configure kubectl.
- Log in to your client and copy the configuration file (for example, kubeconfig.yaml) downloaded in 3 to the /home directory on your client.
- Configure the kubectl authentication file.
cd /home mkdir -p $HOME/.kube mv -f kubeconfig.yaml $HOME/.kube/config
- Switch the kubectl access mode based on service scenarios.
- Run this command to enable intra-VPC access:
kubectl config use-context internal
- Run this command to enable public access (EIP required):
kubectl config use-context external
- Run this command to enable public access and two-way authentication (EIP required):
kubectl config use-context externalTLSVerify
- Run this command to enable intra-VPC access:
Troubleshooting
- Error from server Forbidden
When you use kubectl to create or query Kubernetes resources, the following information is displayed:
# kubectl get deploy Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "deployments" in API group "apps" in the namespace "default"
This is because the user does not have permission to operate the Kubernetes resources. For details about how to grant permissions to the user, see Namespace Permissions (Kubernetes RBAC-based).
- The connection to the server localhost:8080 was refused
When you use kubectl to create or query Kubernetes resources, the following information is displayed:
The connection to the server localhost:8080 was refused - did you specify the right host or port?
This is because cluster authentication is not configured for the kubectl client. For details, see Configure the kubectl authentication file.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot