Help Center> Cloud Container Engine> User Guide> User Guide for Autopilot Clusters> Clusters> Connecting to a Cluster> Connecting to a Cluster Using kubectl
Updated on 2024-07-05 GMT+08:00
View PDF

Connecting to a Cluster Using kubectl

Scenario

You can use kubectl to connect a cluster.

Permissions

When you access a cluster using kubectl, CCE Autopilot uses kubeconfig.json generated on the cluster for authentication. This file contains user information, based on which CCE Autopilot determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a kubeconfig.json file vary from user to user.

For details about user permissions, see Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based).

Using kubectl

kubectl is a Kubernetes command line tool for you to connect to a Kubernetes cluster from a client. You can log in to the CCE console, click the name of the cluster to be connected, and view the access address and connection steps on the cluster details page.
Figure 1 Cluster connection information

Download kubectl and the configuration file. Copy the file to your client, and configure kubectl. After the configuration is complete, you can access your Kubernetes clusters. The steps are as follows:

  1. Prepare the environment.

    You need to prepare a VM that is in the same VPC as the cluster and bind an EIP to the VM for downloading kubectl.

  2. Download kubectl.

    You can run the kubectl version command to check whether kubectl has been installed. If kubectl has been installed, skip this step.

    The Linux environment is used as an example to describe how to install and configure kubectl. For details, see Installing kubectl.

    1. Log in to your client and download kubectl.
      cd /home
curl -LO https://dl.k8s.io/release/{v1.25.0}/bin/linux/amd64/kubectl

      {v1.25.0} specifies the version number. Replace it as required.

    2. Install kubectl.
      chmod +x kubectl
mv -f kubectl /usr/local/bin

  3. Obtain the kubectl configuration file.

    In the Connection Info pane on the Overview page, click Configure next to kubectl to check the kubectl connection. On the displayed page, choose Intranet access or Public network access and download the configuration file.

    Figure 2 Downloading the configuration file
    • The kubectl configuration file (kubeconfig) is used for cluster authentication. If the file is leaked, your clusters may be attacked.
    • For IAM users, the Kubernetes permissions specified in the configuration file are the same as those assigned on the CCE console.
    • If the KUBECONFIG environment variable is configured in the Linux OS, kubectl preferentially loads the KUBECONFIG environment variable instead of $home/.kube/config.

  4. Configure kubectl.

    A Linux OS is used as an example to describe how to configure kubectl.
    1. Log in to your client and copy the configuration file (for example, kubeconfig.yaml) downloaded in 3 to the /home directory on your client.
    2. Configure the kubectl authentication file.
      cd /home
mkdir -p $HOME/.kube
mv -f kubeconfig.yaml $HOME/.kube/config
    3. Switch the kubectl access mode based on service scenarios.
      • Run this command to enable intra-VPC access:
        kubectl config use-context internal
      • Run this command to enable public access (EIP required):
        kubectl config use-context external
      • Run this command to enable public access and two-way authentication (EIP required):
        kubectl config use-context externalTLSVerify

Troubleshooting

  • Error from server Forbidden

    When you use kubectl to create or query Kubernetes resources, the following information is displayed:

    # kubectl get deploy Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "deployments" in API group "apps" in the namespace "default"

    This is because the user does not have permission to operate the Kubernetes resources. For details about how to grant permissions to the user, see Namespace Permissions (Kubernetes RBAC-based).

  • The connection to the server localhost:8080 was refused

    When you use kubectl to create or query Kubernetes resources, the following information is displayed:

    The connection to the server localhost:8080 was refused - did you specify the right host or port?

    This is because cluster authentication is not configured for the kubectl client. For details, see Configure the kubectl authentication file.

Related Operations

Parent topic: Connecting to a Cluster