Updated on 2025-08-19 GMT+08:00

Accessing a Cluster Using an X.509 Certificate

X.509 certificates are essential for verifying identities and encrypting communication within CCE clusters. These certificates enable authorized clients to access target clusters while encrypting data transmission between them. This prevents threats like eavesdropping and tampering, ensuring secure communication, authenticated identities, and valid access. To initiate a connection using X.509 certificates, obtain the cluster certificate from the CCE console and use it to configure the client accordingly.

Procedure

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. On the Overview page, locate the Connection Information area, and click Download next to X.509 certificate.

    Figure 1 Downloading a cluster certificate

  3. In the Obtain Certificate dialog box displayed, select the certificate expiration time and download the X.509 certificate of the cluster as prompted.

    • The downloaded certificate contains three files: client.key, client.crt, and ca.crt. Keep these files secure.
    • Certificates are not required for mutual access between containers in a cluster.
    • An issued X.509 certificate remains valid even if the user who requested it is deleted. To ensure cluster security, manually revoke the user's cluster access credentials. For details, see Revoking a Cluster Access Credential.

  4. Import the X.509 certificate to the client and use the certificate to call Kubernetes native APIs.

    For example, run the following curl command to call the API that lists the pods in the default namespace:

    curl --cacert ./ca.crt --cert ./client.crt --key ./client.key  https://192.168.0.18:5443/api/v1/namespaces/default/pods/
    • ./ca.crt, ./client.crt, and ./client.key are the local paths of the downloaded ca.crt, client.crt, and client.key files, respectively.
    • 192.168.0.18:5443 is the private or public network address of the API server in the cluster.

    If the following information is displayed, the X.509 certificate is correctly configured and the API server of the cluster is running properly:

    {
      "kind": "PodList",
      "apiVersion": "v1",
    ...

    For more cluster APIs, see Kubernetes API.
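As an added example (not part of the CCE documentation), the following POSIX shell script packages the three downloaded files into a kubeconfig with embedded credentials, so that kubectl authenticates to the API server the same way the curl command above does, after checking that the files are present and that client.crt is not about to expire. The file names and the address 192.168.0.18:5443 are taken from this page; the cluster, user, and context names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the CCE documentation): package the downloaded
# ca.crt, client.crt and client.key into a kubeconfig with embedded
# credentials so kubectl authenticates the same way the curl command does.
# File names and 192.168.0.18:5443 come from the page; the cluster, user
# and context names are constructed placeholders.

# Fail if any of the three downloaded files is missing or unreadable.
check_files() {
  for f in "$1" "$2" "$3"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
}

# Fail if the client certificate expires within $2 seconds (default: one
# day); the expiry was chosen when the certificate was downloaded. Needs openssl.
check_expiry() {
  openssl x509 -in "$1" -noout -checkend "${2:-86400}"
}

# Base64-encode a file as a single line (portable: no GNU-only -w0 flag).
b64() { base64 < "$1" | tr -d '\n'; }

# Print a kubeconfig that embeds the CA and the client certificate and key.
build_kubeconfig() {
  ca=$1; crt=$2; key=$3; server=$4
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cce-cluster
  cluster:
    server: https://${server}
    certificate-authority-data: $(b64 "$ca")
users:
- name: cce-x509-user
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: cce-x509
  context:
    cluster: cce-cluster
    user: cce-x509-user
current-context: cce-x509
EOF
}

# Usage: check_files ./ca.crt ./client.crt ./client.key && check_expiry ./client.crt &&
#   build_kubeconfig ./ca.crt ./client.crt ./client.key 192.168.0.18:5443 > kubeconfig
```

Point kubectl at the result with `KUBECONFIG=./kubeconfig kubectl get pods -n default`. The generated file contains the private key, so protect it exactly like the original client.key.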

Helpful Links

For details about how to manually revoke a cluster access credential, see Revoking a Cluster Access Credential.