Updated on 2025-08-28 GMT+08:00

Cluster Access

Access Mode

  • kubectl: Download the kubectl tool and the kubeconfig file, configure them, and then use kubectl to access the Kubernetes cluster. For details, see Accessing a Cluster Using kubectl.
  • EIP: You can bind an EIP to the cluster API server so that the API server can be reached from the public network. If no EIP is available, assign one. For details, see Assigning an EIP.
    • Binding an EIP to a cluster exposes the cluster to access risks from the Internet. You are advised to harden the inbound rule of port 5443 in the master node security group. For details, see How Can I Configure a Security Group Rule in a Cluster?
    • This operation will restart kube-apiserver and update the cluster access certificate (kubeconfig). Do not perform any operations on the cluster during this time.
  • Custom SAN: The Subject Alternative Name (SAN) allows multiple values (including IP addresses and domain names) to be associated with certificates. After the custom SAN is configured in the cluster access certificate, the cluster can be accessed using the domain names or IP addresses specified by the SAN. For details, see Accessing a Cluster Using a Custom Domain Name.

    This operation will restart kube-apiserver and update the cluster access certificate (kubeconfig). Do not perform any operations on the cluster during this time.

Authentication

  • Certificate Authentication

    CCE allows you to download the X.509 certificate, which contains the client.key, client.crt, and ca.crt files. Keep your certificate secure.

    For details about how to use a certificate to access clusters, see Accessing a Cluster Using an X.509 Certificate.

    CCE supports X.509 certificate revocation. For details about how to revoke a cluster credential, see Revoking a Cluster Access Credential.

  • OIDC

    CCE supports OpenID Connect (OIDC) authentication. You can configure the necessary identity authentication information to obtain an access token (known as an ID token) and add it to kubectl. For details, see Using Dex for OIDC Authentication on CCE.

    The OIDC parameters are listed below, each with its description and an example value.

    Issuer URL (oidc-issuer-url)
      Description: The URL for OIDC authentication. It must be HTTPS-compliant.
      Example value: https://dex.k8s.example.com

    Client ID (oidc-client-id)
      Description: Client ID registered with the OIDC authentication service. For example, the client ID registered in Step 2: Deploy a Dex Application is kubernetes.
      Example value: kubernetes

    Username (oidc-username-claim)
      Description: The JWT claim whose value is used as the username. The default value is sub, which is typically the unique identifier of the end user. You can also select other fields, such as email or name. You can grant Kubernetes permissions based on the username in the cluster. For details, see Step 6: Grant Kubernetes Permissions to a Third-Party User.
      Example value: email. Setting the parameter to email means that the value of the email field (the email address) in the JWT claims is used as the username.

    OIDC Group (oidc-groups-claim)
      Description: The JWT claim whose value is used as the user group. The field name of the user group is typically groups. You can grant Kubernetes permissions based on the user group. For details, see Step 6: Grant Kubernetes Permissions to a Third-Party User.
      Example value: groups. Setting this parameter to groups means that the value of groups in the JWT claims is used as the user group.

    CA File (oidc-ca-pem)
      Description: A CA certificate in PEM format. It is the CA that signed the identity provider's web certificate.
      Example value: CA certificate of the Dex domain name in Step 1: Create a Key (Skip This Step If You Already Have a Certificate)

    Username Prefix (oidc-username-prefix)
      Description: The prefix of the username. It is used to prevent clashes with existing names (such as system:users). Do not include a colon (:). For example, the value oidc indicates the prefix oidc:, which will create usernames like oidc:foo and oidc:bar.
        • The value you specified will apply to all usernames.
        • If this parameter is not specified, usernames that are not email addresses will be prefixed with the issuer URL to avoid conflicts.
      Example value: oidc

    OIDC Group Prefix (oidc-groups-prefix)
      Description: The prefix of the user group. It is used to prevent clashes with existing groups (such as system:groups). Do not include a colon (:). For example, the value oidc indicates the prefix oidc:, which will create user groups like oidc:engineering and oidc:infra.
      Example value: oidc

    Required Key-Value Claim (oidc-required-claim)
      Description: A key-value pair that describes a required claim in the ID token. If the claim is absent or its value does not match, authentication fails.
      Example value: key:value
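    The parameters above decide which Kubernetes identity an ID token turns into, and that identity is what RBAC bindings must name. The following Python program is an added illustration of that mapping (issuer and audience checks, the required claim, username and group claims, and the prefix rules); it is not CCE or kube-apiserver code. Signature verification against the issuer's keys and expiry checks are assumed to have happened before this step and are not modelled. The token, the user alice@example.com and the groups are constructed for the demo; the fallback of prefixing an unset username prefix with the issuer URL followed by "#" is the upstream kube-apiserver default rather than anything stated on this page.

```python
"""Claim-to-identity mapping for the OIDC parameters listed above.

Added illustration, not CCE or kube-apiserver code. A real API server first
verifies the ID token's signature against the issuer's published keys and
checks its expiry; that step is assumed done and is not modelled here.
The token used below is constructed and unsigned, for the demonstration only.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class OIDCConfig:
    issuer_url: str                          # oidc-issuer-url
    client_id: str                           # oidc-client-id
    username_claim: str = "sub"              # oidc-username-claim
    groups_claim: Optional[str] = None       # oidc-groups-claim
    username_prefix: Optional[str] = None    # oidc-username-prefix, without the colon (console convention)
    groups_prefix: Optional[str] = None      # oidc-groups-prefix, without the colon
    required_claims: Dict[str, str] = field(default_factory=dict)  # oidc-required-claim key:value pairs


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature (demo input only)."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_claims(token: str) -> dict:
    """Return the JWT payload; signature verification is assumed to happen upstream."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_identity(cfg: OIDCConfig, claims: dict) -> Tuple[str, List[str]]:
    """Apply the configured parameters to the claims and return (username, groups)."""
    if claims.get("iss") != cfg.issuer_url:
        raise PermissionError("iss does not match oidc-issuer-url")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in audiences:
        raise PermissionError("aud does not contain oidc-client-id")
    # oidc-required-claim: every configured key:value must be present and equal.
    for key, value in cfg.required_claims.items():
        if claims.get(key) != value:
            raise PermissionError(f"required claim {key}:{value} missing or mismatched")

    raw_user = claims.get(cfg.username_claim)
    if not isinstance(raw_user, str) or not raw_user:
        raise PermissionError(f"username claim {cfg.username_claim!r} missing from token")
    if cfg.username_prefix is not None:
        prefix = cfg.username_prefix + ":"      # console value "oidc" becomes the prefix "oidc:"
    elif cfg.username_claim == "email":
        prefix = ""                             # email addresses are left unprefixed
    else:
        prefix = cfg.issuer_url + "#"           # upstream kube-apiserver default when no prefix is set
    username = prefix + raw_user

    groups: List[str] = []
    if cfg.groups_claim:
        raw_groups = claims.get(cfg.groups_claim, [])
        if isinstance(raw_groups, str):         # a single group may arrive as a plain string
            raw_groups = [raw_groups]
        gprefix = cfg.groups_prefix + ":" if cfg.groups_prefix is not None else ""
        groups = [gprefix + g for g in raw_groups]
    return username, groups


def is_bound(username: str, groups: List[str], subjects: List[Dict[str, str]]) -> bool:
    """True if a RoleBinding's subjects name this user or one of its groups.

    This is why the prefixes matter: the subject must be the prefixed name
    (for example oidc:alice@example.com), not the bare claim value.
    """
    for s in subjects:
        if s["kind"] == "User" and s["name"] == username:
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False


if __name__ == "__main__":
    # Configuration taken from the example values in the parameter list above.
    cfg = OIDCConfig(issuer_url="https://dex.k8s.example.com", client_id="kubernetes",
                     username_claim="email", groups_claim="groups",
                     username_prefix="oidc", groups_prefix="oidc")
    # Constructed claims for the demo; the user and groups are invented.
    token = make_unsigned_token({"iss": "https://dex.k8s.example.com", "aud": "kubernetes",
                                 "sub": "user-1", "email": "alice@example.com",
                                 "groups": ["engineering", "infra"]})
    user, grps = map_identity(cfg, decode_claims(token))
    print(user, grps)   # oidc:alice@example.com ['oidc:engineering', 'oidc:infra']
    print(is_bound(user, grps, [{"kind": "Group", "name": "oidc:engineering"}]))  # True
```

    A practical check this makes visible: with the username prefix set to oidc, a RoleBinding subject of kind User named alice@example.com never matches, because the authenticated username is oidc:alice@example.com. Likewise, a required claim that the identity provider does not emit rejects every token, so verify the claim names against an actual ID token from the provider before enabling it.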

Server Request Settings

Table 1 Parameters (item, parameter, description, value)

Maximum Number of Concurrent Modification API Calls
  Parameter: max-mutating-requests-inflight
  Description: Maximum number of concurrent modification API calls. Any requests exceeding the specified value are rejected by the server. The value 0 specifies that there is no limit on the number of concurrent modification calls. This parameter is related to the cluster scale. You are advised not to change the value.
  Value: Manual configuration is no longer supported since clusters of v1.21. The value is automatically specified based on the cluster scale:
    • 200 for clusters with 50 or 200 worker nodes
    • 500 for clusters with 1000 worker nodes
    • 1000 for clusters with 2000 worker nodes

Maximum Number of Concurrent Non-Modification API Calls
  Parameter: max-requests-inflight
  Description: Maximum number of concurrent non-modification API calls. Any requests exceeding the specified value are rejected by the server. The value 0 specifies that there is no limit on the number of concurrent non-modification calls. This parameter is related to the cluster scale. You are advised not to change the value.
  Value: Manual configuration is no longer supported since clusters of v1.21. The value is automatically specified based on the cluster scale:
    • 400 for clusters with 50 or 200 worker nodes
    • 1000 for clusters with 1000 worker nodes
    • 2000 for clusters with 2000 worker nodes

Request Timeout
  Parameter: request-timeout
  Description: Default request timeout interval of kube-apiserver. Exercise caution when changing the value of this parameter. Ensure that the new value is appropriate, to prevent frequent API timeouts or other errors. This parameter is available only in clusters of v1.19.16-r30, v1.21.10-r10, v1.23.8-r10, v1.25.3-r10, and later versions.
  Value:
    Default: 1m0s
    Options: Min ≥ 1s, Max ≤ 1 hour

Overload Control
  Parameter: support-overload
  Description: Cluster overload control. If enabled, concurrent requests are dynamically controlled based on the resource demands received by master nodes to ensure the stable running of the master nodes and the cluster. For details, see Enabling Overload Control for a Cluster. This parameter is available only in clusters of v1.23 or later.
    NOTE: In particular scenarios, such as a request burst over a short period of time, a cluster can still be overloaded even though overload control is enabled for it. In such cases, you are advised to manage and control access to the cluster in a timely manner.
  Value: None