Obtaining a kubeconfig File
A kubeconfig file contains the authentication credentials and endpoint (access address) required for accessing a Kubernetes cluster when used in conjunction with kubectl or other clients. For details, see the Kubernetes documentation.
This section describes how to obtain the kubeconfig file of a cluster. Different cluster providers have different kubeconfig file formats. Perform operations based on your cluster.
The kubeconfig file contains cluster authentication credentials. Anyone who obtains the file can act on the cluster with the permissions those credentials carry (for the ServiceAccount created below, full cluster administration). Keep it secure: store it with restrictive file permissions, do not commit it to source control or paste it into tickets, and revoke the credential if the file is exposed.
Huawei Cloud Clusters
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the Connection Information area, click Configure next to kubectl.
- Download the kubectl configuration file as prompted. (If the public IP address is changed, you need to download it again.)
- Use the configuration file downloaded in 3 to connect the cluster to UCS. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).
Third-Party Cloud Clusters
Different third-party cloud vendors have different kubeconfig file formats. To obtain a kubeconfig file in the format supported by UCS, create a ServiceAccount with permissions on all cluster resources, obtain its token, and write that token into a kubeconfig file. Note that the manifest below binds the ServiceAccount to a ClusterRole equivalent to cluster-admin, and that the token of a manually created kubernetes.io/service-account-token Secret does not expire, so treat the resulting token exactly like a cluster-admin credential. (The Secret is created explicitly because clusters running Kubernetes 1.24 or later no longer create a token Secret for each ServiceAccount automatically.)
- Use kubectl to connect to the cluster.
- Create the ucs-service-account.yaml file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ucs-user
  namespace: default    # must match the namespace in the ClusterRoleBinding subject below
---
apiVersion: v1
kind: Secret
metadata:
  name: ucs-user-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: "ucs-user"
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ucs-user-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ucs-user-role-binding
subjects:
- kind: ServiceAccount
  name: ucs-user
  namespace: default
roleRef:
  kind: ClusterRole
  name: ucs-user-role
  apiGroup: rbac.authorization.k8s.io
- Run the following command in the cluster to create a ServiceAccount:
kubectl apply -f ucs-service-account.yaml
- Run the following command to obtain the token:
kubectl get secret ucs-user-token -n default -oyaml | grep token: | awk '{print $2}' | base64 -d ;echo
- Configure the kubeconfig file.
Create a kubeconfig.yaml file by referring to the following example and replace the token with the value obtained in 4.
kubeconfig.yaml:
kind: Config
apiVersion: v1
preferences: {}
clusters:
- name: internalCluster
  cluster:
    server: 'https://kubernetes.default.svc.cluster.local:443'
    insecure-skip-tls-verify: true
users:
- name: ucs-user
  user:
    token: 'MIIFbAYJKo*****'
contexts:
- name: internal
  context:
    cluster: internalCluster
    user: ucs-user
current-context: internal
The parameters in the kubeconfig file are described as follows (Parameter, Value, Description, Mandatory):

server
  Value: 'https://kubernetes.default.svc.cluster.local:443'
  Description: Intra-cluster access address of the API server. Some vendors restrict access to the API server from outside the cluster, in which case UCS cannot reach it through an external address. You are advised to use the intra-cluster access address.
  Mandatory: Yes

insecure-skip-tls-verify
  Value: true
  Description: If this parameter is used, verification of the API server certificate is skipped. The value must be true. Skipping verification means the connection no longer proves it is talking to the genuine API server, so the token is the only protection; keep the token tightly controlled.
  Mandatory: 1 out of 2 (either this parameter or certificate-authority-data)
  NOTE: If the value of server is the intra-cluster access address, skipping certificate verification is the preferred setting.

certificate-authority-data
  Value: Base64-encoded string
  Description: If this parameter is used, the API server certificate is verified against the cluster CA certificate given here (Base64-encoded; Base64 is an encoding, not encryption, so it does not protect the value).
  The default path of the CA certificate of a native Kubernetes cluster is /etc/kubernetes/pki/ca.crt on the master node.
  Mandatory: 1 out of 2 (either this parameter or insecure-skip-tls-verify)

token
  Value: String
  Description: Token-based authentication. The value is the token obtained in 4 (the decoded value printed by the command, not the Base64 string stored in the Secret).
  Mandatory: 1 out of 3 (token, client certificate and key, or username and password)
  NOTE: Token-based authentication is recommended. UCS supports only these three authentication modes.

client-certificate-data, client-key-data
  Value: Base64-encoded strings
  Description: Certificate- and private key-based authentication.
  - client-certificate-data: client certificate, Base64-encoded.
  - client-key-data: client private key, Base64-encoded.
  Mandatory: 1 out of 3

username, password
  Value: String
  Description: Username- and password-based authentication.
  - username: username for accessing the cluster.
  - password: password of the username.
  Static username and password authentication was removed from kube-apiserver in Kubernetes 1.19, so this mode only works against older clusters or an authenticating proxy placed in front of the API server.
  Mandatory: 1 out of 3
- Use the kubeconfig file configured in 5 to connect the cluster to UCS. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).
While the cluster is connected to UCS, do not delete the ServiceAccount, Secret, ClusterRole, or ClusterRoleBinding. Otherwise, the token becomes invalid and UCS loses access to the cluster.
If the cluster is no longer connected to UCS, you can run the kubectl delete -f ucs-service-account.yaml command to delete the ServiceAccount.
If the server address in the kubeconfig.yaml file is changed from the intra-cluster access address to another API server address of the cluster, the cluster may fail to connect to UCS. For details, see What Can I Do If an Attached Cluster Fails to Be Connected? - Check Item 3: kube-apiserver.
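The following shell script is an added example and is not part of the UCS documentation or tooling. It assembles the token-based kubeconfig described in steps 4 and 5 and checks it before it is uploaded: the token is read from the Secret with a jsonpath query (so no other "token:" line in the YAML can be picked up by mistake), the token's JWT payload is decoded so the ServiceAccount it belongs to can be confirmed, and the rendered file is rejected if it still contains the template placeholder or has both or neither of the two TLS settings. The function and variable names (extract_sa_token, jwt_payload, render_kubeconfig, check_kubeconfig, SAMPLE_TOKEN) are this example's own; only extract_sa_token needs kubectl and a cluster, everything else runs offline on a constructed sample token.

```shell
#!/bin/sh
# Added example, not part of the UCS documentation or tooling: build and check the
# token-based kubeconfig described above. Only extract_sa_token talks to a cluster;
# everything else runs offline on the constructed sample token at the bottom.

# Read the token with jsonpath rather than grep/awk, so no other "token:" line in
# the Secret's YAML can be picked up by mistake. Needs kubectl and cluster access.
extract_sa_token() {            # usage: extract_sa_token [SECRET] [NAMESPACE]
  kubectl get secret "${1:-ucs-user-token}" -n "${2:-default}" \
    -o jsonpath='{.data.token}' | base64 -d
}

# Service account tokens are JWTs: decode the (base64url, unpadded) payload so the
# 'sub' claim can be confirmed as system:serviceaccount:default:ucs-user before
# the token leaves the machine. The signature is not checked here.
jwt_payload() {                 # usage: jwt_payload TOKEN
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
  printf '%s' "$seg" | base64 -d
}

# Emit a kubeconfig in the layout shown on this page. Exactly one TLS setting is
# written: pass the cluster CA (base64, e.g. from
# kubectl get secret ucs-user-token -n default -o jsonpath='{.data.ca\.crt}')
# to keep server verification, or omit it to get insecure-skip-tls-verify: true.
render_kubeconfig() {           # usage: render_kubeconfig SERVER TOKEN [CA_B64]
  if [ -n "${3:-}" ]; then
    tls_line="    certificate-authority-data: $3"
  else
    tls_line="    insecure-skip-tls-verify: true"
  fi
  cat <<EOF
kind: Config
apiVersion: v1
preferences: {}
clusters:
- name: internalCluster
  cluster:
    server: '$1'
$tls_line
users:
- name: ucs-user
  user:
    token: '$2'
contexts:
- name: internal
  context:
    cluster: internalCluster
    user: ucs-user
current-context: internal
EOF
}

# Catch the mistakes that make registration fail or leak the template as-is:
# both or neither TLS setting, the placeholder token, or a missing context.
check_kubeconfig() {            # usage: check_kubeconfig FILE  (0 = looks sane)
  tls=$(grep -c -e 'insecure-skip-tls-verify: true' -e 'certificate-authority-data:' "$1" || true)
  [ "$tls" -eq 1 ] || { echo "expected exactly one TLS setting, found $tls" >&2; return 1; }
  if grep -qF "token: 'MIIFbAYJKo*****'" "$1"; then echo "placeholder token still present" >&2; return 1; fi
  grep -q '^current-context: internal$' "$1" || { echo "current-context missing" >&2; return 1; }
  return 0
}

# Constructed sample token (not a real credential): header.payload.signature with
# the claims a real service account token carries; the signature part is junk.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"sample"}' | b64url).$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:ucs-user"}' | b64url).c2ln"

# Stand-alone run: render the config, check it, and show who the token is for.
out=$(mktemp)
render_kubeconfig 'https://kubernetes.default.svc.cluster.local:443' "$SAMPLE_TOKEN" > "$out"
check_kubeconfig "$out" && printf 'kubeconfig written to %s for %s\n' "$out" "$(jwt_payload "$SAMPLE_TOKEN")"
rm -f "$out"
```

Against a real cluster, replace SAMPLE_TOKEN with `$(extract_sa_token)` and confirm that jwt_payload reports the ucs-user ServiceAccount before handing the file to UCS; if the subject is anything else, the wrong Secret was read.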
Self-Managed Clusters
If your cluster is a standard cluster built from the official Kubernetes binaries or with a deployment tool such as kubeadm, you can perform the following steps to obtain the kubeconfig file.
The procedure does not apply to commercial clusters provided by cloud service vendors. For details about how to obtain the kubeconfig file of a commercial cluster, see Third-Party Cloud Clusters.
- Log in to the master node of the cluster.
- View the cluster access credential. By default, the kubeconfig file of a self-managed cluster is stored in $HOME/.kube/config on the master node. If another kubeconfig file is specified for your cluster, change the path accordingly. On a kubeadm cluster this file is a copy of /etc/kubernetes/admin.conf, which authenticates with a cluster-admin client certificate that is valid for one year by default; run kubeadm certs check-expiration to see when it expires, and renew it with kubeadm certs renew admin.conf (and re-register the cluster) before that date.
cat $HOME/.kube/config
- Copy the credential content.
- Create a YAML file on your local PC, paste the credential content to the file, and save the file.
- Use the YAML file created in 4 to connect to the cluster. For details, see Registering an Attached Cluster (Public Network Access) or Registering an Attached Cluster (Private Network Access).
On-Premises Clusters
For details about the kubeconfig file of an on-premises cluster, see kubeconfig of an On-Premises Cluster.
You need to use ucs-ctl to obtain the kubeconfig file of an on-premises cluster.
- Use ucs-ctl to obtain the name of the on-premises cluster.
./ucs-ctl get cluster
- Use ucs-ctl to export the kubeconfig file of the on-premises cluster.
./ucs-ctl get kubeconfig -c test-redhat86 -o kubeconfig    # test-redhat86 is an example cluster name; use the name returned by the previous command
You can run the ucs-ctl get kubeconfig -h command to view the parameters of this command:
- -c, --cluster: specifies the name of the cluster whose kubeconfig file is to be exported.
- -e, --eip: specifies the EIP of the API server.
- -o, --output: specifies the name of the kubeconfig file.