forked from docs/doc-exports
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com> Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
27 lines
5.3 KiB
HTML
<a name="cce_10_0175"></a>
<h1 class="topictitle1">Accessing a Cluster Using an X.509 Certificate</h1>
<div id="body1556615866530"><p id="cce_10_0175__p776312512519">X.509 certificates are essential for verifying identities and encrypting communication within CCE clusters. These certificates enable authorized clients to access target clusters while encrypting data transmission between them. This prevents threats like eavesdropping and tampering, ensuring secure communication, authenticated identities, and valid access. To initiate a connection using X.509 certificates, obtain the cluster certificate from the CCE console and use it to configure the client accordingly.</p>
<div class="section" id="cce_10_0175__section1590914113306"><h4 class="sectiontitle">Procedure</h4><ol id="cce_10_0175__ol898314521505"><li id="cce_10_0175__li4829928181812"><span>Log in to the <span id="cce_10_0175__ph1519791153812">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0175__li179831852301"><span>On the <strong id="cce_10_0175__b1562014204338"><span id="cce_10_0175__text999619481471">Overview</span></strong> page, locate the <strong id="cce_10_0175__b15595218133311">Connection Information</strong> area, and click <strong id="cce_10_0175__b17735142393311">Download</strong> next to <strong id="cce_10_0175__b11788192563319">X.509 certificate</strong>.</span></li><li id="cce_10_0175__li1979910715109"><span>In the <span class="uicontrol" id="cce_10_0175__uicontrol13516511412"><b>Obtain Certificate</b></span> dialog box, select the validity period and download the <span class="keyword" id="cce_10_0175__keyword2331112794610">X.509 certificate</span> of the cluster as prompted.</span><p><div class="fignone" id="cce_10_0175__fig873583013712"><span class="figcap"><b>Figure 1 </b>Downloading a certificate</span><br><span><img id="cce_10_0175__image5191162792910" src="en-us_image_0000002483959374.png"></span></div>
<div class="notice" id="cce_10_0175__note21816913343"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="cce_10_0175__ul45041635102414"><li id="cce_10_0175__li050403542411">The downloaded certificate contains three files: <strong id="cce_10_0175__b1790092752911">client.key</strong>, <strong id="cce_10_0175__b990002710298">client.crt</strong>, and <strong id="cce_10_0175__b690015272292">ca.crt</strong>. Keep these files secure.</li><li id="cce_10_0175__li150414359248">Certificates are not required for mutual access between containers in a cluster.</li><li id="cce_10_0175__li193993573192">An issued X.509 certificate remains valid even if the user who requested it is deleted. To ensure cluster security, manually revoke the user's cluster access credentials. For details, see <a href="cce_10_0744.html">Revoking a Cluster Access Credential</a>.</li></ul>
</div></div>
</p></li><li id="cce_10_0175__li067115818495"><span>Import the X.509 certificate to the client and use the certificate to call Kubernetes native APIs.</span><p><p id="cce_10_0175__p1870145813497">For example, run the <strong id="cce_10_0175__b19239134672614">curl</strong> command to call the API that lists the pods in the default namespace:</p>
<pre class="screen" id="cce_10_0175__screen157018584498">curl --cacert <i><span class="varname" id="cce_10_0175__varname8215622133210">./ca.crt</span></i> --cert <i><span class="varname" id="cce_10_0175__varname414983110226">./client.crt</span></i> --key <i><span class="varname" id="cce_10_0175__varname1660914275228">./client.key</span></i> https://<i><span class="varname" id="cce_10_0175__varname1534114227226">192.168.0.18:5443</span></i>/api/v1/namespaces/default/pods/</pre>
<div class="note" id="cce_10_0175__note56493341315"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_0175__ul8301125115619"><li id="cce_10_0175__li15301185115612"><i><span class="varname" id="cce_10_0175__varname20330154211313">./ca.crt</span></i>, <i><span class="varname" id="cce_10_0175__varname105711351835">./client.crt</span></i>, and <i><span class="varname" id="cce_10_0175__varname040213581930">./client.key</span></i> are the paths on the client to the downloaded <strong id="cce_10_0175__b102362152711">ca.crt</strong>, <strong id="cce_10_0175__b20236513276">client.crt</strong>, and <strong id="cce_10_0175__b523619132720">client.key</strong> files, respectively.</li><li id="cce_10_0175__li530113518615"><i><span class="varname" id="cce_10_0175__varname189561619101012">192.168.0.18:5443</span></i> is the private or public network address of the API server of the cluster.</li></ul>
</div></div>
<p id="cce_10_0175__p1247614577288">If the following information is displayed, the X.509 certificate is correctly configured and the API Server of the cluster is running properly:</p>
<pre class="screen" id="cce_10_0175__screen3587204810306">{
  "kind": "PodList",
  "apiVersion": "v1",
  ...</pre>
<p id="cce_10_0175__p12685134972212">For more cluster APIs, see <a href="https://kubernetes.io/docs/reference/kubernetes-api/" target="_blank" rel="noopener noreferrer">Kubernetes API</a>.</p>
</p></li></ol>
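<p>The same mutual-TLS call written with Python's standard library, as an added example that is not part of the CCE documentation: the context mirrors the three curl flags (trust only ca.crt for the API server, present client.crt and client.key), the reply is checked for the <code>PodList</code> kind shown above, and the downloaded client.key is checked to be owner-readable only, as the notice asks. The API server address, namespace and file paths are assumed inputs.</p>

```python
import json
import os
import ssl
import stat
from http.client import HTTPSConnection


def mtls_context(ca_path, cert_path, key_path):
    """Equivalent of curl --cacert/--cert/--key: trust only ca.crt for the
    API server (never --insecure) and present client.crt/client.key to it."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def mode_is_private(mode):
    """True if a file mode has no group/other permission bits (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def key_file_is_private(key_path):
    """Check that the downloaded client.key is readable by its owner only."""
    return mode_is_private(os.stat(key_path).st_mode)


def parse_pod_list(body):
    """Validate a /api/v1/namespaces/<ns>/pods/ body and return the pod names."""
    doc = json.loads(body)
    if doc.get("kind") != "PodList" or doc.get("apiVersion") != "v1":
        raise ValueError(f"unexpected response kind {doc.get('kind')!r}")
    return [item["metadata"]["name"] for item in doc.get("items", [])]


def list_pods(api_server, ctx, namespace="default"):
    """GET the pod list from api_server (host:port, assumed input) over mTLS."""
    host, _, port = api_server.partition(":")
    conn = HTTPSConnection(host, int(port or 443), context=ctx, timeout=10)
    conn.request("GET", f"/api/v1/namespaces/{namespace}/pods/")
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"API server returned HTTP {resp.status}")
    return parse_pod_list(body)
```

<p>Typical use: <code>list_pods("192.168.0.18:5443", mtls_context("./ca.crt", "./client.crt", "./client.key"))</code>, after confirming <code>key_file_is_private("./client.key")</code>.</p>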
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_10_0140.html">Accessing a Cluster</a></div>
</div>
</div>