yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
bfc6e41869eea6458e591ab923df1d86f0af5ffc
doc-exports/docs/cce/umn/cce_10_0107.html
qiujiandong1 bfc6e41869 CCE UMN update 20241130 version 
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2025-02-24 12:45:02 +00:00

57 lines
13 KiB
HTML
Raw Blame History

<a name="cce_10_0107"></a><a name="cce_10_0107"></a>
<h1 class="topictitle1">Connecting to a Cluster Using kubectl</h1>
<div id="body1512462600292"><div class="section" id="cce_10_0107__section14234115144"><h4 class="sectiontitle">Scenario</h4><p id="cce_10_0107__p133539491408">This section uses a CCE standard cluster as an example to describe how to access a CCE cluster using <span class="keyword" id="cce_10_0107__keyword19467121518447">kubectl</span>.</p>
</div>
<div class="section" id="cce_10_0107__section17352373317"><h4 class="sectiontitle">Permissions</h4><p id="cce_10_0107__p51211251156">When you access a cluster using kubectl, CCE uses <strong id="cce_10_0107__b204601556154217">kubeconfig</strong> generated on the cluster for authentication. This file contains user information, based on which CCE determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a <strong id="cce_10_0107__b16295666413">kubeconfig</strong> file vary from user to user.</p>
<p id="cce_10_0107__p142391810113">For details about user permissions, see <a href="cce_10_0187.html#cce_10_0187__section1464135853519">Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based)</a>.</p>
</div>
<div class="section" id="cce_10_0107__section37321625113110"><a name="cce_10_0107__section37321625113110"></a><a name="section37321625113110"></a><h4 class="sectiontitle">Using kubectl</h4><p id="cce_10_0107__p764905418355">To connect to a Kubernetes cluster from a PC, you can use kubectl, a Kubernetes command line tool. You can log in to the CCE console and click the name of the target cluster to access the cluster console. On the <strong id="cce_10_0107__b127302345555"><span id="cce_10_0107__text869825054114">Overview</span></strong> page, view the access address and kubectl connection procedure.</p>
<div class="p" id="cce_10_0107__p7805114919351">CCE allows you to access a cluster through a private network or a public network.<ul id="cce_10_0107__ul126071124175518"><li id="cce_10_0107__li144192116548"><span class="keyword" id="cce_10_0107__keyword13441034142917">Intranet access</span>: The client that accesses the cluster must be in the same VPC as the cluster.</li><li id="cce_10_0107__li1460752419555">Public access: The client that accesses the cluster must be able to access public networks and the cluster has been bound with a public network IP.<div class="notice" id="cce_10_0107__note2967194410365"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="cce_10_0107__p19671244103610">To bind an EIP to the cluster, go to the <strong id="cce_10_0107__b1061217302"><span id="cce_10_0107__text6807412192418">Overview</span></strong> page and click <strong id="cce_10_0107__b021910485396">Bind</strong> next to <strong id="cce_10_0107__b132197480394">EIP</strong> in the <strong id="cce_10_0107__b14219164815396">Connection Information</strong> area. In a cluster with an EIP bound, kube-apiserver will be exposed to the Internet and may be attacked. To solve this problem, you can configure Advanced Anti-DDoS for the EIP of the node on which kube-apiserver runs.</p>
</div></div>
</li></ul>
</div>
<p id="cce_10_0107__p2842139103716">Download kubectl and the configuration file. Copy the file to your client, and configure kubectl. After the configuration is complete, you can access your Kubernetes clusters. The process is as follows:</p>
<ol id="cce_10_0107__ol6469105613170"><li id="cce_10_0107__li194691356201712"><span><strong id="cce_10_0107__b469717424401">Download kubectl.</strong></span><p><p id="cce_10_0107__p53069487256">Prepare a computer that can access the public network and install kubectl in CLI mode. You can run the <strong id="cce_10_0107__b2309195102312">kubectl version</strong> command to check whether kubectl has been installed. If kubectl has been installed, skip this step.</p>
<p id="cce_10_0107__p125851851153510">This section uses the Linux environment as an example to describe how to install and configure kubectl. For details, see <a href="https://kubernetes.io/docs/tasks/tools/#kubectl" target="_blank" rel="noopener noreferrer">Installing kubectl</a>.</p>
<ol type="a" id="cce_10_0107__ol735517018289"><li id="cce_10_0107__li551132463520">Log in to your client and download kubectl.<pre class="screen" id="cce_10_0107__screen8511142418352">cd /home
curl -LO https://dl.k8s.io/release/<em id="cce_10_0107__i13511182443516">{v1.25.0}</em>/bin/linux/amd64/kubectl</pre>
<p id="cce_10_0107__p6511924173518"><em id="cce_10_0107__i719013311241">{v1.25.0}</em> specifies the version. Replace it as required.</p>
</li><li id="cce_10_0107__li1216814211286">Install kubectl.<pre class="screen" id="cce_10_0107__screen16892115815271">chmod +x kubectl
mv -f kubectl /usr/local/bin</pre>
</li></ol>
</p></li><li id="cce_10_0107__li34691156151712"><a name="cce_10_0107__li34691156151712"></a><a name="li34691156151712"></a><span><strong id="cce_10_0107__b196211619192411">Obtain the kubectl configuration file.</strong></span><p><p id="cce_10_0107__p1295818109256">In the <span class="uicontrol" id="cce_10_0107__uicontrol9472521182416"><b>Connection Info</b></span> pane on the <strong id="cce_10_0107__b182944389444"><span id="cce_10_0107__text10158103924216">Overview</span></strong> page, click <strong id="cce_10_0107__b1547035714410">Configure</strong> next to <strong id="cce_10_0107__b5182125174514">kubectl</strong> to check the kubectl connection. On the displayed page, choose <strong id="cce_10_0107__b171301231185115">Intranet access</strong> or <strong id="cce_10_0107__b1113211495516">Public network access</strong> and download the configuration file.</p>
<div class="note" id="cce_10_0107__note191638104210"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_0107__ul795610485546"><li id="cce_10_0107__li495634817549">The kubectl configuration file <strong id="cce_10_0107__b11741123981418">kubeconfig</strong> is used for cluster authentication. If the file is leaked, your clusters may be attacked.</li><li id="cce_10_0107__li16956194817544">The Kubernetes permissions assigned by the configuration file downloaded by IAM users are the same as those assigned to the IAM users on the CCE console.</li><li id="cce_10_0107__li1537643019239">If the KUBECONFIG environment variable is configured in the Linux OS, kubectl preferentially loads the KUBECONFIG environment variable instead of <strong id="cce_10_0107__b5859154717398">$home/.kube/config</strong>.</li></ul>
</div></div>
</p></li><li id="cce_10_0107__li25451059122317"><a name="cce_10_0107__li25451059122317"></a><a name="li25451059122317"></a><span>Configure kubectl.</span><p><div class="p" id="cce_10_0107__p109826082413">Configure kubectl (A Linux OS is used).<ol type="a" id="cce_10_0107__ol2291154772010"><li id="cce_10_0107__li102911547102012">Log in to your client and copy the configuration file (for example, <strong id="cce_10_0107__b156991854125914">kubeconfig.yaml</strong>) downloaded in <a href="#cce_10_0107__li34691156151712">2</a> to the <strong id="cce_10_0107__b175828331240">/home</strong> directory on your client.</li><li id="cce_10_0107__li114766383477">Configure the kubectl authentication file.<pre class="screen" id="cce_10_0107__screen849155210477">cd /home
mkdir -p $HOME/.kube
mv -f <i><span class="varname" id="cce_10_0107__varname937302110334">kubeconfig.yaml</span></i> $HOME/.kube/config</pre>
</li><li id="cce_10_0107__li1480512253214">Switch the kubectl access mode based on service scenarios.<ul id="cce_10_0107__ul91037595229"><li id="cce_10_0107__li5916145112313">Run this command to enable intra-VPC access:<pre class="screen" id="cce_10_0107__screen279213242247">kubectl config use-context internal</pre>
</li><li id="cce_10_0107__li113114274233">Run this command to enable public access (EIP required):<pre class="screen" id="cce_10_0107__screen965013316242">kubectl config use-context external</pre>
</li><li id="cce_10_0107__li104133512481">Run this command to enable public access and two-way authentication (EIP required):<pre class="screen" id="cce_10_0107__screen61712126498">kubectl config use-context externalTLSVerify</pre>
<p id="cce_10_0107__p211573774917">For details about the cluster two-way authentication, see <a href="#cce_10_0107__section1559919152711">Two-Way Authentication for Domain Names</a>.</p>
</li></ul>
</li></ol>
</div>
</p></li></ol>
</div>
<div class="section" id="cce_10_0107__section1559919152711"><a name="cce_10_0107__section1559919152711"></a><a name="section1559919152711"></a><h4 class="sectiontitle"><span class="keyword" id="cce_10_0107__keyword311020376452">Two-Way Authentication for Domain Names</span></h4><p id="cce_10_0107__p138948491274">CCE supports two-way authentication for domain names.</p>
<ul id="cce_10_0107__ul88981331482"><li id="cce_10_0107__li1705116151915">After an EIP is bound to an API Server, two-way domain name authentication is disabled by default if kubectl is used to access the cluster. You can run <strong id="cce_10_0107__b198732542582">kubectl config use-context externalTLSVerify</strong> to enable the two-way domain name authentication.</li><li id="cce_10_0107__li1807459174818">When an EIP is bound to or unbound from a cluster, or a custom domain name is configured or updated, the cluster server certificate will be added the latest cluster access address (including the EIP bound to the cluster and all custom domain names configured for the cluster).</li><li id="cce_10_0107__li17898153310483">Asynchronous cluster synchronization takes about 5 to 10 minutes. You can view the synchronization result in <strong id="cce_10_0107__b196404619200">Synchronize Certificate</strong> in <strong id="cce_10_0107__b364620682012">Operation Records</strong>.</li><li id="cce_10_0107__li614337712">For a cluster that has been bound to an EIP, if the authentication fails (x509: certificate is valid) when two-way authentication is used, bind the EIP again and download <strong id="cce_10_0107__b121611451417">kubeconfig.yaml</strong> again.</li><li id="cce_10_0107__li5950658165414">If the two-way domain name authentication is not supported, <strong id="cce_10_0107__b56091346184712">kubeconfig.yaml</strong> contains the <strong id="cce_10_0107__b1961534614476">"insecure-skip-tls-verify": true</strong> field, as shown in <a href="#cce_10_0107__fig1941342411">Figure 1</a>. To use two-way authentication, download the <strong id="cce_10_0107__b549311585216">kubeconfig.yaml</strong> file again and enable two-way authentication for the domain names.<div class="fignone" id="cce_10_0107__fig1941342411"><a name="cce_10_0107__fig1941342411"></a><a name="fig1941342411"></a><span class="figcap"><b>Figure 1 </b>Two-way authentication disabled for domain names</span><br><span><img id="cce_10_0107__image3414621613" src="en-us_image_0000002101597765.png"></span></div>
</li></ul>
</div>
<div class="section" id="cce_10_0107__section1628510591883"><h4 class="sectiontitle">FAQs</h4><ul id="cce_10_0107__ul1374831051115"><li id="cce_10_0107__li4748810121112"><strong id="cce_10_0107__b456677171119"><span class="keyword" id="cce_10_0107__keyword0702458114510">Error from server Forbidden</span></strong><p id="cce_10_0107__p75241832114916">When you use kubectl to create or query Kubernetes resources, the following output is returned:</p>
<pre class="screen" id="cce_10_0107__screen5530165114117"># kubectl get deploy Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "deployments" in API group "apps" in the namespace "default"</pre>
<p id="cce_10_0107__p1418636115119">The cause is that the user does not have the permissions to operate the Kubernetes resources. For details about how to assign permissions, see <a href="cce_10_0189.html">Namespace Permissions (Kubernetes RBAC-based)</a>.</p>
</li><li id="cce_10_0107__li0365152110"><strong id="cce_10_0107__b1829619716131"><span class="keyword" id="cce_10_0107__keyword159213536451">The connection to the server localhost:8080 was refused</span></strong><p id="cce_10_0107__p1776396131212">When you use kubectl to create or query Kubernetes resources, the following output is returned:</p>
<pre class="screen" id="cce_10_0107__screen197636617124">The connection to the server localhost:8080 was refused - did you specify the right host or port?</pre>
<p id="cce_10_0107__p87631764129">The cause is that cluster authentication is not configured for the kubectl client. For details, see <a href="#cce_10_0107__li25451059122317">3</a>.</p>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_10_0140.html">Connecting to a Cluster</a></div>
</div>
</div>
View Git Blame Copy Permalink