The page has been translated by Gen AI.

Access Cluster

kubectl Installation and Usage

After creating a Kubernetes Engine service, you can use the Kubernetes command-line tool kubectl to execute commands against your Kubernetes cluster. With kubectl, you can deploy applications, inspect and manage cluster resources, and view logs. You can find how to install and use kubectl in the official Kubernetes documentation.

Reference

You must use a kubectl version that is within one minor version of the cluster version. For example, if the cluster version is 1.30, you can use kubectl versions 1.29, 1.30, or 1.31.

To access a Kubernetes cluster with kubectl, you need a kubeconfig file that contains the Kubernetes server address and authentication information.

Reference
For detailed information on Kubernetes authentication and authorization, refer to Authentication and Authorization.

Kubernetes Engine supports authentication via admin certificate kubeconfig and user authentication key kubeconfig.

Admin certificate kubeconfig

This kubeconfig uses the admin certificate as the authentication method when accessing the Kubernetes API.

Download admin kubeconfig

On the Kubernetes Engine > Cluster List > Cluster Details page, click the Admin kubeconfig download button to download the kubeconfig file.

Caution
  • Downloading the admin kubeconfig is allowed only for Admin.
  • There are separate private endpoint and public endpoint versions, and each can be downloaded only once.

Use admin kubeconfig

Reference
  • By default, kubectl looks for a file named config in the $HOME/.kube directory. You can also set the KUBECONFIG environment variable or specify the --kubeconfig flag to use a different kubeconfig file.
  • Private endpoints are, by default, only accessible from the nodes of the respective cluster. For resources in the same account and the same region, you can allow access by adding them to the private endpoint access control settings.
  • If you need to access the cluster from the external internet, setting public endpoint access to enabled allows you to access it using the public endpoint kubeconfig.

User authentication key kubeconfig

This kubeconfig uses the user’s Open API authentication key as the credential when accessing the Kubernetes API.

User kubeconfig download

On the Kubernetes Engine > Cluster List > Cluster Details page, click the User kubeconfig Download button to download the kubeconfig file.

Caution
  • Downloading a user’s kubeconfig is allowed only for users with cluster read permissions.
  • There are separate files for the private endpoint and the public endpoint.
  • Since the downloaded kubeconfig file does not contain the authentication key token, you must add the authentication key token information before using it. (See the next section.)

Add authentication key token to the user kubeconfig file

Below is an example of a user kubeconfig file. To use the kubeconfig file, you must add the authentication key token (AUTHKEY_TOKEN) information to the token field inside the file.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
    server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
  name: my-cluster-a1c3e
contexts:
- context:
    cluster: my-cluster-a1c3e
    user: jane.doe
  name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> # Required: replace with your AUTHKEY_TOKEN
Code block. Example of a user kubeconfig file

AUTHKEY_TOKEN can be generated by concatenating the ACCESS_KEY and SECRET_KEY of the authentication key with a colon (:) and then Base64 encoding it. The following is an example of creating an AUTHKEY_TOKEN in a Linux environment.

$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBjMDRmZDQzMGM4
Code block. Example of generating AUTHKEY_TOKEN value
Reference
  • For detailed information on generating authentication keys, refer to API Reference > Common > Samsung Cloud Platform Open API Call Procedure.
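
One way to carry out the two steps above (generate AUTHKEY_TOKEN, then write it into the token field) without exposing the secret key, as an added example that is not part of the original page. The function names and the output path in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are assumptions.

# AUTHKEY_TOKEN = base64("ACCESS_KEY:SECRET_KEY"). printf is a shell builtin,
# so the secret never appears in a process argument list; tr removes the
# line wrapping of base64 builds that lack GNU's -w0.
make_authkey_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Fill the <AUTHKEY_TOKEN> placeholder of a downloaded user kubeconfig.
# Args: <downloaded kubeconfig> <output path>
# Reads the key pair from the ACCESS_KEY and SECRET_KEY shell variables.
install_authkey_token() {
  local src=$1 dst=$2 token line
  [ "$src" != "$dst" ] || { echo "output must differ from input" >&2; return 4; }
  [ -n "${ACCESS_KEY:-}" ] && [ -n "${SECRET_KEY:-}" ] || {
    echo "ACCESS_KEY and SECRET_KEY must be set" >&2; return 2; }
  grep -q 'token:.*<AUTHKEY_TOKEN>' "$src" || {
    echo "no <AUTHKEY_TOKEN> placeholder in $src" >&2; return 3; }
  token=$(make_authkey_token "$ACCESS_KEY" "$SECRET_KEY")
  (
    umask 077   # new file is owner-only from creation; subshell keeps this local
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        *token:*'<AUTHKEY_TOKEN>'*)
          # Keep the indentation, drop the placeholder and trailing comment.
          printf '%stoken: %s\n' "${line%%token:*}" "$token" ;;
        *) printf '%s\n' "$line" ;;
      esac
    done < "$src" > "$dst"
  )
  chmod 600 "$dst"   # also tighten a pre-existing output file
}

# Usage (file names are placeholders). read -s keeps the secret off the
# terminal, and neither key ends up in shell history:
#   read -r  -p 'ACCESS_KEY: ' ACCESS_KEY
#   read -rs -p 'SECRET_KEY: ' SECRET_KEY; echo
#   install_authkey_token user-kubeconfig.yaml "$HOME/.kube/ske-user.yaml"
#   unset ACCESS_KEY SECRET_KEY
#   kubectl --kubeconfig="$HOME/.kube/ske-user.yaml" get namespaces
```

Base64 is an encoding, not encryption: anyone who can read the resulting kubeconfig can decode the token back into the access key and secret key, so the file needs the same handling as the key pair itself.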

User kubeconfig execution example

The following examples show the results of running kubectl with the user kubeconfig.

When access is blocked by access control or a firewall

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout
Code block. Example execution when access is blocked by access control or firewall.

When authentication fails because the AUTHKEY_TOKEN does not match

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)
Code block. Example execution when authentication fails because the AUTHKEY_TOKEN does not match.

When AUTHKEY_TOKEN authentication succeeds

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease    Active 10d
kube-public        Active 10d
kube-system        Active 10d
Code block. Example execution when AUTHKEY_TOKEN authentication succeeds

When AUTHKEY_TOKEN authentication succeeds but the user lacks permission

$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope
Code block. Example execution when AUTHKEY_TOKEN authentication succeeds but the user lacks permission.
Reference
If AUTHKEY_TOKEN authentication succeeds but the user lacks permission, the authentication process completed correctly, but the authority to perform the requested operation was not granted (authorization). For detailed information about authorization, see Authentication and Authorization.