Get permanent certificate to access kubectl - kubernetes

I have setup a cluster on AWS using kops. I want to connect to the cluster from my local machine.
I have to do cat ~/.kube/config, copy the content and replace it with my local kube config to access the cluster.
The problem is that it expires after a certain amount of time. Is there a way to get permanent access to the cluster?

Not sure if you can get permanent access to the cluster, but based on the official kOps documentation you can just run the kops update cluster command with the --admin={duration} flag and set the expiry time to a very big value.
For example, let's set it for almost 10 years:
kops update cluster {your-cluster-name} --admin=87599h --yes
Then just copy as usual your config file to the client.
Based on the official release notes, to go back to the previous behaviour just use the value 87600h.
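A way to check how long the credential in such a kubeconfig is still valid, as an added example that is not part of the original answer: it takes the JSON form of the kubeconfig (the output of kubectl config view --raw -o json) and reads the notAfter date out of each user's embedded client certificate with a minimal DER walk, so it needs only the standard library. The stub certificate built at the bottom is constructed for the self-test and is not a real or signed certificate.

```python
import base64, datetime, json

def tlv(buf, pos):
    """Read one DER tag-length-value at pos: returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der):
    """Walk Certificate -> TBSCertificate -> Validity and return notAfter as an aware UTC datetime."""
    _, cert, _ = tlv(der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = tlv(cert, 0)                      # TBSCertificate SEQUENCE
    tag, _, pos = tlv(tbs, 0)                     # [0] EXPLICIT version, absent on v1 certs
    if tag != 0xA0: pos = 0
    for _ in range(3): _, _, pos = tlv(tbs, pos)  # skip serialNumber, signature, issuer
    _, validity, _ = tlv(tbs, pos)                # Validity SEQUENCE { notBefore, notAfter }
    _, _, pos = tlv(validity, 0)
    tag, value, _ = tlv(validity, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(value.decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def client_cert_days_left(config_json, now=None):
    """Days until each kubeconfig user's embedded client certificate expires (negative = expired)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    days = {}
    for entry in json.loads(config_json).get("users", []):
        b64 = entry.get("user", {}).get("client-certificate-data")
        if b64:                                   # base64 of a PEM file; drop the armour lines
            pem = base64.b64decode(b64).decode()
            der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
            days[entry["name"]] = (cert_not_after(der) - now).days
    return days

# Constructed sample input (not a real certificate): a minimal, unsigned TBSCertificate.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body         # short-form lengths suffice for the stub

def stub_cert(not_after=b"250101000000Z", time_tag=0x17):
    return der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
               der(0x30, der(0x06, b"\x2A\x03\x04")), der(0x30),
               der(0x30, der(0x17, b"240101000000Z"), der(time_tag, not_after))))

def stub_config(cert_der):
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert_der).decode()
    user = {"name": "kops-admin", "user": {"client-certificate-data": base64.b64encode(pem.encode()).decode()}}
    return json.dumps({"users": [user]})
```

Run it against a real file with client_cert_days_left(open("config.json").read()); users that authenticate with a token or an exec plugin carry no client-certificate-data and are skipped.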

Related

Trying to connect to Digital Ocean Kubernetes Cluster - .kube/config: not a directory

I'm trying to connect to a Digital Ocean Kubernetes cluster using doctl but when I run
doctl kubernetes cluster kubeconfig save <> I get an error saying .kube/config: not a directory. I've authenticated using doctl and when I run doctl account get I see my account info. I'm confused as to what the problem is. Is this some sort of permission issue or did I miss a config step somewhere?
kubectl (by default) stores a configuration in ${HOME}/.kube/config. It appears you don't have the file and the command doesn't create it if it doesn't exist; I recommend you try creating ${HOME}/.kube first as doctl really ought to create the config file if it doesn't exist.
kubectl facilitates interacting with multiple clusters as multiple users in multiple namespaces through the use of a tuple called 'context' which combines a cluster with a user with a(n optional) namespace. The command lets you switch between these easily.
After you're done with a cluster, generally (!) you must tidy up its entries in ${HOME}/.kube/config too as these configs tend to grow over time.
You can change the location of the kubectl config file using an environment variable (KUBECONFIG).
See Organizing Cluster Access Using kubeconfig Files

Is `helm reset --force` meant to be executed once per physical host or once per cluster?

From this question How to uninstall / remove tiller from Kubernetes manually? I see I can use
helm reset --force
to, quoting https://helm.sh/docs/helm/#helm-reset ...
uninstalls Tiller (the Helm server-side component) from your Kubernetes Cluster and optionally deletes local configuration in $HELM_HOME (default ~/.helm/)
My question is:
In a multi-node cluster should this be run once per master or once per cluster?
Once per cluster should be enough, because tiller is a single cluster-wide component that is running completely on kubernetes, not tied to a specific node.
Additionally, you do not need to run this command on the nodes themselves - you can run it locally as well, as long as you can talk to the kube-apiserver. This is what is meant by the "local configuration files (~/.helm)".

kops validate cluster fails with "error reading cluster configuration"?

I'm playing with kops, and set up 2 clusters. After setting up the second cluster, I updated the KOPS_STATE_STORE value in my .profile. Now when I do
$ kops get clusters
I get
cluster not found first-cluster.k8s.local
I can't remember what the original KOPS_STATE_STORE was. How can I fix this so first-cluster.k8s.local is gone from kops?
Thanks!
There is no way to check it with kops.
Usually, a KOPS_STATE_STORE value is an AWS S3 bucket so you can try to check the list of your buckets.

Get kubeconfig by ssh into cluster

If I am able to SSH into the master or any nodes in the cluster, is it possible for me to get 1) the kubeconfig file or 2) all information necessary to compose my own kubeconfig file?
You could find configuration on master node under /etc/kubernetes/admin.conf (on v1.8+).
On some versions of kubernetes, this can be found under ~/.kube
I'd be interested in hearing the answer to this as well. But I think it depends on how the authentication is set up. For example,
Minikube uses "client certificate" authentication. If it stores the client.key on the cluster as well, you might construct a kubeconfig file by combining it with the cluster’s CA public key.
GKE (Google Kubernetes Engine) uses authentication on a frontend that's separate from the Kubernetes cluster (masters are hosted separately). You can't ssh into the master, but if it was possible, you still might not be able to construct a token that works against the API server.
However, by default Pods have a service account token that can be used to authenticate to the Kubernetes API. So if you SSH into a node and run docker exec into a container managed by Kubernetes, you will see this:
/ # ls run/secrets/kubernetes.io/serviceaccount
ca.crt namespace token
You can combine ca.crt and token to construct a kubeconfig file that will authenticate to the Kubernetes master.
So the answer to your question is yes, if you SSH into a node, you can then jump into a Pod and collect information to compose your own kubeconfig file. (See this question on how to disable this. I think there are solutions to disable it by default as well by forcing RBAC and disabling ABAC, but I might be wrong.)

How does Kubectl connect to the master

I've installed Kubernetes via Vagrant on OS X and everything seems to be working fine, but I'm unsure how kubectl is able to communicate with the master node despite being local to the workstation filesystem.
How is this implemented?
kubectl has a configuration file that specifies the location of the Kubernetes apiserver and the client credentials to authenticate to the master. All of the commands issued by kubectl are over the HTTPS connection to the apiserver.
When you run the scripts to bring up a cluster, they typically generate this local configuration file with the parameters necessary to access the cluster you just created. By default, the file is located at ~/.kube/config.
In addition to what Robert said: the connection between your local CLI and the cluster is controlled through kubectl config set, see the docs.
The Getting started with Vagrant section of the docs should contain everything you need.