tencent cloud

masukan

Instructions on Stopping Delivering the Kubeconfig File to Nodes

Terakhir diperbarui:2024-12-13 15:46:01
    Note
    TKE plans to carry out an operation from 23:00 September 21 (Monday) to 06:00 September 22 (Tuesday), 2020 UTC+8 to stop delivering the Kubeconfig file.

    Background

    Currently, TKE stores the Kubeconfig file with the admin token in nodes by default. By using this Kubeconfig file, users can easily operate on Kubernetes clusters. However, if users fail to conduct node login permission management carefully, clusters may face security risks. Therefore, we decided to stop delivering the Kubeconfig file.
    Existing clusters may use the Kubeconfig file to perform cluster initialization operations in user-defined scripts. To solve this issue, we will provide a client certificate for node initialization with the same permissions as the Kubeconfig file, but with a validity period of only 12 hours. After the certificate expires, the Kubeconfig file will be invalidated. If you still need the file after the expiration, refer to Issues and Solutions.

    Issues and Solutions

    Symptoms

    If you prefer to use the following command to log in to a TKE cluster node for kubectl operations, you will be prompted with the following error message:
    $ kubectl get node
    The connection to the server localhost:8080 was refused - did you specify the right host or port?
    $ kubectl get node
    error: You must be logged in to the server (Unauthorized)

    Solutions

    1. Log in to the TKE console.
    2. Obtain the credential Kubeconfig file of the current account. For more information, see Obtaining credentials.
    3. After obtaining the Kubeconfig file, you can enable private network access or directly use the service IP address of Kubernetes.
    Enabling private network access: on the cluster details page, choose Basic Information in the left sidebar, enable Private Network Access in the Cluster API Server information section, and operate according to the prompt.
    Using the service IP address of Kubernetes: on the cluster details page, choose Services and Routes > Service in the left sidebar to obtain the service IP address of Kubernetes in the default namespace. Replace the clusters.cluster.server field in the Kubeconfig file with https://<IP>:443.
    4. Copy the content of the Kubeconfig file to $HOME/.kube/config on the new node.
    5. Access a Kubeconfig cluster and use kubectl get nodes to test connectivity.

    Handling Special Scenarios

    Special scenarios

    A workload has mounted the /root/.kube/config or /home/ubuntu/.kube/config file of the host for use.

    Solutions

    Use Kubernetes serviceaccount correctly to access clusters in incluster mode. For more information, see Configure Service Accounts for Pods.
    Hubungi Kami

    Hubungi tim penjualan atau penasihat bisnis kami untuk membantu bisnis Anda.

    Dukungan Teknis

    Buka tiket jika Anda mencari bantuan lebih lanjut. Tiket kami tersedia 7x24.

    Dukungan Telepon 7x24