How to access a Kubernetes Cluster

In this article we’ll look at the currently available mechanisms for any user to access a Kubernetes Cluster.

One of the fundamental requirement is to have a way to provide the cluster and relevant authentication details. Before looking at the Kubernetes cluster access mechanisms that are available to a user, we need to understand how the cluster and related authentication details are provided.

In a previous article we saw the various authentication mechanisms available in Kubernetes. Authentication mechanisms can differ for users as well as Kubernetes components like kubelet, kubeproxy etc.

Kubernetes provides ‘kubeconfig’ file to make it easier to switch between multiple users and clusters with different credentials. This file contains details on the cluster information and related authentication mechanisms.

An example kubeconfig file is shown below:

apiVersion: v1
kind: Config
current-context: pradipta-to-prod-cluster
preferences: {}
clusters:
- cluster:
    certificate-authority-data: VlJSkFKR0xpa2NLdEFKdU1Bd0dBMVVkRXdRRk1BTUJBZjh3Q3dZRApWUjBQQkFRREFnRUdNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFCb0Z3VHVJUW9uSXkwemN3ajkzci8vMUorClNrT0JCS2lHdUZocUk0VllUaEdHZ1NTbGFqSU1GSTdxQkhPNnBvdGtZU01mZXFBSUFtUVBGNjJsaVBpZkdqcG8KdkZOOXVMYUZ1TEhlT1B5MW01eU91blZXdGtwSlVnS1ZVbStFZlhmN2VwMDA4aEM0UWYyNXExekQ3S0Q3a3VnNwpuREZNYldnUDZ0TnBVQy9EZWdpMzJiUG1WYUxuRlRFZHFCamM4ODc3eUlnMWI2ZGV6bmlaVXpVTTIwTFE3dTVlCmIxL3dmb0FRR1RTbnNMdDIzWW9BQnMzR1ZneDdwblk2MjhQMzdTZXNQN081c3NtRUV1ZFZnUnY4OGF3OHZNV04KYmkrT3RjRmhCM09WLzNqL1ROZlFJYWNLVU12UFo2bTl5OGNqQW1leDVuWGdNWlN0TS9WYVNWQXBZZUlECi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://kube-prod-cluster:443
  name: prod-cluster
- cluster:
    certificate-authority: /path/to/ca_crt_file
    server: https://kube-dev-cluster:443
  name: dev-cluster
contexts:
- context:
    cluster: prod-cluster
    user: pradipta
  name: pradipta-to-prod-cluster
- context:
    cluster: dev-cluster
    user: pradipta-dev
  name: pradipta-to-dev-cluster
users:
- name: pradipta
  user:
    password: password
    username: pradipta
- name: pradipta-dev
  user:
      token: 4P0kIskwZcK5nQKL4zTTGT9O3VRIPbth

A context defines a specific cluster,user,namespace tuple and is used to send requests to the specified cluster using the provided authentication details. In the above example the current context is set to ‘pradipta-to-prod-cluster’ which means that requests will be sent to ‘prod-cluster’ using ‘pradipta’ as the user.
The certificate-authority-data is base64 encoding of the ca.crt. Think of it as the output of ‘cat ca.crt | base64’.

More details on kubeconfig file can be found in the kubernetes user guide.

Using kubectl Command Line Interface (CLI)
If you prefer CLI access to the cluster, then you need to use the kubectl binary. Depending on your platform, kubectl binary can be downloaded from the following locations:

For Linuxhttps://storage.googleapis.com/kubernetes-release/release/v1.2.4/bin/linux/amd64/kubectl
For Mac  – https://storage.googleapis.com/kubernetes-release/release/v1.2.4/bin/darwin/amd64/kubectl
For Windowshttps://storage.googleapis.com/kubernetes-release/release/v1.2.4/bin/windows/amd64/kubectl.exe

Cluster access details to the kubectl binary can be either provided via the –kubeconfig= option or via $HOME_DIR/.kube/config file

Using Kubernetes Web UI (dashboard)
If you prefer web UI access to the cluster, then you need to use the Kubernetes dashboard program. Docker image for multiple architectures are available from Google registry.
Additionally latest dashboard release as of this writing (v1.1.0) allows one to specify the kubeconfig file that needs to be used for cluster access. Previous versions used to work with unauthenticated port (http) only.

For example on my PowerPC LE environment, the following command is used to run the kubernetes-dashboard image for admin user having full access to the cluster.

# docker run -itd -v /etc/kubernetes/kubectl.kubeconfig:/etc/kubeconfig -e KUBECONFIG=/etc/kubeconfig -p 80:9090 gcr.io/google_containers/kubernetes-dashboard-ppc64le:v1.1.0

The admin dashboard will be available at http://<master-host-ip-or-fqdn>:80

If you are using Intel environment, then the command will look like this

# docker run -itd -v /etc/kubernetes/kubectl.kubeconfig:/etc/kubeconfig -e KUBECONFIG=/etc/kubeconfig -p 80:9090 gcr.io/google_containers/kubernetes-dashboard:v1.1.0

Futher, the following command is used to run the kubernetes-dashboard image for regular users

# docker run -itd -v /etc/kubernetes/pradipta.kubeconfig:/etc/kubeconfig -e KUBECONFIG=/etc/kubeconfig -p 81:9090 gcr.io/google_containers/kubernetes-dashboard-ppc64le:v1.1.0

The user dashboard will be available at http://<master-host-ip-or-fqdn>:81

So in summary, a user need atleast two basic ingredients for accessing a Kubernetes cluster   – a kubeconfig file from the administrator and either the kubectl binary or kubernetes-dashboard web URL.

Happy Kubernetting :-)

Pradipta Kumar Banerjee

I'm a Cloud and Linux/ OpenSource enthusiast, with 16 years of industry experience at IBM. You can find more details about me here - Linkedin

You may also like...