kubeconfig

references:
* 创建 kubeconfig 文件
创建k8s context
Configure Access to Multiple Clusters
Organizing Cluster Access Using kubeconfig Files
kubectl config
Kubectl Config Set-Context | Tutorial and Best Practices
Checklist: pros and cons of using multiple Kubernetes clusters, and how to distribute workloads between them
kubectl config view
others:
Introducing kubectl
more usage:
imarslo : kubectl config view

step by step

defining clusters

$ kubectl config set-cluster k8s-cluster --server=127.0.0.1:8087

modify server

$ kubectl config set-cluster NAME --server=https://10.69.114.92:6443

# or
$ kubectl config set-cluster $(kubectl config current-context) --server=https://10.69.114.92:6443

defining users

using token

$ kubectl config set-credentials my-user --token=Py93bt12mT

using basic authentication

$ kubectl config set-credentials my-user --username=redhat-username --password=redhat-password

using certificates

$ kubectl config set-credentials my-user --client-certificate=redhat-certificate.crt --client-key=redhat-key.key

defining contexts

$ kubectl config set-context --cluster=k8s-cluster --user=my-user

by namespace

$ kubectl config set-context my-context --cluster=k8s-cluster --user=my-user --namespace=redhat-dev

setup default namespace

$ kubectl config set-context --current --namespace=<my_namespace>

use contexts

$ kubectl config use-context my-context

verify

$ kubectl config get-contexts
CURRENT   NAME            CLUSTER           AUTHINFO      NAMESPACE
*         my-context      172.0.7.2:6443    my-user       redhat-dev
          my-context-2    172.1.8.0:6443    my-user-2

$ kubectl config current-context
my-context

OpenID Connect ( OIDC )

[!NOTE|label:references:]

Option 1 - OIDC Authenticator

$ kubectl config set-credentials USER_NAME \
          --auth-provider=oidc \
          --auth-provider-arg=idp-issuer-url=( issuer url ) \
          --auth-provider-arg=client-id=( your client id ) \
          --auth-provider-arg=client-secret=( your client secret ) \
          --auth-provider-arg=refresh-token=( your refresh token ) \
          --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
          --auth-provider-arg=id-token=( your id_token )

echo "-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
" \ > ca-kubernetes-staging.pem

## set cluster
kubectl config set-cluster kubernetes-staging \
               --server=https://127.0.7.2:6443 \
               --certificate-authority=ca-kubernetes-staging.pem \
               --embed-certs

## set credential
kubectl config set-credentials marslo@kubernetes-staging  \
               --auth-provider=oidc  \
               --auth-provider-arg='idp-issuer-url=https://dex-k8s.domain.com/'  \
               --auth-provider-arg='client-id=dex-k8s-authenticator'  \
               --auth-provider-arg='client-secret=Z**********************0' \
               --auth-provider-arg='refresh-token=C**********************************************************************n' \
               --auth-provider-arg='id-token=e**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************A'

## set context
kubectl config set-context kubernetes-staging --cluster=kubernetes-staging --user=marslo@kubernetes-staging

## use context
kubectl config use-context kubernetes-staging

verify

# get id-token
$ kubectl config view -o jsonpath='{.users[?(@.name == "marslo@kubernetes-staging")].user.auth-provider.config.id-token}'

# get the password for the `e2e` user
$ kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'

Configure Access to Multiple Clusters

[!TIP] a configuration file describes clusters, users, and contexts

set clusters

# cluster development
$ kubectl config --kubeconfig=config-demo \
                 set-cluster development \
                 --server=https://1.2.3.4 \
                 --certificate-authority=fake-ca-file

# cluster test
$ kubectl config --kubeconfig=config-demo \
                 set-cluster test \
                 --server=https://5.6.7.8 \
                 --insecure-skip-tls-verify

set user

[!NOTE]
To delete a user you can run kubectl --kubeconfig=config-demo config unset users.<name>
To remove a cluster, you can run kubectl --kubeconfig=config-demo config unset clusters.<name>
To remove a context, you can run kubectl --kubeconfig=config-demo config unset contexts.<name>

# with CA
$ kubectl config --kubeconfig=config-demo \
                 set-credentials developer \
                 --client-certificate=fake-cert-file \
                 --client-key=fake-key-seefile

# with basic authentication
$ kubectl config --kubeconfig=config-demo \
                 set-credentials experimenter \
                 --username=exp \
                 --password=some-password

add context

# user developer namespace frontend
$ kubectl config --kubeconfig=config-demo \
                 set-context dev-frontend \
                 --cluster=development \
                 --namespace=frontend \
                 --user=developer

# user developer namespace storage
$ kubectl config --kubeconfig=config-demo \
                 set-context dev-storage \
                 --cluster=development \
                 --namespace=storage \
                 --user=developer

# user experimenter
$ kubectl config --kubeconfig=config-demo \
                 set-context exp-test \
                 --cluster=test \
                 --namespace=default \
                 --user=experimenter

result

$ kubectl config --kubeconfig=config-demo get-contexts
CURRENT   NAME           CLUSTER       AUTHINFO       NAMESPACE
          dev-frontend   development   developer      frontend
          dev-storage    development   developer      storage
          exp-test       test          experimenter   default

$ kubectl config --kubeconfig=config-demo view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: fake-ca-file
    server: https://1.2.3.4
  name: development
- cluster:
    insecure-skip-tls-verify: true
    server: https://5.6.7.8
  name: test
contexts:
- context:
    cluster: development
    namespace: frontend
    user: developer
  name: dev-frontend
- context:
    cluster: development
    namespace: storage
    user: developer
  name: dev-storage
- context:
    cluster: test
    namespace: default
    user: experimenter
  name: exp-test
current-context: ""
kind: Config
preferences: {}
users:
- name: developer
  user:
    client-certificate: fake-cert-file
    client-key: fake-key-seefile
- name: experimenter
  user:
    password: some-password
    username: exp

use context

$ kubectl config --kubeconfig=config-demo use-context dev-frontend
Switched to context "dev-frontend".

$ kubectl config --kubeconfig=config-demo get-contexts
CURRENT   NAME           CLUSTER       AUTHINFO       NAMESPACE
*         dev-frontend   development   developer      frontend
          dev-storage    development   developer      storage
          exp-test       test          experimenter   default

$ kubectl config --kubeconfig=config-demo view --minify
apiVersion: v1
clusters:
- cluster:
    certificate-authority: fake-ca-file
    server: https://1.2.3.4
  name: development
contexts:
- context:
    cluster: development
    namespace: frontend
    user: developer
  name: dev-frontend
current-context: dev-frontend
kind: Config
preferences: {}
users:
- name: developer
  user:
    client-certificate: fake-cert-file
    client-key: fake-key-seefile

Create a second configuration file

KUBECONFIG environment variable

linux
```
$ export KUBECONFIG_SAVED="$KUBECONFIG"
```
windows
```
> $Env:KUBECONFIG_SAVED=$ENV:KUBECONFIG
```

temporarily append two paths to your kubeconfig environment variable

linux

$ export KUBECONFIG="${KUBECONFIG}:config-demo:config-demo-2"

windows

> $Env:KUBECONFIG=("config-demo;config-demo-2")

Append $HOME/.kube/config to your KUBECONFIG environment variable

linux

$ export KUBECONFIG="${KUBECONFIG}:${HOME}/.kube/config"

windows

> $Env:KUBECONFIG="$Env:KUBECONFIG;$HOME\.kube\config"

Clean up

linux
```
$ export KUBECONFIG="$KUBECONFIG_SAVED"
```
windows
```
> $Env:KUBECONFIG=$ENV:KUBECONFIG_SAVED
```

with Proxy

[!NOTE] references:
cheatsheet : Kubectl context and configuration

$ kubectl config set-cluster <k8s-cluster-name> --proxy-url=<my-proxy-url>

# i.e.
$ kubectl config set-cluster development --proxy-url=http://sample.proxy.com:3128

result

apiVersion: v1
kind: Config

clusters:
- cluster:
    proxy-url: http://proxy.example.org:3128
    server: https://k8s.example.org/k8s/clusters/c-xxyyzz
  name: development

users:
- name: developer

contexts:
- context:
  name: development

get info

[!INFO|label:references:]
* imarslo : jsonpath
jsonpath support
JSONPath 支持

basic view

get contexts list

$ kubectl config --kubeconfig=config-demo get-contexts
CURRENT   NAME           CLUSTER       AUTHINFO       NAMESPACE
*         dev-frontend   development   developer      frontend
          dev-storage    development   developer      storage
          exp-test       test          experimenter   default

get current context

$ kubectl config --kubeconfig=config-demo current-context
dev-frontend

get clusters

$ kubectl config --kubeconfig=config-demo get-clusters
NAME
development
test

get users

$ kubectl config --kubeconfig=config-demo get-users
NAME
developer
experimenter

server IP

by cluster name

# get all cluster name
$ kubectl config --kubeconfig=config-demo view -o jsonpath="{.clusters[*].name}"
development test

$ kubectl config --kubeconfig=config-demo view \
                 -o jsonpath='{.clusters[?(@.name == "development")].cluster.server}'
https://1.2.3.4

current in-use via --minify

[!NOTE]

--minify=false:
         Remove all information not used by current-context from the output

$ kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
https://1.2.3.4
# or
$ kubectl config view --minify -o jsonpath="{.clusters[].cluster.server}"
https://1.2.3.4

# more info
$ kubectl config view --minify -o jsonpath="{.clusters[*].name}"
development
# or
$ kubectl config view --minify -o jsonpath="{.clusters[].name}"
development

current in-use via current-context

# or get current cluster IP
$ kubectl config --kubeconfig=config-demo current-context
development
$ kubectl config --kubeconfig=config-demo view \
                 -o jsonpath="{.clusters[?(@.name == \"$(kubectl config --kubeconfig=config-demo current-context)\")].cluster.server}"

get user

$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[*].name}'
developer experimenter

get password

$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[?(@.name == "experimenter")]}'
{"name":"experimenter","user":{"password":"some-password","username":"exp"}}

$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[?(@.name == "experimenter")].user.password}'
some-password

get key

$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[?(@.name == "developer")]}'
{"name":"developer","user":{"client-certificate":"fake-cert-file","client-key":"fake-key-seefile"}}
# or via base64 decoding
$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[?(@.name == "developer")]}' | base64 -d
    --minify=false:
  Remove all information not used by current-context from the output
$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[?(@.name == "developer")].user.client-key}'
fake-key-seefile
# or via base64 decoding
$ kubectl config --kubeconfig=config-demo view -o jsonpath='{.users[?(@.name == "developer")].user.client-key}' | base64 -d

kubeadm-cfg.yml

[!NOTE|label:references:]
Certificate Management with kubeadm

$ kubectl get cm kubeadm-config -n kube-system -o=jsonpath="{.data.ClusterConfiguration}"

have fun

view config details

exec >/tmp/output &&
CONTEXT_NAME=kubernetes-admin@kubernetes \
CONTEXT_CLUSTER=$(kubectl config view -o=jsonpath="{.contexts[?(@.name==\"${CONTEXT_NAME}\")].context.cluster}") \
CONTEXT_USER=$(kubectl config view -o=jsonpath="{.contexts[?(@.name==\"${CONTEXT_NAME}\")].context.user}") && \
echo "[" && \
kubectl config view -o=json | jq -j --arg CONTEXT_NAME "$CONTEXT_NAME" '.contexts[] | select(.name==$CONTEXT_NAME)' && \
echo "," && \
kubectl config view -o=json | jq -j --arg CONTEXT_CLUSTER "$CONTEXT_CLUSTER" '.clusters[] | select(.name==$CONTEXT_CLUSTER)' && \
echo "," && \
kubectl config view -o=json | jq -j --arg CONTEXT_USER "$CONTEXT_USER" '.users[] | select(.name==$CONTEXT_USER)' && \
echo -e "\n]\n" && \
exec >/dev/tty && \
cat /tmp/output | jq && \
rm -rf /tmp/output

$ kubectl config view -o json |
  jq '. as $o
        | ."current-context" as $current_context_name
        | $o.contexts[] | select(.name == $current_context_name) as $context
        | $o.clusters[] | select(.name == $context.context.cluster) as $cluster
        | $o.users[] | select(.name == $context.context.user) as $user
        | {"current-context-name": $current_context_name, context: $context, cluster: $cluster, user: $user}'

Previousevents Nextkubelet

Last updated 1 year ago

hashtagstep by step

hashtagdefining clusters

hashtagdefining users

hashtagdefining contexts

hashtagsetup default namespacearrow-up-right

hashtaguse contexts

hashtagOpenID Connect ( OIDC )

hashtagConfigure Access to Multiple Clustersarrow-up-right

hashtagCreate a second configuration filearrow-up-right

hashtagClean uparrow-up-right

hashtagwith Proxyarrow-up-right

hashtagget info

hashtagbasic view

hashtagserver IP

hashtagget user

hashtagget password

hashtagget key

hashtagkubeadm-cfg.yml

hashtaghave fun