Skip to main content
Version: v0.13.2

get-kubeconfig

Obtain a kubeconfig file that uses ack-ram-tool as the credential plugin.

It has the following features:

  • Automatically obtains a new certificate before the certificate expires.
  • Supports using temporary certificate.
  • Integrate ack-ram-authenticator.

Usage

$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e***

kind: Config
apiVersion: v1
clusters:
- name: kubernetes
cluster:
server: https://106.*.*.*:6443
certificate-authority-data: LS0tL***
contexts:
- name: 272***-c5e***
context:
cluster: kubernetes
user: "272***"
current-context: 272***-c5e***
users:
- name: "272***"
user:
exec:
command: ack-ram-tool
args:
- credential-plugin
- get-credential
- --cluster-id
- c5e***
- --api-version
- v1beta1
- --expiration
- 3h
- --log-level
- error
apiVersion: client.authentication.k8s.io/v1beta1
provideClusterInfo: false
interactiveMode: Never
preferences: {}

$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e*** > kubeconfig
$ kubectl --kubeconfig kubeconfig get ns
NAME STATUS AGE
default Active 6d3h
kube-node-lease Active 6d3h
kube-public Active 6d3h
kube-system Active 6d3h

--mode ram-authenticator-token

$ ack-ram-tool credential-plugin get-kubeconfig --mode ram-authenticator-token --cluster-id c5e***

kind: Config
apiVersion: v1
clusters:
- name: kubernetes
cluster:
server: https://106.*.*.*:6443
certificate-authority-data: LS0t***
contexts:
- name: 272***-c5e***
context:
cluster: kubernetes
user: "272***"
current-context: 272***-c5e***
users:
- name: "272***"
user:
exec:
command: ack-ram-tool
args:
- credential-plugin
- get-token
- --cluster-id
- c5e***
- --api-version
- v1beta1
- --log-level
- error
apiVersion: client.authentication.k8s.io/v1beta1
provideClusterInfo: false
interactiveMode: Never
preferences: {}

Flags

Usage:
ack-ram-tool credential-plugin get-kubeconfig [flags]

Flags:
--api-version string v1 or v1beta1 (default "v1beta1")
-c, --cluster-id string The cluster id to use
--credential-cache-dir string Directory to cache certificate (default "~/.kube/cache/ack-ram-tool/credential-plugin")
--expiration duration The certificate expiration (default 3h0m0s)
-h, --help help for get-kubeconfig
-m, --mode string credential mode: certificate or ram-authenticator-token (default "certificate")
--private-address Use private ip as api-server address

Global Flags:
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli
--ignore-env-credentials don't try to parse credentials from environment variables
--log-level string log level: info, debug, error (default "info")
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials)
--profile-name string using this named profile when parse credentials from config.json of aliyun cli
--region-id string The region to use (default "cn-hangzhou")

Descriptions:

FlagDefaultRequiredDescription
-c, --cluster-idYesCluster ID
-m, --modecertificateAuthentication methods in kubeconfig: certificate indicates certificate authentication, and ram-authenticator-token indicates token authentication based on ack-ram-authenticator
--expiration3hWhen --mode is set to certificate, set the certificate expiration time through this parameter. When it is 0, it means not to use a temporary certificate but to use a longer valid certificate (the expiration time is automatically determined by the server).
--private-addressfalseWhether to use the intranet API server address?
--api-versionv1beta1Specify which version of apiVersion to use in the returned data. v1beta1 represents client.authentication.k8s.io/v1beta1, and v1 represents client.authentication.k8s.io/v1.
--credential-cache-dir~/.kube/cache/ack-ram-tool/credential-pluginThe directory used to cache the certificate is only valid when --mode is set to certificate