Access and manage the cluster with kubectl
In addition to the MKE 4k Dashboard, you can access and manage your MKE 4k cluster using kubectl with a kubeconfig file.
In MKE 4k, the kubeconfig file uses mkectl as an exec-based authentication plugin for the MKE 4k cluster. As such, to access the cluster using kubectl you must have mkectl installed and available in your PATH environment variable.
Run the following command to verify mkectl installation:
mkectl version
The mkectl version must be v4.1.2 or later.
Create a kubeconfig file
Notes
- The default kubeconfig path is ~/.mke/mke.kubeconf for all commands.
- mkectl recognizes the KUBECONFIG environment variable for the kubeconfig path.
- You can change the kubeconfig path using the --kubeconfig flag or the KUBECONFIG environment variable.
- The precedence order for the kubeconfig path is:
  (1) --kubeconfig flag
  (2) KUBECONFIG environment variable
  (3) ~/.mke/mke.kubeconf (default value)

- If you are an admin user who previously provisioned the cluster with the mkectl apply command, your kubeconfig file already exists at ~/.mke/mke.kubeconf. To create a kubeconfig file for other cluster users, use the mkectl kubeconfig command with a valid mke4.yaml configuration file:
  mkectl kubeconfig -f mke4.yaml > /path/to/kube.conf
- Log in using mkectl:
  mkectl login --cluster-ca-file /path/to/cluster-ca.pem --ca-file /path/to/client-ca.pem
  Tip
  cluster-ca.pem is the CA certificate for the Kube API server and client-ca.pem is the CA certificate for the ingress controller. Once a cluster has been created using the mkectl apply command, an MKE 4k admin can find these certificates at ~/.mke/cluster-ca.pem and ~/.mke/client-ca.pem. If your cluster uses custom TLS certificates for ingress and these certificates are trusted by your system, you can omit the --ca-file option.
- At the prompt, enter the cluster address. This opens the MKE 4k login page in your browser.
- Log in to MKE 4k. On doing so, the kubeconfig file is created at the default location, ~/.mke/mke.kubeconf.
- Use the kubeconfig file by either:
  - Specifying the KUBECONFIG environment variable:
    export KUBECONFIG=~/.mke/mke.kubeconf
  — OR —
  - Using the --kubeconfig flag:
    kubectl --kubeconfig ~/.mke/mke.kubeconf cluster-info
Set kubeconfig file expiration
For authentication, MKE 4k kubeconfig files use OAuth 2.0 refresh tokens. By default, refresh tokens do not expire; thus, to enhance security, you should set an expiration time for the tokens in the mke4.yaml configuration file.
Once the refresh token expires, users can still run operations on the cluster until the ID token expires. For this reason, Mirantis recommends that you set a very short expiration time for the ID tokens and a longer expiration time for the refresh tokens.
When the refresh token has expired or has been revoked by an admin, the kubectl command prompts you to log in again by opening the MKE 4k login page in the browser. Refer to Authentication configuration for more details.
Revoke Access
Cluster admins can see and revoke the refresh tokens that are issued to users.
To view the list of refresh tokens:
kubectl --kubeconfig ~/.mke/mke.kubeconf get refreshtoken -n mke -o custom-columns="TOKEN ID:.metadata.name,USERNAME:.claims.email,CLIENT:.clientID"
Example output:
TOKEN ID USERNAME CLIENT
seofzsgiah42cyw5vk6qovhe7 alice mkectl
abcsefcyw5vghkqskb24bzzz8 bob mkectl
vpqsefld54fpgkqskb24bpeh5 bob mke-dashboard
To revoke a refresh token, delete the token by its ID:
kubectl --kubeconfig ~/.mke/mke.kubeconf delete refreshtoken <TOKEN ID> -n mke
Following this, the user can only get a new refresh token by logging back into the system.
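The listing and revocation steps above combined into one script, as an added example that is not part of the MKE documentation: it filters the refresh-token listing by user (and optionally by client) so that all of a departing user's tokens can be revoked in one pass. The sample listing is constructed from the example output above; the function names and the DRY_RUN variable are assumptions, and kubectl is only invoked when DRY_RUN=0.

```shell
#!/usr/bin/env sh
# Constructed sample: the same custom-columns layout the page's listing command prints.
SAMPLE_TOKENS='TOKEN ID USERNAME CLIENT
seofzsgiah42cyw5vk6qovhe7 alice mkectl
abcsefcyw5vghkqskb24bzzz8 bob mkectl
vpqsefld54fpgkqskb24bpeh5 bob mke-dashboard'

# Same precedence as mkectl: KUBECONFIG if set, otherwise the default path.
KUBECONFIG_PATH="${KUBECONFIG:-$HOME/.mke/mke.kubeconf}"

# list_tokens prints every refresh token in the mke namespace (the page's listing command).
list_tokens() {
  kubectl --kubeconfig "$KUBECONFIG_PATH" get refreshtoken -n mke \
    -o custom-columns="TOKEN ID:.metadata.name,USERNAME:.claims.email,CLIENT:.clientID"
}

# tokens_for_user reads that listing on stdin and prints the token IDs issued to user $1,
# optionally restricted to client $2 (mkectl or mke-dashboard). The header line is skipped.
tokens_for_user() {
  user="$1"; client="${2:-}"
  awk -v u="$user" -v c="$client" 'NR > 1 && $2 == u && (c == "" || $3 == c) { print $1 }'
}

# revoke_user_tokens deletes every refresh token held by a user. With DRY_RUN=1 (the
# default, an assumption of this script) it only prints the delete commands it would run.
revoke_user_tokens() {
  user="$1"
  ids=$(list_tokens | tokens_for_user "$user")
  [ -n "$ids" ] || { echo "no refresh tokens found for $user" >&2; return 1; }
  for id in $ids; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "kubectl --kubeconfig $KUBECONFIG_PATH delete refreshtoken $id -n mke"
    else
      kubectl --kubeconfig "$KUBECONFIG_PATH" delete refreshtoken "$id" -n mke
    fi
  done
}

# Offline demonstration against the constructed listing: prints both of bob's token IDs.
printf '%s\n' "$SAMPLE_TOKENS" | tokens_for_user bob

# Against a live cluster: REVOKE_USER=bob DRY_RUN=0 sh revoke-tokens.sh
if [ -n "${REVOKE_USER:-}" ]; then
  revoke_user_tokens "$REVOKE_USER"
fi
```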