
Access and manage the cluster with kubectl

In addition to the MKE 4k Dashboard, you can access and manage your MKE 4k cluster using kubectl with a kubeconfig file.

In MKE 4k, the kubeconfig file uses mkectl as an exec-based authentication plugin for the MKE 4k cluster. As such, to access the cluster using kubectl, you must have mkectl installed and available in your PATH environment variable.

Run the following command to verify mkectl installation:

mkectl version

The mkectl version must be v4.1.3 or later.

Notes

  • The default kubeconfig path is ~/.mke/mke.kubeconf for all commands.
  • mkectl recognizes the KUBECONFIG environment variable for the kubeconfig path.
  • You can change the kubeconfig path using the --kubeconfig flag or the KUBECONFIG environment variable.
  • The precedence order for the kubeconfig path is:

    (1) --kubeconfig flag

    (2) KUBECONFIG environment variable

    (3) ~/.mke/mke.kubeconf (default value)

  • If you are an admin user who previously provisioned the cluster with the mkectl apply command, your kubeconfig file already exists at ~/.mke/mke.kubeconf.

    To create a kubeconfig file for other cluster users, use the mkectl kubeconfig command with a valid mke4.yaml configuration file:

    mkectl kubeconfig -f mke4.yaml > /path/to/kube.conf
    

Obtain the kubeconfig file

To generate the kubeconfig file for use with kubectl, you can:

  • Log in to MKE 4k using mkectl
  • Download the kubeconfig file from the MKE 4k Dashboard

Use mkectl to generate the kubeconfig file:

  1. Log in using mkectl:

    mkectl login --cluster-ca-file /path/to/cluster-ca.pem --ca-file /path/to/client-ca.pem
    

    Tip

    cluster-ca.pem is the CA certificate for the Kube API server and client-ca.pem is the CA certificate for the ingress controller. Once a cluster has been created using the mkectl apply command, an MKE 4k admin can find these certificates at ~/.mke/cluster-ca.pem and ~/.mke/client-ca.pem.

    If your cluster uses custom TLS certificates for ingress and these certificates are trusted by your system, you can omit the --ca-file option.

  2. At the prompt, enter the cluster address. This will cause your browser to open at the MKE 4k login page.

  3. Log in to MKE 4k. Doing so will create the kubeconfig file at the ~/.mke/mke.kubeconf default location.

  4. Use the kubeconfig file by:

    • Specifying the KUBECONFIG environment variable:

      export KUBECONFIG=~/.mke/mke.kubeconf
      

    — OR —

    • Using the --kubeconfig flag:

      kubectl --kubeconfig ~/.mke/mke.kubeconf cluster-info
      

Download the kubeconfig file using the MKE 4k Dashboard:

  1. Log in to the MKE 4k Dashboard.

  2. Click your username in the top right corner to display the dropdown menu.

  3. Select Download Kubeconfig from the dropdown menu.

The kubeconfig file downloads as mke.kubeconfig, with an accompanying notification that contains user instructions.

Example generated mke.kubeconfig file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded-cluster-ca>
    server: https://<cluster-external-address>:6443
  name: mke
contexts:
- context:
    cluster: mke
    user: mkectl
  name: mke
current-context: mke
kind: Config
users:
- name: mkectl
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - get-token
      - --address=<cluster-external-address>
      - --ca-data=<base64-encoded-ingress-ca>
      command: mkectl
      env: null
      interactiveMode: Never
      provideClusterInfo: false

Set kubeconfig file expiration

For authentication, MKE 4k kubeconfig files use OAuth 2.0 refresh tokens. By default, refresh tokens do not expire, so a kubeconfig file stays usable indefinitely; to enhance security, set an expiration time for the tokens in the mke4.yaml configuration file.

Once the refresh token expires, users can still run operations on the cluster until the ID token expires. For this reason, Mirantis recommends that you set a very short expiration time for the ID tokens and a longer expiration time for the refresh tokens.

When the refresh token expires or is revoked by the admin, the kubectl command prompts you to log in again by opening the MKE 4k login page in the browser. Refer to Authentication configuration for more details.

Revoke Access

Cluster admins can see and revoke the refresh tokens that are issued to users.

To view the list of refresh tokens:

kubectl --kubeconfig ~/.mke/mke.kubeconf get refreshtoken -n mke -o custom-columns="TOKEN ID:.metadata.name,USERNAME:.claims.email,CLIENT:.clientID"

Example output:

TOKEN ID                    USERNAME   CLIENT
seofzsgiah42cyw5vk6qovhe7   alice      mkectl
abcsefcyw5vghkqskb24bzzz8   bob        mkectl
vpqsefld54fpgkqskb24bpeh5   bob        mke-dashboard

To revoke a refresh token, delete the token by its ID:

kubectl --kubeconfig ~/.mke/mke.kubeconf delete refreshtoken <TOKEN ID> -n mke

Following this, the user can only get a new refresh token by logging back into the system.
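The following script is an added example, not part of the MKE 4k documentation: it wraps the two kubectl commands above to revoke every refresh token issued to one user (for example when offboarding), optionally limited to one client such as mkectl or mke-dashboard. It assumes kubectl is installed and that the admin kubeconfig lives at ~/.mke/mke.kubeconf (override with KUBECONFIG_PATH); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the MKE 4k docs): revoke all refresh tokens of one
# user via the refreshtoken resources in the mke namespace shown on this page.
# Assumes kubectl and an admin kubeconfig at ~/.mke/mke.kubeconf.
# Usage: ./revoke-user-tokens.sh <username> [mkectl|mke-dashboard]
set -eu

KUBECONFIG_PATH="${KUBECONFIG_PATH:-$HOME/.mke/mke.kubeconf}"

# Print one "TOKEN_ID USERNAME CLIENT" row per refresh token, without a header.
list_refresh_tokens() {
    kubectl --kubeconfig "$KUBECONFIG_PATH" get refreshtoken -n mke --no-headers \
        -o custom-columns="TOKEN ID:.metadata.name,USERNAME:.claims.email,CLIENT:.clientID"
}

# Filter the listing on stdin down to the token IDs owned by user $1.
# An optional client name in $2 narrows the match; a header row is skipped.
tokens_for_user() {
    awk -v u="$1" -v c="${2:-}" '$1 != "TOKEN" && $2 == u && (c == "" || $3 == c) { print $1 }'
}

# Delete each matching token and print how many were revoked, so the caller
# can record the result; kubectl's own output goes to stderr.
revoke_user_tokens() {
    user="$1"; client="${2:-}"; count=0
    for id in $(list_refresh_tokens | tokens_for_user "$user" "$client"); do
        kubectl --kubeconfig "$KUBECONFIG_PATH" delete refreshtoken "$id" -n mke >&2
        count=$((count + 1))
    done
    echo "$count"
}

# When run as a script, revoke the tokens of the user named on the command line.
if [ "${1:-}" != "" ]; then
    echo "revoked $(revoke_user_tokens "$1" "${2:-}") refresh token(s) for $1"
fi
```

After the run, the user is logged out of every matching client and must log in to MKE 4k again to obtain a new refresh token.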