
Instructions on Stopping Delivering the Kubeconfig File to Nodes

Last updated: 2024-12-13 15:46:01
Note
TKE plans to carry out an operation from 23:00 September 21 (Monday) to 06:00 September 22 (Tuesday), 2020 UTC+8 to stop delivering the Kubeconfig file.

Background

Currently, TKE stores a Kubeconfig file containing the admin token on nodes by default. This file makes it easy to operate on the Kubernetes cluster from a node. However, if login permissions for nodes are not managed carefully, the cluster may face security risks. Therefore, we decided to stop delivering the Kubeconfig file.
Existing clusters may use the Kubeconfig file in user-defined scripts to perform cluster initialization. To solve this issue, we will provide a client certificate for node initialization that has the same permissions as the Kubeconfig file but is valid for only 12 hours. After the certificate expires, the Kubeconfig file becomes invalid. If you still need the file after it expires, refer to Issues and Solutions.

Issues and Solutions

Symptoms

If you log in to a TKE cluster node and run kubectl commands there, you will see the following error messages:
$ kubectl get node
The connection to the server localhost:8080 was refused - did you specify the right host or port?
$ kubectl get node
error: You must be logged in to the server (Unauthorized)

Solutions

1. Log in to the TKE console.
2. Obtain the credential Kubeconfig file of the current account. For more information, see Obtaining credentials.
3. After obtaining the Kubeconfig file, either enable private network access or use the service IP address of Kubernetes directly:
   - Enabling private network access: on the cluster details page, choose Basic Information in the left sidebar, enable Private Network Access in the Cluster API Server information section, and follow the prompts.
   - Using the service IP address of Kubernetes: on the cluster details page, choose Services and Routes > Service in the left sidebar to obtain the service IP address of Kubernetes in the default namespace. Replace the clusters.cluster.server field in the Kubeconfig file with https://<IP>:443.
4. Copy the content of the Kubeconfig file to $HOME/.kube/config on the new node.
5. Access the cluster with the Kubeconfig file and run kubectl get nodes to test connectivity.
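Steps 3 to 5 with the service IP option, as an added example that is not part of the original page or TKE tooling. The function name install_kubeconfig, the sample file and the address 10.0.0.1 are constructed for illustration; restricting the file to mode 0600 is an addition in line with the reason the file was removed from nodes.

```sh
#!/bin/sh
# Added example, not TKE tooling: install a console-issued kubeconfig on a node.
# install_kubeconfig SRC API_IP [DEST]
#   SRC    kubeconfig obtained from the TKE console (assumed single-cluster)
#   API_IP service IP of "kubernetes" in the default namespace
#   DEST   target path, default $HOME/.kube/config
install_kubeconfig() {
    src=$1 ip=$2 dest=${3:-$HOME/.kube/config}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    case $ip in                        # digits and dots only reach sed
        ""|*[!0-9.]*) echo "invalid IP: $ip" >&2; return 1 ;;
    esac
    (
        umask 077                      # new directory 0700, new file 0600
        mkdir -p "$(dirname "$dest")" &&
        sed -E "s#^([[:space:]]*server:[[:space:]]*).*#\1https://${ip}:443#" \
            "$src" > "$dest"
    ) || return 1
    chmod 600 "$dest"                  # tighten a pre-existing file too
    grep -q "server: https://${ip}:443\$" "$dest"   # fail if nothing was rewritten
}

# Demo on a constructed kubeconfig (placeholder values, no real credential).
demo=$(mktemp -d)
cat > "$demo/downloaded" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: cls-example
  cluster:
    server: https://cls-example.example.invalid
EOF
install_kubeconfig "$demo/downloaded" 10.0.0.1 "$demo/.kube/config" &&
    ls -l "$demo/.kube/config" && cat "$demo/.kube/config"
# On a real node, omit DEST and then verify with: kubectl get nodes
rm -rf "$demo"
```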

Handling Special Scenarios

Special scenarios

A workload has mounted the /root/.kube/config or /home/ubuntu/.kube/config file of the host for use.

Solutions

Use a Kubernetes ServiceAccount to access the cluster in in-cluster mode instead of mounting the host's Kubeconfig file. For more information, see Configure Service Accounts for Pods.
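To find workloads that fall under this scenario before the file disappears, the following added example (not part of the original page or TKE tooling) scans manifest files for hostPath volumes pointing at a host kubeconfig. The function name find_host_kubeconfig_mounts and the sample manifest are constructed; the scan assumes block-style YAML with metadata.name indented by two spaces.

```sh
#!/bin/sh
# Added example, not TKE tooling: flag manifests that mount a host kubeconfig.
# find_host_kubeconfig_mounts FILE...
#   prints "file<TAB>kind/name<TAB>path" per hit; exit status 0 if any hit.
# Assumes block-style YAML with metadata.name indented by two spaces.
find_host_kubeconfig_mounts() {
    awk -v q="'" '
        FNR == 1 || /^---/ { kind = ""; name = "" }   # new YAML document
        /^kind:/   && kind == "" { kind = $2 }
        /^  name:/ && name == "" { name = $2 }        # metadata.name
        /^[ \t-]*path:/ {                             # not mountPath:
            p = $NF
            gsub("[\"" q "]", "", p)                  # strip quotes
            if (p ~ "^/(root|home/[^/]+)/[.]kube/config$") {
                printf "%s\t%s/%s\t%s\n", FILENAME, kind, name, p
                hits++
            }
        }
        END { exit(hits ? 0 : 1) }
    ' "$@"
}

# Constructed sample manifest (placeholder names and image).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-init
spec:
  template:
    spec:
      containers:
      - name: tool
        image: registry.example.invalid/tool:1
        volumeMounts:
        - name: kubeconfig
          mountPath: /root/.kube/config
      volumes:
      - name: kubeconfig
        hostPath:
          path: "/home/ubuntu/.kube/config"
EOF
find_host_kubeconfig_mounts "$sample"
rm -f "$sample"
```

Each workload it reports should be moved to a ServiceAccount with only the permissions it needs, after which the hostPath volume can be dropped.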
