Accessing a TKE cluster through kubectl in a pod

2022-06-24 03:11:00 Nieweixing

Cloud vendors now all offer managed Kubernetes services, each with a visual front end for accessing the resources in a cluster, and TKE clusters are no exception. As a Kubernetes user, though, accessing the cluster with kubectl is essential: the TKE console does not display every resource type (some custom CRDs, for example, can only be viewed from the command line), and even though the console is there for quick checks, many experienced users still prefer the command line. Permissions on the cloud are generally strictly controlled, however. You may have only console permissions and no permission to log in to the machines, or your cluster may not have public network access enabled and can be reached only over the intranet. How can you use kubectl to access the cluster in that case?

Here we deploy a kubectl pod inside the TKE cluster and use it as a client to access the cluster's apiserver. The prerequisite is that you can operate the TKE cluster from the console.

1. Mount the cluster kubeconfig through a ConfigMap

1.1 Get the kubeconfig from the console

If you can operate the TKE cluster from the console, the kubeconfig under your account has permissions on the cluster. Get the kubeconfig from the cluster's basic information page.

1.2 Get the cluster apiserver's internal access IP address

Because kubectl runs in a pod inside the cluster, we can reach the apiserver through its ClusterIP. Get the ClusterIP of the kubernetes Service in the default namespace; the port is 443.

1.3 Create the ConfigMap

Modify the YAML below as a reference and use a ConfigMap to mount the revised kubeconfig into the pod. Note that the clusters.cluster.server field in the kubeconfig file obtained from the console must be replaced with https://<ClusterIP of the kubernetes svc>:443.

apiVersion: v1
data:
  config: |-
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZ
        server: https://172.16.0.1:443
      name: cls-xxxx
    contexts:
    - context:
        cluster: cls-xxxx
        user: "xxxxx"
      name: cls-xxxx-xxxxx-context-default
    current-context: cls-xxxx-xxxxx-context-default
    kind: Config
    preferences: {}
    users:
    - name: "xxxxx"
      user:
        client-certificate-data: LS0tLS1CRUdJTiBDRVJU
        client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVk
kind: ConfigMap
metadata:
  name: config
  namespace: tke-test
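
The server rewrite from steps 1.2 and 1.3, as an added example that is not part of the original post: a POSIX shell function that replaces the server field of a kubeconfig read on stdin. The function names, the sample kubeconfig and its example.invalid hostname are constructed for illustration; 172.16.0.1 is the address used in the post's YAML.

```shell
#!/bin/sh
# Added example (not from the original post). Implements step 1.3: point the
# console kubeconfig at the in-cluster API server address.

# rewrite_server CLUSTER_IP
# Reads a kubeconfig on stdin and prints it with every "server:" value
# replaced by https://CLUSTER_IP:443. Fails if the argument is not an IPv4
# address or if the input has no "server:" line to replace.
rewrite_server() {
  ip=$1
  if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "not an IPv4 address: $ip" >&2
    return 1
  fi
  out=$(sed -E "s#^([[:space:]]*server:[[:space:]]*).*#\1https://${ip}:443#")
  # Guard against pasting the wrong file: there must be something to rewrite.
  printf '%s\n' "$out" | grep -qF "server: https://${ip}:443" || {
    echo "no server: field found in input" >&2
    return 1
  }
  printf '%s\n' "$out"
}

# Constructed sample standing in for the kubeconfig downloaded from the
# console; the server hostname is a placeholder, the rest mirrors the post.
sample_kubeconfig() {
  cat <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://cls-xxxx.example.invalid
  name: cls-xxxx
kind: Config
EOF
}

# Demo on the sample. Against a real cluster the address would come from:
#   kubectl get svc kubernetes -n default -o jsonpath='{.spec.clusterIP}'
sample_kubeconfig | rewrite_server 172.16.0.1
```

The rewritten output is what goes under data.config in the ConfigMap above. Because it carries client-key-data, a Secret mounted at the same path with the same subPath is the usual choice for real credentials.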

2. Deploy the kubectl workload

Here we deploy the workload and mount the ConfigMap so that kubectl can read the kubeconfig directly from its default location. Because the kubectl image has no resident process, sleep is used as the pod's resident process; otherwise the pod would not stay up.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: kubectl
    qcloud-app: kubectl
  name: kubectl
  namespace: tke-test
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kubectl
      qcloud-app: kubectl
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: kubectl
        qcloud-app: kubectl
    spec:
      containers:
      - args:
        - 3600d
        command:
        - sleep
        image: mohamedltaief/kubctl-helm:latest
        imagePullPolicy: Always
        name: kubectl
        resources:
          limits:
            cpu: 500m
            memory: 1Gi
          requests:
            cpu: 250m
            memory: 256Mi
        securityContext:
          privileged: false
        volumeMounts:
        - mountPath: /root/.kube/config
          name: vol
          subPath: config
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: qcloudregistrykey
      restartPolicy: Always
      volumes:
      - configMap:
          defaultMode: 420
          name: config
        name: vol

3. Test access to the cluster

After the pod starts successfully, log in to the pod and run kubectl. If the cluster information can be viewed, access is working.

Copyright notice
This article was written by [Nieweixing]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/10/20211015180407932N.html