• Cloud Container Engine

  1. Help Center
  2. Cloud Container Engine
  3. API Reference
  4. Appendix
  5. Using kubectl to Access a Container Cluster

Using kubectl to Access a Container Cluster

This section describes how to access container clusters using the native kubectl.


The native kubectl is run on an ECS and can access container clusters only if all of the following conditions are met:

  • The ECS that runs the native kubectl and the container cluster that will be accessed belong to the same VPC, as shown in Figure 1.
  • The security group rules listed in Table 1 have been defined for the ECS.
Figure 1 Internet users accessing the Kubernetes master
Table 1 Security group rules for the ECS that runs the native kubectl


Transfer Direction

Port Range

Source IP Address




Private IP address of the Kubernetes master





For more information about security groups and security group rules, see Help Center > Virtual Private Cloud > User Guide > Security > Security Group on the management console.


  • The binary file of the native kubectl is available.

    For details on how to obtain the binary file, visit https://kubernetes.io/docs/tasks/tools/install-kubectl. The kubectl version 1.5 or later is recommended.

  • The ECS that meets the requirements described in Background has been created.

    For more information about creating an ECS, choose Help Center > Elastic Cloud Server > User Guide > Getting Started > Creating an ECS on the management console.


  1. Obtain a token.

    For details, see section "Obtaining User Token" in Identity and Access Management API Reference. After the request is processed, a response is returned. The value of X-Subject-Token in the response header is the token value.

  2. Log in to the CCE console. Click Cluster Manager in the navigation pane.
  3. On the Cluster Manager page, select a target container cluster, view the basic cluster information, and obtain the Cluster UUID.
  4. Obtain the endpoint information (such as the service address and port) as well as certificates cacrtclientcrt, and clientkey by referring to Obtaining Certificates for Accessing a Container Cluster. You need to save the values of the cacrtclientcrt, and clientkey fields returned by the API as three different files respectively.

    Convert \n contained in the values of the three fields into a linefeed. It is advisable to run the echo -e 'xxxxxxxxx'>filename command to save files. In this command, "xxxxxxxxx" indicates the value of the cacrtclientcrt, or clientkey field.

  5. Log in to the ECS server.
  6. Copy the certificates obtained in 4 to the ECS server.


    Select a directory according to actual needs to save the binary file.

  7. Copy the binary file of the native kubectl to the ECS that will run the native kubectl.


    Select a directory according to actual needs to save the binary file.

  8. Go to the directory where the kubectl binary file is stored.
  9. Run the following commands to configure kubectl so that kubectl can access the container cluster.

    ./kubectl config set-cluster {cluster name} --server={endpoint} --certificate-authority={cacrt file}

    ./kubectl config set-credentials {user name} --certificate-authority={cacrt file} --client-key={clientkey file} --client-certificate={clientcrt file}

    ./kubectl config set-context {context name} --cluster={cluster name} --user={user name}

    ./kubectl config set current-context {context name}


    ./kubectl config set-cluster default-cluster --server= --certificate-authority=cacrt 
    ./kubectl config set-credentials default-admin --certificate-authority=cacrt --client-key=kubekey --client-certificate=kubecrt 
    ./kubectl config set-context default-context --cluster=default-cluster --user=default-admin 
    ./kubectl config set current-context default-context

    In these commands:

    • Set {endpoint} to the value that you obtained in 4.
    • Respectively set {cacrt file}{clientcrt file}{clientkey file} as the paths to the three certificate files cacrtclientcrt, and clientkey that you have saved in 4.
    • Configure {cluster name}{user name}, and {context name} based on the actual situations.

  10. Run the following command to check whether kubectl is correctly configured:

    ./kubectl get nodes

    If all nodes of the container cluster are displayed in the command output, kubectl has successfully interconnected with the container cluster.