We plan to carry out an operation from 23:00 September 21,2020 (Monday) to 06:00 September 22,2020 (Tuesday) UTC+8 to stop delivering the Kubeconfig file.
Currently, TKE stores the Kubeconfig file with the admin token in nodes by default. By using this Kubeconfig file, users can easily operate on Kubernetes clusters. However, if users fail to conduct node login permission management carefully, clusters may face security risks. Therefore, we decided to stop delivering the Kubeconfig file.
Existing clusters may use the Kubeconfig file to perform cluster initialization operations in user-defined scripts. To solve this issue, we will provide a client certificate for node initialization with the same permissions as the Kueconfig file, but with a validity period of only 12 hours. After the certificate expires, the Kubeconfig file will be invalidated. If you still need the file after the expiration, refer to Issues and Solutions.
If you still require default long-term admin permissions instead of a Kubeconfig file whose validity period is only 12 hours for some special scenarios, or if you encounter any other issues, submit a ticket to contact us.
If you prefer to use the following command to log in to a TKE cluster node for kubectl operations, you will be prompted with the following error message:
$ kubectl get node The connection to the server localhost:8080 was refused - did you specify the right host or port?
$ kubectl get node error: You must be logged in to the server (Unauthorized)
$HOME/.kube/configon the new node.
kubectl get nodesto test connectivity.
A workload has mounted the
/home/ubuntu/.kube/config file of the host for use.
Use Kubernetes serviceaccount correctly to access clusters in incluster mode. For more information, see Configure Service Accounts for Pods.