How to fetch import cluster information?

Problem description

Obtain the configuration required to connect to the import cluster so that the platform can be authorized to access and manage it. This section provides the steps to retrieve the import cluster information.

Prerequisites

A working kubectl environment. For public cloud clusters, it is strongly recommended to use the provider's CloudShell. If CloudShell is not available, Linux or macOS is recommended.
You have obtained the import cluster's KubeConfig file and copied it to the environment where kubectl is installed. To avoid operating on the wrong environment, it is strongly recommended to use one of the following non-destructive approaches:
- Backup approach: Copy your existing kubeconfig to a safe location first: cp "${HOME}/.kube/config" "${HOME}/.kube/config.backup"
- Isolated approach: Set the KUBECONFIG environment variable to point to the imported kubeconfig: export KUBECONFIG="/path/to/imported/kubeconfig"
- Merge approach: Use kubectl's merge/flatten without losing existing contexts:
  1. export KUBECONFIG="/path/to/imported/kubeconfig:${HOME}/.kube/config"
  2. kubectl config view --flatten > "${HOME}/.kube/merged.kubeconfig"
  3. export KUBECONFIG="${HOME}/.kube/merged.kubeconfig"

Get cluster information

Get cluster token

Run the following commands:

# [Important] The following operations support bash only

# Manually create a secret, bind a service account, and generate a non-expiring token
kubectl get ns cpaas-system > /dev/null 2>&1 || kubectl create namespace cpaas-system
kubectl create serviceaccount k8sadmin -n cpaas-system
kubectl create clusterrolebinding k8sadmin --clusterrole=cluster-admin --serviceaccount=cpaas-system:k8sadmin

cat | kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: k8sadmin
  namespace: cpaas-system
  annotations:
    kubernetes.io/service-account.name: "k8sadmin"
type: kubernetes.io/service-account-token
EOF

kubectl -n cpaas-system describe secret \
    $(kubectl -n cpaas-system get secret | (grep k8sadmin || echo "$_") | awk '{print $1}') \
    | grep -F 'token:' | awk '{print $2}'

WARNING

This procedure creates a cluster-admin credential intended to be non-expiring.

Prefer least-privilege RBAC scoped to required resources if possible.
Store the token securely; rotate/revoke when no longer needed.
Limit who can read Secret objects in cpaas-system.

An example of the token obtained in the previous step is shown below.
Validate the token expiration.

Use any tool that supports parsing JWT tokens to analyze the token and confirm its expiration time. If you can find an expiration field in the parsed result (a key containing "exp", as shown below), the platform will be unable to manage the import cluster after that time. In this case, stop and contact technical support.

TIP

The expiration is recorded as "exp": 1684486916, in the original JWT payload. The value is a UNIX timestamp and can be converted to UTC time.

Cleanup (revoke access) when done:

kubectl delete clusterrolebinding k8sadmin
kubectl -n cpaas-system delete secret k8sadmin
kubectl -n cpaas-system delete serviceaccount k8sadmin

Get the import cluster API server address and CA certificate

TIP

If you have already obtained the API server address and CA certificate using the platform's Parse KubeConfig File feature on the import cluster page, skip this step.

Run the following commands:

# View the import cluster API server addresses. There may be multiple addresses; choose the one that fits your environment.
kubectl --kubeconfig "${KUBECONFIG:-${HOME}/.kube/config}" config view --show-managed-fields=false --flatten --raw -ojsonpath='{$.clusters..cluster.server}'
addr_apiserver='<Selected API server address>'

# Get the CA certificate for the API server specified above
kubectl --kubeconfig "${KUBECONFIG:-${HOME}/.kube/config}" config view --show-managed-fields=false --flatten --raw \
    -ojsonpath="{$.clusters[?(@.cluster.server == '${addr_apiserver}')].cluster.certificate-authority-data}" \
    | { base64 -d 2>/dev/null || base64 -D; }

View full docs as PDF

How to fetch import cluster information?

Problem description

Prerequisites

A working kubectl environment. For public cloud clusters, it is strongly recommended to use the provider's CloudShell. If CloudShell is not available, Linux or macOS is recommended.
You have obtained the import cluster's KubeConfig file and copied it to the environment where kubectl is installed. To avoid operating on the wrong environment, it is strongly recommended to use one of the following non-destructive approaches:
- Backup approach: Copy your existing kubeconfig to a safe location first: cp "${HOME}/.kube/config" "${HOME}/.kube/config.backup"
- Isolated approach: Set the KUBECONFIG environment variable to point to the imported kubeconfig: export KUBECONFIG="/path/to/imported/kubeconfig"
- Merge approach: Use kubectl's merge/flatten without losing existing contexts:
  1. export KUBECONFIG="/path/to/imported/kubeconfig:${HOME}/.kube/config"
  2. kubectl config view --flatten > "${HOME}/.kube/merged.kubeconfig"
  3. export KUBECONFIG="${HOME}/.kube/merged.kubeconfig"

Get cluster information

Get cluster token

Run the following commands:

# [Important] The following operations support bash only

# Manually create a secret, bind a service account, and generate a non-expiring token
kubectl get ns cpaas-system > /dev/null 2>&1 || kubectl create namespace cpaas-system
kubectl create serviceaccount k8sadmin -n cpaas-system
kubectl create clusterrolebinding k8sadmin --clusterrole=cluster-admin --serviceaccount=cpaas-system:k8sadmin

cat | kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: k8sadmin
  namespace: cpaas-system
  annotations:
    kubernetes.io/service-account.name: "k8sadmin"
type: kubernetes.io/service-account-token
EOF

kubectl -n cpaas-system describe secret \
    $(kubectl -n cpaas-system get secret | (grep k8sadmin || echo "$_") | awk '{print $1}') \
    | grep -F 'token:' | awk '{print $2}'

WARNING

This procedure creates a cluster-admin credential intended to be non-expiring.

Prefer least-privilege RBAC scoped to required resources if possible.
Store the token securely; rotate/revoke when no longer needed.
Limit who can read Secret objects in cpaas-system.

An example of the token obtained in the previous step is shown below.
Validate the token expiration.

Use any tool that supports parsing JWT tokens to analyze the token and confirm its expiration time. If you can find an expiration field in the parsed result (a key containing "exp", as shown below), the platform will be unable to manage the import cluster after that time. In this case, stop and contact technical support.

TIP

The expiration is recorded as "exp": 1684486916, in the original JWT payload. The value is a UNIX timestamp and can be converted to UTC time.

Cleanup (revoke access) when done:

kubectl delete clusterrolebinding k8sadmin
kubectl -n cpaas-system delete secret k8sadmin
kubectl -n cpaas-system delete serviceaccount k8sadmin

Get the import cluster API server address and CA certificate

TIP

If you have already obtained the API server address and CA certificate using the platform's Parse KubeConfig File feature on the import cluster page, skip this step.

Run the following commands:

# View the import cluster API server addresses. There may be multiple addresses; choose the one that fits your environment.
kubectl --kubeconfig "${KUBECONFIG:-${HOME}/.kube/config}" config view --show-managed-fields=false --flatten --raw -ojsonpath='{$.clusters..cluster.server}'
addr_apiserver='<Selected API server address>'

# Get the CA certificate for the API server specified above
kubectl --kubeconfig "${KUBECONFIG:-${HOME}/.kube/config}" config view --show-managed-fields=false --flatten --raw \
    -ojsonpath="{$.clusters[?(@.cluster.server == '${addr_apiserver}')].cluster.certificate-authority-data}" \
    | { base64 -d 2>/dev/null || base64 -D; }

Node Management

Managed Clusters

Import Clusters

Public Cloud Cluster Initialization

Network Initialization

Storage Initialization

How to

How to

Backup Management

Recovery Management

Architecture

Concepts

Guides

How To

Trouble Shooting

Concepts

Guides

How To

Troubleshooting

Install

Concepts

Guides

How To

Disaster Recovery

Concepts

Guides

How To

Guides

Compliance

Install

API Refiner

User

Guides

Group

Guides

Role

Guides

IDP

Guides

Troubleshooting

User Policy

Guides

Overview

Images

Guides

How To

Virtual Machine

Guides

How To

Troubleshooting

Network

Guides

How To

Storage

Guides

Backup and Recovery

Guides

Concepts

Concepts

Guides

Namespaces

Pre-Application-Creation Preparation

Creating Applications

Post-Application-Creation Configuration

Operation and Maintenance

Application Observability

Workloads

Pod

Container

How To

Install

How To

Install

Guides

How To

Concepts

Guides

Argo CD Concept

Alauda Container Platform GitOps Concepts

Creating GitOps Application