Hello and welcome to this lesson on setting up cluster access. My name is Mahendra Mehra and I am a Senior Training lead and evangelist with Oracle University. Kubeconfig organizes information regarding clusters, namespaces, users, and authentication techniques. By default, it is located in the .kube directory under the user's home directory, with the file name config. If there is any other kubeconfig file, you can refer to it by setting its path in the environment variable KUBECONFIG. There are three sections in this file, namely clusters, users, and contexts. Let's understand each of them one by one. Clusters is a list of cluster objects that hold the information regarding the various clusters the user would like to operate upon using this kubeconfig file. Each cluster object is composed of details about the server and one of the possible authentication details. Users is a list of user objects that hold the information regarding different users of the cluster and their authentication details. Users can authenticate themselves by using certificates, authentication tokens or basic authentication like username and password. Contexts is a list of context objects, each a combination of cluster, username, and namespace. In the example, the context staging-admin means use the credentials of the admin user to access the OCI staged namespace of the staging cluster. It is important to have defined the cluster and the user object under the respective sections of the kubeconfig file so that they are successfully referred to. Finally, there is one field in the kubeconfig file called current-context that sets the default context to be used. Let's understand the kubeconfig file in more detail. The authentication tokens generated by the OCI CLI command in the kubeconfig file are appropriate to authenticate individual users accessing the cluster using kubectl.
The authentication tokens generated by the OCI CLI command in the kubeconfig file are short-lived, cluster-scoped, and specific to individual users. As a result, you cannot share kubeconfig files between users to access Kubernetes clusters. The OCI CLI command in the kubeconfig file uses your current CLI profile when generating an authentication token. If you have defined multiple profiles in different tenancies in the CLI configuration file, you need to set the OCI_CLI_PROFILE environment variable to the name of the profile defined in the CLI configuration file before running kubectl commands. The generated authentication tokens are unsuitable if you want other processes and tools to access the cluster, such as continuous integration and continuous delivery tools. In this case, consider creating a Kubernetes service account and adding its associated authentication token to the kubeconfig file. An IAM policy might have been defined to restrict cluster access to only users that have been verified with multi-factor authentication. If such a policy exists, you have to add the --profile and --auth arguments to the kubeconfig file to enable multi-factor authentication verified users to access the cluster using kubectl. Container Engine for Kubernetes currently supports kubeconfig version 2.0.0 files and no longer supports kubeconfig version 1.0.0 files. Enhancements in kubeconfig version 2.0.0 files provide security improvements for your Kubernetes environment, including short-lived, cluster-scoped tokens with automated refreshing, and support for instance principals to access Kubernetes clusters. Let's also understand the kubectl tool. The Kubernetes command line tool, kubectl, is used to perform operations on a cluster. Before you can use kubectl to access a cluster, you have to specify the cluster on which to perform operations by setting up the cluster's kubeconfig file.
You can use the kubectl installation included in the Cloud Shell or you can use a local installation of kubectl. The version of kubectl you use must be compatible with the version of Kubernetes running on the cluster. In the case of the Cloud Shell, kubectl is regularly updated, so it is always compatible with the version of Kubernetes currently supported by Container Engine for Kubernetes. You must configure a bastion host to access a cluster with a private Kubernetes API endpoint. Setting up cluster access can be done using two methods. The first one is setting up Cloud Shell to access the cluster, where you need to run an Oracle Cloud Infrastructure CLI command in the Cloud Shell window to set up the kubeconfig file. You need to set up the kubeconfig file and verify that kubectl can access the cluster. Here, most of the things are preconfigured. The other approach would be to set up local access to the cluster. Here, you need to generate an API signing key pair and upload the public key of the API signing key pair. You need to install and configure the Oracle Cloud Infrastructure command line interface. Later, set up the kubeconfig file and verify that kubectl can access the cluster. To wrap up, in this lesson, we covered the structure of the kubeconfig file. Then we discussed the kubeconfig file and the kubectl tool, and finally, we saw the two methods we can use to control our Kubernetes cluster. I hope you liked the video. See you in the next one. Thanks for watching.
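
An added example, not part of the lesson or of Oracle's material: a Python check of the kubeconfig structure described above, confirming that current-context and every context refer to defined clusters and users, and flagging user entries that store a static credential instead of generating a token through a CLI command. The sample is constructed in the JSON shape printed by `kubectl config view -o json`; its names, server address, namespace and token are placeholders.

```python
import json

# Constructed sample in the JSON shape printed by `kubectl config view -o json`.
SAMPLE = json.loads("""
{
  "current-context": "staging-admin",
  "clusters": [{"name": "staging", "cluster": {"server": "https://192.0.2.10:6443"}}],
  "users": [
    {"name": "admin", "user": {"exec": {"command": "oci",
      "args": ["ce", "cluster", "generate-token", "--cluster-id", "CLUSTER_OCID_PLACEHOLDER"]}}},
    {"name": "ci-bot", "user": {"token": "CONSTRUCTED_SERVICE_ACCOUNT_TOKEN"}}
  ],
  "contexts": [
    {"name": "staging-admin", "context": {"cluster": "staging", "user": "admin", "namespace": "oci-staged"}},
    {"name": "staging-ci", "context": {"cluster": "staging", "user": "ci-bot"}},
    {"name": "prod-admin", "context": {"cluster": "production", "user": "admin"}}
  ]
}
""")

def audit_kubeconfig(cfg):
    """Return a list of findings for broken references and static credentials."""
    findings = []
    clusters = {c["name"] for c in cfg.get("clusters") or []}
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users") or []}
    contexts = {c["name"]: c.get("context") or {} for c in cfg.get("contexts") or []}

    current = cfg.get("current-context")
    if current not in contexts:
        findings.append(f"current-context {current!r} is not a defined context")

    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name}: cluster {ctx.get('cluster')!r} is not defined")
        if ctx.get("user") not in users:
            findings.append(f"context {name}: user {ctx.get('user')!r} is not defined")

    for name, user in users.items():
        if "exec" in user:
            continue  # token is generated on demand by a CLI command
        if "token" in user:
            findings.append(f"user {name}: static token stored in file")
        if "password" in user:
            findings.append(f"user {name}: basic-auth password stored in file")
        if "client-key-data" in user:
            findings.append(f"user {name}: client private key embedded in file")
    return findings

if __name__ == "__main__":
    for line in audit_kubeconfig(SAMPLE):
        print(line)
```

A kubeconfig that produces a static-credential finding, such as one carrying a service account token for a CI/CD tool, should be stored and distributed as a secret.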