exo compute sks kubeconfig

Description

This command generates a kubeconfig file to be used for authenticating to an SKS cluster API.

The “user” command argument corresponds to the CN field of the generated X.509 client certificate. Optionally, you can specify client certificate groups using the “-g|--group” option: those groups will be set in the “O” field of the certificate. See [1] for more information about Kubernetes authentication certificates.

Example usage:

# Obtain "cluster-admin" credentials
$ exo compute sks kubeconfig my-cluster admin \
    --zone de-fra-1 \
    -g system:masters \
    -t $((86400 * 7)) > $HOME/.kube/my-cluster.config
$ kubectl --kubeconfig=$HOME/.kube/my-cluster.config get pods

Note: if no TTL value is specified, the API applies a default value as a safety measure. Please look up the API documentation for more information.

Using exo CLI as Kubernetes credential plugin

If you wish to avoid leaving sensitive credentials on your system, you can use the exo CLI as a Kubernetes client-go credential plugin [2]: kubectl invokes it to generate and return the client credentials dynamically, without storing them on disk.

To achieve this configuration, edit your kubeconfig file so that the “users” section relating to your cluster (“my-sks-cluster” in the following example) looks like:

apiVersion: v1
kind: Config
clusters:
- name: my-sks-cluster
  cluster:
    certificate-authority-data: **BASE64-ENCODED CLUSTER CERTIFICATE**
    server: https://153fcc53-1197-46ae-a8e0-ccf6d09efcb0.sks-ch-gva-2.exo.io:443
users:
- name: exo@my-sks-cluster
  user:
    # The "exec" section replaces "client-certificate-data"/"client-key-data"
    exec:
      apiVersion: "client.authentication.k8s.io/v1beta1"
      command: exo
      args:
      - compute
      - sks
      - kubeconfig
      - my-sks-cluster
      - --zone=ch-gva-2
      - --exec-credential
      - user
contexts:
- name: my-sks-cluster
  context:
    cluster: my-sks-cluster
    user: exo@my-sks-cluster
current-context: my-sks-cluster

Notes:

  • The “exo” CLI binary must be installed in a directory listed in your PATH shell environment variable.
  • You can specify the “--group” flag in the user.exec.args section referencing a non-admin group to restrict the privileges of the operator using kubectl.
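
A lint for the credential-plugin setup described above, as an added example (not Exoscale's code): it reads a kubeconfig in JSON form and flags static client keys left on disk, exo exec entries whose certificate lands in system:masters (explicitly or through the default listed under Options), and entries without a TTL. The users "viewer" and "legacy" and the group "readonly" in the sample are hypothetical.

```python
import json
import os

GROUP_FLAGS = ("--group", "-g")  # flag names and default group: Options table on this page
TTL_FLAGS = ("--ttl", "-t")
DEFAULT_GROUP = "system:masters"


def flag_values(args, names):
    """Values of a flag written as '--flag value', '--flag=value' or '-f value'."""
    values = []
    for i, arg in enumerate(args):
        name, sep, inline = arg.partition("=")
        if name in names and (sep or i + 1 < len(args)):
            values.append(inline if sep else args[i + 1])
    return values


def lint_kubeconfig(config):
    """Return (user, finding) pairs for a kubeconfig parsed into a dict."""
    findings = []
    for entry in config.get("users") or []:
        name, user = entry.get("name", "?"), entry.get("user") or {}
        if "client-key-data" in user or "client-key" in user:
            findings.append((name, "static client key stored in kubeconfig"))
        plugin = user.get("exec") or {}
        args = plugin.get("args") or []
        if os.path.basename(plugin.get("command") or "") != "exo" or "kubeconfig" not in args:
            continue  # not an exo credential-plugin entry
        groups = flag_values(args, GROUP_FLAGS) or [DEFAULT_GROUP]
        if DEFAULT_GROUP in groups:
            findings.append((name, "certificate group system:masters (cluster-admin)"))
        if not flag_values(args, TTL_FLAGS):
            findings.append((name, "no --ttl, API default validity applies"))
    return findings


# Constructed sample (JSON kubeconfig); "viewer", "legacy" and group "readonly" are hypothetical.
SAMPLE = json.loads("""{"users": [
  {"name": "exo@my-sks-cluster", "user": {"exec": {"command": "exo", "args": ["compute",
    "sks", "kubeconfig", "my-sks-cluster", "--zone=ch-gva-2", "--exec-credential", "user"]}}},
  {"name": "viewer", "user": {"exec": {"command": "exo", "args": ["compute", "sks", "kubeconfig",
    "my-sks-cluster", "-z", "ch-gva-2", "-x", "-g", "readonly", "--ttl=3600", "viewer"]}}},
  {"name": "legacy", "user": {"client-certificate-data": "REDACTED",
                              "client-key-data": "REDACTED"}}]}""")

if __name__ == "__main__":
    for user, finding in lint_kubeconfig(SAMPLE):
        print(f"{user}: {finding}")
```

To check a real file, pass `lint_kubeconfig` the result of `json.load` on the output of `kubectl config view -o json`.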

exo compute sks kubeconfig CLUSTER-NAME|ID USER [flags]

Options

Option                   Description
--exec-credential, -x    output an ExecCredential object to use with a kubeconfig user.exec mode
--group, -g              client certificate group. Can be specified multiple times. Defaults to system:masters
--help, -h               help for kubeconfig
--ttl, -t                client certificate validity duration in seconds
--zone, -z               SKS cluster zone

Options inherited from parent commands

Option                   Description
--config, -C             Specify an alternate config file [env EXOSCALE_CONFIG]
--output-format, -O      Output format (table|json|text), see "exo output --help" for more information
--output-template        Template to use if output format is "text"
--quiet, -Q              Quiet mode (disable non-essential command output)
--use-account, -A        Account to use in config file [env EXOSCALE_ACCOUNT]

Related Commands

  • sks - Scalable Kubernetes Service management