Skip to content

KubeCTL CLI

Authorized users may wish to perform KubeCTL operations on their fleet of clusters in their Project(s) using the KubeCTL CLI. The "Kube API Server Proxy" in the Rafay Controller provides conveniences for users to perform this quickly and securely. Depending on the user's role, they are provided multiple ways by which they can download the Kubeconfig.

Important

The downloaded Kubeconfigs will allow the users to securely access the fleet of clusters they are authorized to access using KubeCTL CLI unless user access is revoked OR if the Kubeconfig is revoked OR if the Kubeconfig credentials expire.


Infrastructure Admins

  • Login into the Rafay Console and navigate to the Project
  • Click on "Download Kubeconfig" on the top of the Clusters page

Download Kubeconfig for Infra Admins

This will provide the user with a "consolidated" Kubeconfig file for all the clusters the user is authorized to access as per their configured Role in the Rafay Org.


Project Admins

  • Login into the Rafay Console
  • Click on "My Tools"
  • Click on "Download Kubeconfig" on the top of the Clusters page

Download Kubeconfig for Project Admins

This will provide the user with a "consolidated" Kubeconfig file for all the clusters the user is authorized to access as per their configured Role in the Rafay Org.


Namespace Admins

  • Login into the Rafay Console
  • Click on "My Tools"
  • Click on "Download Kubeconfig" on the top of the Clusters page

Download Kubeconfig for Namespace Admins

This will provide the user with a "consolidated" Kubeconfig file for all the clusters the user is authorized to access as per their configured Role in the Rafay Org.


Revoke Kubeconfig

Project admins are provided the means to revoke their Kubeconfigs. They may wish to perform this if they believe that their Kubeconfig file has been compromised (e.g lost/stolen laptop).

  • Login into the Rafay Console
  • Click on "My Tools"
  • Click on "Revoke Kubeconfig"

Revoke Kubeconfig for Project Admins


RCTL and Kubeconfig

In some environments, automation is critical and foundational. As a result, users and 3rd party systems may need to access the managed cluster's Kube API Server programmatically or via scripts. These systems may also not have the ability to download the Kubeconfig via a web browser. For scenarios like this, Rafay's RCTL CLI can be used to download the Kubeconfig files.

Representative examples: - A Jenkins based CI system that needs to use KubeCTL to securely interact with remote clusters. - A 3rd party SaaS Application such as "Service Now" that needs to securely access the fleet of Kubernetes clusters for inventory and governance purposes.

Once RCTL has been downloaded and initialized (i.e. it is now authorized to communicate with the customer's Org in the Rafay Controller), use RCTL to download the Kubeconfig file. The downloaded Kubeconfig file will be a unified Kubeconfig that will provide access to all clusters in the Project the RCTL user is authorized to access.

./rctl kubeconfig download -h
Download the generated kubeconfig

Usage:
  rctl kubeconfig download [flags]

Flags:
      --cluster string     Set the cluster to get kubeconfig for a specific cluster
  -h, --help               help for download
  -n, --namespace string   Set the default namespace for the kubeconfig
  -f, --to-file string     File location to download the kubeconfig to

Global Flags:
  -c, --config string    Customize cli config file
  -d, --debug            Enable debug logs
  -o, --output string    Using json or yaml output
  -p, --project string   Using json or yaml output
  -v, --verbose          Verbose mode. A lot more information output.