There are multiple ways to access a vcluster with an external application like
Please make sure to install the vcluster CLI. Create a kubeconfig via:
Depending on whether the vcluster was created with the --expose flag, the CLI will either start port-forwarding or create a kubeconfig that can be used directly.
If you have manually exposed the vcluster, you can specify the domain where the vcluster is reachable via the
By default, vcluster creates a kube config that contains the default admin client certificate and client key to authenticate to the vcluster. This means that every kube config generated this way has cluster admin access within the vcluster.
Often this is not desired. Instead of giving a user admin access to the virtual cluster, you can use service account authentication. Let's say you want a kube config that only has view access in the virtual cluster. You would create a new service account inside the vcluster and assign it the cluster role view via a cluster role binding. You would then generate a service account token and use that in the kube config instead of the client-cert and client-key.
With vcluster version v0.6.0 and higher you can automatically do this via the CLI:
This will create the needed service account and cluster role binding, as well as a kube config similar to this:
As you can see, the service account token is used in this kube config instead of the client-cert and client-key that are used by default. Trying to create a namespace with this config will yield:
You can replace the token field in the kube config with any other service account token from inside the vcluster to act as this service account against the vcluster. For more information about service accounts and tokens, please refer to the official Kubernetes documentation.
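The manual steps described above (service account, view cluster role binding, token in the kube config instead of the client-cert and client-key), as an added example that is not part of the original documentation. It assumes the current kubectl context already points at the vcluster with admin rights and that kubectl is v1.24 or newer for "kubectl create token"; the function names, the binding name, the cluster entry name "vcluster" and the one-hour token lifetime are hypothetical choices.

```bash
#!/usr/bin/env bash
# Added example: hand-build a view-only kube config for a vcluster.
# Assumption: the current kubectl context is the vcluster admin context.

make_view_kubeconfig() {
  local sa="$1" ns="$2" out="$3" server ca token
  # Never merge into an existing file that may already hold admin credentials.
  [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
  # Identity inside the vcluster, bound to the built-in read-only "view" role.
  kubectl create serviceaccount "$sa" -n "$ns" || return 1
  kubectl create clusterrolebinding "${sa}-view" \
    --clusterrole=view --serviceaccount="${ns}:${sa}" || return 1
  # Time-limited token (hypothetical 1h lifetime) instead of a static credential.
  token="$(kubectl create token "$sa" -n "$ns" --duration=1h)" || return 1
  # Reuse endpoint and CA from the admin kube config, but not its user entry.
  server="$(kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.server}')" || return 1
  ca="$(kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')" || return 1
  kubectl --kubeconfig "$out" config set-cluster vcluster --server="$server" >/dev/null
  kubectl --kubeconfig "$out" config set \
    clusters.vcluster.certificate-authority-data "$ca" >/dev/null
  kubectl --kubeconfig "$out" config set-credentials "$sa" --token="$token" >/dev/null
  kubectl --kubeconfig "$out" config set-context "$sa" \
    --cluster=vcluster --user="$sa" >/dev/null
  kubectl --kubeconfig "$out" config use-context "$sa" >/dev/null
}

# Returns 0 only if the file carries no client cert/key and the API server
# confirms the identity can read pods but cannot create namespaces.
check_view_only() {
  local cfg="$1"
  if grep -Eq 'client-(certificate|key)' "$cfg"; then return 1; fi
  [ "$(kubectl --kubeconfig "$cfg" auth can-i list pods 2>/dev/null)" = "yes" ] || return 1
  [ "$(kubectl --kubeconfig "$cfg" auth can-i create namespaces 2>/dev/null)" = "no" ] || return 1
}

# Usage (hypothetical names):
#   make_view_kubeconfig viewer default ./view-kubeconfig.yaml
#   check_view_only ./view-kubeconfig.yaml && echo "view-only config verified"
```

Run check_view_only before handing the file to anyone: it catches both a leftover admin client certificate and a binding that grants more than view.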
There might be cases where connecting to a vcluster with the CLI is not feasible or the CLI cannot be installed. For such cases, you can retrieve the vcluster kube config from a secret that is created automatically in the vcluster namespace.
The secret is prefixed with vc- and ends with the vcluster name, so a vcluster called my-vcluster in namespace test would create a secret called vc-my-vcluster in the namespace test. You can retrieve the kube config after the vcluster has started via:
The secret will hold a kube config in this format:
By default, the server https://localhost:8443 is used, which works if you port-forward the vcluster with:
With the syncer flag --out-kube-config-secret-namespace you can specify a different namespace in which the kube config secret should be created. Keep in mind that you have to manually apply RBAC permissions that allow the vcluster to create and retrieve secrets in that namespace.
If you have exposed the vcluster, you can also tell the vcluster to create the kube config secret with another server endpoint through the
For example, if you want to expose a vcluster at https://my-domain.org, you can create a values.yaml like this:
Then you can create or upgrade the vcluster with:
Wait until the vcluster has started and you can retrieve the kube config via: