Guide to Using kubectl with CB‐Spider Kubeconfig - cloud-barista/cb-spider GitHub Wiki
- CB-Spider enables the creation and management of multi-cloud Kubernetes clusters through a single unified API, and provides kubeconfig for accessing clusters.
- Users can leverage Kubernetes management tools such as kubectl, OpenLens, and HeadLamp by configuring the kubeconfig.
- This guide explains how to use `kubectl` with the Kubeconfig provided by Spider.
- Kubeconfig is provided in two types depending on the authentication token method per CSP:
  - Dynamic Token Type: exec-based kubeconfig that automatically refreshes tokens when kubectl is executed
    - kubectl execution: Spider API call => CSP token issuance request => automatic token refresh => Kubernetes access
  - Static Token Type: Authentication information (certificates, tokens) is directly embedded in the kubeconfig
    - kubectl execution: Kubernetes access
- For Dynamic Token types (AWS, GCP, NCP), Spider API users can choose between two authentication options:

| Option | Method | Spider Server Required |
|---|---|---|
| Spider Default (default) | Uses Spider Token API (`~/.cb-spider/.spider-credential` setup required) | O |
| CSP Native (`KubeconfigType=native`) | Uses CSP authentication plugins (`aws-iam-authenticator`, `gke-gcloud-auth-plugin` installation required) | X |

⚠️ NCP (NKS) supports Spider Default only; CSP Native option is not available.
- Kubeconfig Type by CSP

| CSP | Kubeconfig Type |
|---|---|
| AWS (EKS) | Dynamic Token |
| GCP (GKE) | Dynamic Token |
| Azure (AKS) | Static Token |
| Alibaba (ACK) | Static Token |
| Tencent (TKE) | Static Token |
| IBM (IKS) | Static Token |
| NCP (NKS) | Dynamic Token |
| NHN Cloud | Static Token |

| Item | Spider Default Dynamic Token | CSP Native Dynamic Token | Static Token |
|---|---|---|---|
| Target CSPs | AWS, GCP, NCP | AWS, GCP | Azure, Alibaba, Tencent, IBM, NHN |
| Spider Server Required | O | X | X |
| CSP Tool Installation Required | X | O | X |
| Local CSP Credentials Required | X | O | X |
| Automatic Token Refresh | O | O | X |

```yaml
users:
- name: aws-dynamic-token
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      interactiveMode: Never
      command: sh
      args:
      - -c
      - ". ~/.cb-spider/.spider-credential && curl -s -u \"$SPIDER_USERNAME:$SPIDER_PASSWORD\" \"http://localhost:1024/spider/cluster/my-cluster/token?ConnectionName=aws-connection\""
```

- Sources the credential file (`~/.cb-spider/.spider-credential`) via `sh -c`, then calls the Spider Token API with `curl`
- Automatically obtains a new token each time kubectl is executed
- Spider server access required

```yaml
users:
- name: ncp-dynamic-token
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      interactiveMode: Never
      command: sh
      args:
      - -c
      - ". ~/.cb-spider/.spider-credential && curl -s -u \"$SPIDER_USERNAME:$SPIDER_PASSWORD\" \"http://localhost:1024/spider/cluster/my-cluster/token?ConnectionName=ncp-connection\""
```

- Same exec-plugin approach as AWS/GCP Spider Default: sources credential file via `sh -c`, then calls Spider Token API
- CSP Native option not available — Spider Default only
- Spider server access required

```yaml
users:
- name: aws-iam-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      interactiveMode: Never
      command: aws-iam-authenticator
      args:
      - token
      - -i
      - my-cluster
```

- `aws-iam-authenticator` generates an STS token using local AWS credentials (`~/.aws/credentials`)
- Spider server not required — can be used independently

```yaml
users:
- name: gcp-gke-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_plugin
      provideClusterInfo: true
```

- `gke-gcloud-auth-plugin` generates an OAuth2 token using local GCP credentials (`gcloud auth login`)
- Spider server not required — can be used independently

```yaml
users:
- name: clusterAdmin_myResourceGroup_my-aks-cluster
  user:
    client-certificate-data: <Base64-encoded-client-cert>
    client-key-data: <Base64-encoded-client-key>
```

- Certificates/tokens provided by the CSP are directly embedded in the kubeconfig
- Spider server not required — can be used independently
- When authentication information expires, re-extract by querying the Cluster again

- kubectl → `sh -c` → Source Spider credential file → Call Spider Token API via `curl` → Obtain token → K8s authentication

```mermaid
sequenceDiagram
    participant kubectl
    participant sh as sh -c<br/>(Source credential)
    participant Spider as CB-Spider<br/>Server
    participant CSP as CSP API<br/>(EKS/GKE/NKS)
    participant K8s as K8s API Server
    kubectl->>sh: kubeconfig exec
    sh->>Spider: curl + Basic Auth<br/>(Token API)
    Spider->>CSP: GenerateClusterToken<br/>(AWS STS / GCP IAM / NCP IAM)
    CSP-->>Spider: Token
    Spider-->>kubectl: Token
    kubectl->>K8s: K8s API call with token
    K8s-->>kubectl: Response
```

- kubectl → CSP authentication plugin → Generate token using local CSP credentials → K8s authentication (No Spider server required)

```mermaid
sequenceDiagram
    participant kubectl
    participant Plugin as CSP Auth Plugin<br/>(aws-iam-authenticator<br/>gke-gcloud-auth-plugin)
    participant CSP as CSP API<br/>(EKS/GKE)
    participant K8s as K8s API Server
    kubectl->>Plugin: kubeconfig exec
    Plugin->>CSP: Generate token<br/>(using local CSP credentials)
    CSP-->>Plugin: Token
    Plugin-->>kubectl: Token
    kubectl->>K8s: K8s API call with token
    K8s-->>kubectl: Response
```

- Authentication information is directly embedded in kubeconfig → kubectl authenticates directly with K8s API (No Spider server required)

```mermaid
sequenceDiagram
    participant kubectl
    participant K8s as K8s API Server
    Note over kubectl: Embedded credentials<br/>(client-certificate-data,<br/>client-key-data)
    kubectl->>K8s: Direct K8s API call<br/>with embedded auth credentials
    K8s-->>kubectl: Response
```

```bash
# Set Spider access information
export SPIDER_USERNAME=${SPIDER_USERNAME:-admin}
export SPIDER_PASSWORD=${SPIDER_PASSWORD:-change-your-password}
export SPIDER_URL="http://localhost:1024/spider"
```

For Spider Default, create a credential file:

```bash
mkdir -p ~/.cb-spider
cat > ~/.cb-spider/.spider-credential << 'EOF'
SPIDER_USERNAME=admin
SPIDER_PASSWORD=change-your-password
EOF
chmod 600 ~/.cb-spider/.spider-credential
```

For CSP Native, install the CSP authentication plugins:

```bash
# AWS (Ubuntu/Linux)
curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.6.27/aws-iam-authenticator_0.6.27_linux_amd64
chmod +x aws-iam-authenticator && sudo mv aws-iam-authenticator /usr/local/bin/
# GCP (Ubuntu/Linux)
sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin
```

Extract the kubeconfig from the `AccessInfo.Kubeconfig` field in the Cluster query API response.
- API Details: Get Cluster (Swagger)

```bash
# Spider Default kubeconfig (default)
curl -s -X GET "$SPIDER_URL/cluster/my-cluster?ConnectionName=aws-connection" \
  -u "$SPIDER_USERNAME:$SPIDER_PASSWORD" \
  | jq -r '.AccessInfo.Kubeconfig' > ~/.kube/spider-my-cluster.yaml
# CSP Native kubeconfig (AWS/GCP only)
curl -s -X GET "$SPIDER_URL/cluster/my-cluster?ConnectionName=aws-connection&KubeconfigType=native" \
  -u "$SPIDER_USERNAME:$SPIDER_PASSWORD" \
  | jq -r '.AccessInfo.Kubeconfig' > ~/.kube/spider-my-cluster.yaml
```

Note: `KubeconfigType=native` is only valid for AWS (EKS) and GCP (GKE). It is ignored for other CSPs.

※ Extraction via AdminWeb:
- You can also view and copy the Kubeconfig from the Cluster page of the CB-Spider AdminWeb.
- Click Access Info → View Details in the cluster list to display the Endpoint and Kubeconfig (YAML).
- For Dynamic Token CSPs (AWS, GCP), you can select `Spider Default` or `CSP Native` from the dropdown.
- Click the copy button at the bottom to copy the Kubeconfig to your clipboard, then save it to a file.

```bash
# Method A: --kubeconfig flag
kubectl --kubeconfig ~/.kube/spider-my-cluster.yaml get nodes
# Method B: KUBECONFIG environment variable
export KUBECONFIG=~/.kube/spider-my-cluster.yaml
kubectl get nodes
kubectl get pods -A
# Method C: Merge into default kubeconfig
cp ~/.kube/config ~/.kube/config.bak
KUBECONFIG=~/.kube/config:~/.kube/spider-my-cluster.yaml kubectl config view --flatten > ~/.kube/config.merged
mv ~/.kube/config.merged ~/.kube/config
kubectl config use-context my-cluster
```

Environment variables referenced by the CB-Spider server when generating kubeconfig.

| Variable | Description | Default |
|---|---|---|
| `SERVER_ADDRESS` | Spider server address reflected in the kubeconfig Token API URL | `localhost:1024` |

⚠️ If the Spider server is accessible externally, `SERVER_ADDRESS` must be set to the external address for the kubeconfig Token API URL to be generated correctly.

```bash
export SERVER_ADDRESS="10.0.1.50:1024"
```

- Restrict permissions on kubeconfig and credential files:

  ```bash
  chmod 600 ~/.kube/spider-my-cluster.yaml
  chmod 600 ~/.cb-spider/.spider-credential
  ```
- Do not commit kubeconfig files to Git.
- When using CSP Native, configure local CSP credentials with the principle of least privilege.
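
A pre-use check for the file-permission advice above and for the `SERVER_ADDRESS` note, as an added example that is not part of the CB-Spider wiki or code base. It flags a kubeconfig that is readable beyond its owner, one that embeds Static Token credentials, and a Spider Token API URL that would carry Basic Auth over plain `http://` to a non-loopback host. The function names, finding labels and sample file are constructed here, and the sample assumes the `http://` scheme from the kubeconfig examples is kept when `SERVER_ADDRESS` is an external address.

```sh
# Added example (not CB-Spider code): pre-use audit of a kubeconfig obtained from Spider.
# Function names and finding labels are invented for this example.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }  # GNU stat, then BSD stat

# audit_spider_kubeconfig FILE: one finding per line on stdout, exit status 1 if any.
audit_spider_kubeconfig() {
    f=$1; n=0
    mode=$(file_mode "$f")
    case $mode in
        600|400) ;;                                  # owner-only, as the guide asks
        *) echo "PERM mode=$mode"; n=$((n+1)) ;;
    esac
    # Static Token type: key material or a bearer token is stored in the file itself.
    if grep -Eq '^[[:space:]]*(client-key-data|token):' "$f"; then
        echo "STATIC embedded-credential"; n=$((n+1))
    fi
    # Spider Default type: the exec args hold the Token API URL. Basic Auth and the
    # returned token are unencrypted over http:// unless the server is on loopback.
    urls=$(grep -Eo 'https?://[^"\\ ]+' "$f" | grep '/token?' || true)
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        host=${url#*://}; host=${host%%[:/]*}
        case "$url $host" in
            https://*|*" localhost"|*" 127.0.0.1") ;;
            *) echo "CLEARTEXT token-api-host=$host"; n=$((n+1)) ;;
        esac
    done <<EOF
$urls
EOF
    [ "$n" -eq 0 ]
}

# Constructed sample: Spider Default user entry whose Token API URL is an external address.
demo=$(mktemp)
cat > "$demo" <<'EOF'
users:
- name: aws-dynamic-token
  user:
    exec:
      command: sh
      args:
      - -c
      - ". ~/.cb-spider/.spider-credential && curl -s -u \"$SPIDER_USERNAME:$SPIDER_PASSWORD\" \"http://10.0.1.50:1024/spider/cluster/my-cluster/token?ConnectionName=aws-connection\""
EOF
chmod 644 "$demo"
audit_spider_kubeconfig "$demo" || true
rm -f "$demo"
```

Run it against `~/.kube/spider-my-cluster.yaml` after extraction; a `STATIC` finding is expected for Static Token CSPs and marks the file as holding the credential itself.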