Guide to Using kubectl with CB‐Spider Kubeconfig - cloud-barista/cb-spider GitHub Wiki

Overview

  • CB-Spider enables the creation and management of multi-cloud Kubernetes clusters through a single unified API, and provides a kubeconfig for accessing each cluster.
  • Users can leverage Kubernetes management tools such as kubectl, OpenLens, and HeadLamp by configuring the kubeconfig.
  • This guide explains how to use kubectl with the Kubeconfig provided by Spider.

Kubeconfig Types

  • Kubeconfig is provided in two types depending on the authentication token method per CSP:

    • Dynamic Token Type: exec-based kubeconfig that automatically refreshes tokens when kubectl is executed
      • kubectl execution: Spider API call => CSP token issuance request => automatic token refresh => Kubernetes access
    • Static Token Type: Authentication information (certificates, tokens) is directly embedded in the kubeconfig
      • kubectl execution: Kubernetes access
  • For Dynamic Token types (AWS, GCP, NCP), Spider API users can choose between two authentication options:

    | Option | Method | Spider Server Required |
    |---|---|---|
    | Spider Default (default) | Uses Spider Token API (~/.cb-spider/.spider-credential setup required) | O |
    | CSP Native (KubeconfigType=native) | Uses CSP authentication plugins (aws-iam-authenticator, gke-gcloud-auth-plugin installation required) | X |

⚠️ NCP (NKS) supports Spider Default only; CSP Native option is not available.

  • Kubeconfig Type by CSP

    | CSP | Kubeconfig Type |
    |---|---|
    | AWS (EKS) | Dynamic Token |
    | GCP (GKE) | Dynamic Token |
    | Azure (AKS) | Static Token |
    | Alibaba (ACK) | Static Token |
    | Tencent (TKE) | Static Token |
    | IBM (IKS) | Static Token |
    | NCP (NKS) | Dynamic Token |
    | NHN Cloud | Static Token |

Comparison

| Item | Spider Default Dynamic Token | CSP Native Dynamic Token | Static Token |
|---|---|---|---|
| Target CSPs | AWS, GCP, NCP | AWS, GCP | Azure, Alibaba, Tencent, IBM, NHN |
| Spider Server Required | O | X | X |
| CSP Tool Installation Required | X | O | X |
| Local CSP Credentials Required | X | O | X |
| Automatic Token Refresh | O | O | X |

Kubeconfig Structure

Dynamic Token — Spider Default

users:
- name: aws-dynamic-token
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      interactiveMode: Never
      command: sh
      args:
      - -c
      - ". ~/.cb-spider/.spider-credential && curl -s -u \"$SPIDER_USERNAME:$SPIDER_PASSWORD\" \"http://localhost:1024/spider/cluster/my-cluster/token?ConnectionName=aws-connection\""

  • Sources the credential file (~/.cb-spider/.spider-credential) via sh -c, then calls the Spider Token API with curl
  • Automatically obtains a new token each time kubectl is executed
  • Spider server access required

Dynamic Token — Spider Default (NCP)

users:
- name: ncp-dynamic-token
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      interactiveMode: Never
      command: sh
      args:
      - -c
      - ". ~/.cb-spider/.spider-credential && curl -s -u \"$SPIDER_USERNAME:$SPIDER_PASSWORD\" \"http://localhost:1024/spider/cluster/my-cluster/token?ConnectionName=ncp-connection\""

  • Same exec-plugin approach as AWS/GCP Spider Default: sources the credential file via sh -c, then calls the Spider Token API
  • CSP Native option not available — Spider Default only
  • Spider server access required

Dynamic Token — CSP Native (AWS)

users:
- name: aws-iam-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      interactiveMode: Never
      command: aws-iam-authenticator
      args:
      - token
      - -i
      - my-cluster

  • aws-iam-authenticator generates an STS token using local AWS credentials (~/.aws/credentials)
  • Spider server not required — can be used independently

Dynamic Token — CSP Native (GCP)

users:
- name: gcp-gke-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_plugin
      provideClusterInfo: true

  • gke-gcloud-auth-plugin generates an OAuth2 token using local GCP credentials (gcloud auth login)
  • Spider server not required — can be used independently

Static Token (e.g., Azure AKS)

users:
- name: clusterAdmin_myResourceGroup_my-aks-cluster
  user:
    client-certificate-data: <Base64-encoded-client-cert>
    client-key-data: <Base64-encoded-client-key>

  • Certificates/tokens provided by the CSP are directly embedded in the kubeconfig
  • Spider server not required — can be used independently
  • When authentication information expires, re-extract by querying the Cluster again

kubectl Execution Flow

Dynamic Token — Spider Default (AWS, GCP, NCP)

  • kubectl → sh -c → Source Spider credential file → Call Spider Token API via curl → Obtain token → K8s authentication

sequenceDiagram
    participant kubectl
    participant sh as sh -c<br/>(Source credential)
    participant Spider as CB-Spider<br/>Server
    participant CSP as CSP API<br/>(EKS/GKE/NKS)
    participant K8s as K8s API Server

    kubectl->>sh: kubeconfig exec
    sh->>Spider: curl + Basic Auth<br/>(Token API)
    Spider->>CSP: GenerateClusterToken<br/>(AWS STS / GCP IAM / NCP IAM)
    CSP-->>Spider: Token
    Spider-->>kubectl: Token
    kubectl->>K8s: K8s API call with token
    K8s-->>kubectl: Response

Dynamic Token — CSP Native (AWS, GCP)

  • kubectl → CSP authentication plugin → Generate token using local CSP credentials → K8s authentication (no Spider server required)

sequenceDiagram
    participant kubectl
    participant Plugin as CSP Auth Plugin<br/>(aws-iam-authenticator<br/>gke-gcloud-auth-plugin)
    participant CSP as CSP API<br/>(EKS/GKE)
    participant K8s as K8s API Server

    kubectl->>Plugin: kubeconfig exec
    Plugin->>CSP: Generate token<br/>(using local CSP credentials)
    CSP-->>Plugin: Token
    Plugin-->>kubectl: Token
    kubectl->>K8s: K8s API call with token
    K8s-->>kubectl: Response

Static Token (Azure, Alibaba, Tencent, IBM, NHN Cloud)

  • Authentication information is directly embedded in the kubeconfig → kubectl authenticates directly with the K8s API (no Spider server required)

sequenceDiagram
    participant kubectl
    participant K8s as K8s API Server

    Note over kubectl: Embedded credentials<br/>(client-certificate-data,<br/>client-key-data)
    kubectl->>K8s: Direct K8s API call<br/>with embedded auth credentials
    K8s-->>kubectl: Response

Quick Start

1. Prerequisites

# Set Spider access information
export SPIDER_USERNAME=${SPIDER_USERNAME:-admin}
export SPIDER_PASSWORD=${SPIDER_PASSWORD:-change-your-password}
export SPIDER_URL="http://localhost:1024/spider"

For Spider Default, create a credential file:

mkdir -p ~/.cb-spider
cat > ~/.cb-spider/.spider-credential << 'EOF'
SPIDER_USERNAME=admin
SPIDER_PASSWORD=change-your-password
EOF
chmod 600 ~/.cb-spider/.spider-credential

For CSP Native, install the CSP authentication plugins:

# AWS (Ubuntu/Linux)
curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.6.27/aws-iam-authenticator_0.6.27_linux_amd64
chmod +x aws-iam-authenticator && sudo mv aws-iam-authenticator /usr/local/bin/

# GCP (Ubuntu/Linux)
sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin

2. Extract Kubeconfig

Extract the kubeconfig from the AccessInfo.Kubeconfig field in the Cluster query API response.

# Spider Default kubeconfig (default)
curl -s -X GET "$SPIDER_URL/cluster/my-cluster?ConnectionName=aws-connection" \
  -u "$SPIDER_USERNAME:$SPIDER_PASSWORD" \
  | jq -r '.AccessInfo.Kubeconfig' > ~/.kube/spider-my-cluster.yaml

# CSP Native kubeconfig (AWS/GCP only)
curl -s -X GET "$SPIDER_URL/cluster/my-cluster?ConnectionName=aws-connection&KubeconfigType=native" \
  -u "$SPIDER_USERNAME:$SPIDER_PASSWORD" \
  | jq -r '.AccessInfo.Kubeconfig' > ~/.kube/spider-my-cluster.yaml

Note: KubeconfigType=native is only valid for AWS (EKS) and GCP (GKE). It is ignored for other CSPs.

※ Extraction via AdminWeb:

  • You can also view and copy the Kubeconfig from the Cluster page of the CB-Spider AdminWeb.
  • Click View Details under Access Info in the cluster list to display the Endpoint and Kubeconfig (YAML).
  • For Dynamic Token CSPs (AWS, GCP), you can select Spider Default or CSP Native from the dropdown.
  • Click the copy button at the bottom to copy the Kubeconfig to your clipboard, then save it to a file.

3. Using kubectl

# Method A: --kubeconfig flag
kubectl --kubeconfig ~/.kube/spider-my-cluster.yaml get nodes

# Method B: KUBECONFIG environment variable
export KUBECONFIG=~/.kube/spider-my-cluster.yaml
kubectl get nodes
kubectl get pods -A

# Method C: Merge into default kubeconfig
cp ~/.kube/config ~/.kube/config.bak
KUBECONFIG=~/.kube/config:~/.kube/spider-my-cluster.yaml kubectl config view --flatten > ~/.kube/config.merged
mv ~/.kube/config.merged ~/.kube/config
kubectl config use-context my-cluster

Server Environment Variables (Dynamic Token Only)

Environment variables referenced by the CB-Spider server when generating kubeconfig.

| Variable | Description | Default |
|---|---|---|
| SERVER_ADDRESS | Spider server address reflected in the kubeconfig Token API URL | localhost:1024 |

⚠️ If the Spider server is accessible externally, SERVER_ADDRESS must be set to the external address for the kubeconfig Token API URL to be generated correctly.

export SERVER_ADDRESS="10.0.1.50:1024"

Security Notes

  • Restrict permissions on kubeconfig and credential files:
    chmod 600 ~/.kube/spider-my-cluster.yaml
    chmod 600 ~/.cb-spider/.spider-credential
  • Do not commit kubeconfig files to Git.
  • When using CSP Native, configure local CSP credentials with the principle of least privilege.
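An added example (not part of the CB-Spider project or this wiki) that audits the three user types described under Kubeconfig Structure: it classifies each users[] entry as Spider Default, CSP Native or static, and flags a Spider Token API URL that uses plain http on a non-localhost SERVER_ADDRESS, since the exec command then sends the Basic Auth username and password in the clear on every kubectl call. It assumes the kubeconfig has been loaded into a dict (for example via `kubectl config view --raw -o json` and json.load); the sample entries are constructed.

```python
import re
from urllib.parse import urlparse

NATIVE_PLUGINS = {"aws-iam-authenticator", "gke-gcloud-auth-plugin"}  # CSP Native exec plugins
# Shape of the Spider Token API URL that a Spider Default kubeconfig embeds in its exec args.
TOKEN_URL_RE = re.compile(r"https?://[^\s\"']+/spider/cluster/[^\s\"']+/token[^\s\"']*")

def classify_user(entry):
    """Return (kind, warnings) for one item of the kubeconfig users[] list."""
    user = entry.get("user", {})
    exec_cfg = user.get("exec")
    if exec_cfg is None:
        if "client-certificate-data" in user or "token" in user:
            return "static", ["embedded credentials never refresh; re-query the cluster when they expire"]
        return "unknown", ["no recognised credential fields"]
    command = exec_cfg.get("command", "")
    if command in NATIVE_PLUGINS:
        return "dynamic-native", []  # token minted from local CSP credentials, no Spider server needed
    match = TOKEN_URL_RE.search(" ".join([command, *exec_cfg.get("args", [])]))
    if match is None:
        return "dynamic-other", []
    warnings = []
    url = urlparse(match.group(0))
    if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1"):
        # Remote SERVER_ADDRESS over http: curl -u sends the Spider password as cleartext Basic Auth.
        warnings.append(f"Token API at {url.netloc} is plain http; Basic Auth credentials are sent unencrypted")
    if exec_cfg.get("interactiveMode") != "Never":
        warnings.append("interactiveMode should be Never so kubectl never blocks on a prompt")
    return "dynamic-spider", warnings

def audit_kubeconfig(cfg):
    """Map each user name to its (kind, warnings) classification."""
    return {u["name"]: classify_user(u) for u in cfg.get("users", [])}

def spider_user(name, host):
    """Constructed Spider Default users[] entry, mirroring the page's aws-dynamic-token example."""
    cmd = (". ~/.cb-spider/.spider-credential && curl -s -u \"$SPIDER_USERNAME:$SPIDER_PASSWORD\" "
           f"\"http://{host}/spider/cluster/my-cluster/token?ConnectionName=aws-connection\"")
    return {"name": name, "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1",
            "interactiveMode": "Never", "command": "sh", "args": ["-c", cmd]}}}

SAMPLE = {"users": [  # constructed, in the dict shape of `kubectl config view --raw -o json`
    spider_user("aws-dynamic-token", "localhost:1024"),
    spider_user("aws-remote-token", "10.0.1.50:1024"),  # SERVER_ADDRESS set to a LAN address
    {"name": "aws-iam-user", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
        "interactiveMode": "Never", "command": "aws-iam-authenticator", "args": ["token", "-i", "my-cluster"]}}},
    {"name": "aks-admin", "user": {"client-certificate-data": "<base64>", "client-key-data": "<base64>"}},
]}
```

Running `audit_kubeconfig(SAMPLE)` reports aws-remote-token as dynamic-spider with the plain-http warning, while the localhost entry, the native entry and the static AKS entry come back with only the expected classification.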
