
How to configure `kubectl` to bypass UCP loadbalancer

Article ID: KB000965

Issue

Sometimes it may be necessary to use kubectl to connect directly to the ucp-k8s-apiserver container on a UCP manager node, bypassing the UCP loadbalancer.

How To

  1. Obtain a UCP Client Bundle and extract its contents in your working directory:

    unzip -d bundle-bypass ucp-bundle-admin.zip
    Archive:  ucp-bundle-admin.zip
     extracting: bundle-bypass/ca.pem
     extracting: bundle-bypass/cert.pem
     extracting: bundle-bypass/key.pem
     extracting: bundle-bypass/cert.pub
     extracting: bundle-bypass/env.sh
     extracting: bundle-bypass/env.ps1
     extracting: bundle-bypass/env.cmd
     extracting: bundle-bypass/kube.yml

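  1. In the extracted bundle directory, search and replace in the kube.yml file and the appropriate env file for your shell, replacing your cluster address ucp.domain.com with the IP address of one of your manager nodes (172.27.0.1 in this example):

    # Work inside the extracted bundle; dots are escaped so they match literally
    cd bundle-bypass
    sed -i 's/ucp\.domain\.com/172.27.0.1/g' kube.yml
    sed -i 's/ucp\.domain\.com/172.27.0.1/g' env.sh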

Verify from the command line that the edits were successful. Expect to see a ucp_ prefix in your Kubernetes context:

    grep -A5 context kube.yml
    contexts:
    - context:
        cluster: ucp_172.27.0.1:6443_admin
        user: ucp_172.27.0.1:6443_admin
      name: ucp_172.27.0.1:6443_admin
    current-context: ucp_172.27.0.1:6443_admin
    kind: Config
    preferences: {}
    users:
    - name: ucp_172.27.0.1:6443_admin
      user:
    ...

    grep "kubectl config" env.sh
    kubectl config set-cluster ucp_172.27.0.1:6443_admin --server https://172.27.0.1:6443 --certificate-authority "$PWD/ca.pem" --embed-certs
    kubectl config set-credentials ucp_172.27.0.1:6443_admin --client-key "$PWD/key.pem" --client-certificate "$PWD/cert.pem" --embed-certs
    kubectl config set-context ucp_172.27.0.1:6443_admin --user ucp_172.27.0.1:6443_admin --cluster ucp_172.27.0.1:6443_admin
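
  1. Finally, load the client bundle into your shell, and use kubectl --insecure-skip-tls-verify to connect to the apiserver. The --insecure-skip-tls-verify flag makes kubectl skip verification of the apiserver's certificate for that connection.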
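
The search-and-replace and verification steps above, as an added shell example that is not part of the original article: `retarget_bundle` escapes the host name before handing it to sed, rewrites both files, and fails if the old name survives or the `ucp_` context does not point at the new address. The function names and the sample bundle written by `make_sample_bundle` are constructed for illustration, and the new address is assumed to be a plain IP.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). The function names and the
# sample bundle contents are constructed for illustration.

# Write a minimal, constructed kube.yml and env.sh into directory $1.
make_sample_bundle() {
  mkdir -p "$1" || return 1
  cat > "$1/kube.yml" <<'EOF'
clusters:
- cluster:
    server: https://ucp.domain.com:6443
  name: ucp_ucp.domain.com:6443_admin
current-context: ucp_ucp.domain.com:6443_admin
EOF
  cat > "$1/env.sh" <<'EOF'
kubectl config set-cluster ucp_ucp.domain.com:6443_admin --server https://ucp.domain.com:6443 --certificate-authority "$PWD/ca.pem" --embed-certs
EOF
}

# retarget_bundle DIR OLD_HOST NEW_ADDR
# Replaces OLD_HOST with NEW_ADDR in DIR/kube.yml and DIR/env.sh, then checks
# the result. Returns non-zero on any failure.
# Assumption: NEW_ADDR is a plain IP address (no "|" or "&" characters).
retarget_bundle() {
  local dir="$1" old="$2" new="$3" f pattern text
  # Escape regex metacharacters so each "." in the host name matches only a dot.
  pattern=$(printf '%s' "$old" | sed 's|[][\.*^$]|\\&|g')
  for f in kube.yml env.sh; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    # Rewrite through a variable instead of "sed -i" (GNU and BSD differ);
    # truncating the file in place keeps its existing permissions.
    text=$(sed "s|$pattern|$new|g" "$dir/$f") || return 1
    printf '%s\n' "$text" > "$dir/$f" || return 1
    # No reference to the load balancer name may remain.
    if grep -qF -- "$old" "$dir/$f"; then
      echo "$f still references $old" >&2; return 1
    fi
  done
  # The context keeps its ucp_ prefix and both files point at the new address.
  grep -qF -- "current-context: ucp_$new:" "$dir/kube.yml" || return 1
  grep -qF -- "--server https://$new:" "$dir/env.sh" || return 1
}
```

Run against a real bundle as `retarget_bundle bundle-bypass ucp.domain.com 172.27.0.1`; a non-zero exit status means the files should be inspected before they are loaded.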