If you want to use API operations to manage an Alibaba Cloud Service Mesh (ASM) instance, you can use the kubectl client to connect to the ASM instance.

Background information

kubectl is a command line tool of Kubernetes. You can use the kubectl client to manage Kubernetes clusters, containerized applications deployed in Kubernetes clusters, and ASM instances.

Based on the role-based access control (RBAC) mode of Kubernetes, ASM provides predefined RBAC roles with different permissions on an ASM instance. You can assign roles with the following permissions to users as required:
  • The permissions to manage namespaces on the control plane, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
  • The permissions to manage Istio resources, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
  • The permissions to manage istiogateways.istio.alibabacloud.com resources for deploying ingress gateways, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
  • The read-only permission on istio.alibabacloud.com resources, including the permissions to perform the get and list operations.

The following ClusterRole, istio-admin, grants these permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-admin
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: 
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - config.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  - security.istio.io
  resources: ["*"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["istiogateways"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["*"]
  verbs:
  - get
  - list

Procedure

  1. Select and download a desired version of kubectl from GitHub. Then, install and configure the kubectl client. For more information, see Install and Set Up kubectl.
  2. View the connection configuration of the ASM instance.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the target ASM instance and click the instance name or click Manage in the Actions column.
    4. Click Connection in the upper-right corner.
      In the Connection pane that appears, you can view the Internet connection configuration on the Internet Access tab, and the internal connection configuration on the Internal Access tab.
  3. Add the credential for connecting to the ASM instance.
    • If the ASM instance supports Internet access, click the Internet Access tab and copy the content in the code editor to the config file in the $HOME/.kube directory. This is the default file from which kubectl obtains credentials. If the config file does not exist in that directory, create it.
    • If the ASM instance supports internal access, click the Internal Access tab and copy the content in the code editor to the config file in the $HOME/.kube directory. This is the default file from which kubectl obtains credentials. If the config file does not exist in that directory, create it.
  4. Run the following command to check whether you can connect to the ASM instance from the kubectl client. If the namespace information is returned, the connection succeeds.
    kubectl get ns
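
One way to carry out steps 3 and 4 while protecting the credential, as an added example that is not part of the original documentation: it writes the copied content with owner-only permissions, backs up any existing config instead of overwriting it, and then asks the API server which of the istio-admin verbs the credential holds. The function names and the source-file argument are assumptions made for this example.

```bash
# Added example; function names and arguments are hypothetical.

# install_kubeconfig SRC [DEST]
#   SRC  - file holding the content copied from the Connection pane
#   DEST - target path (default: $HOME/.kube/config)
install_kubeconfig() {
  local src="$1" dest="${2:-$HOME/.kube/config}" dir tmp bak
  dir="$(dirname "$dest")"
  tmp="$dest.tmp.$$"
  [ -s "$src" ] || { echo "kubeconfig source missing or empty: $src" >&2; return 1; }
  # Owner-only directory: the file holds the credential for the ASM instance.
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  # Back up an existing config rather than losing other clusters' contexts.
  if [ -e "$dest" ]; then
    bak="$dest.bak.$(date +%Y%m%d%H%M%S)"
    cp "$dest" "$bak" && chmod 600 "$bak" || return 1
  fi
  # Write under umask 077, then rename, so the file is never world-readable.
  ( umask 077 && cp "$src" "$tmp" ) && chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# check_asm_access [KUBECONFIG]
#   Runs the connectivity check from step 4, then reports per verb and
#   resource whether the credential is allowed ("yes" or "no").
check_asm_access() {
  local cfg="${1:-$HOME/.kube/config}" verb res
  kubectl --kubeconfig "$cfg" get ns >/dev/null || return 1
  for res in namespaces istiogateways.istio.alibabacloud.com; do
    for verb in get list create delete; do
      printf '%-7s %-40s %s\n' "$verb" "$res" \
        "$(kubectl --kubeconfig "$cfg" auth can-i "$verb" "$res")"
    done
  done
}
```

Save the content from the Connection pane to a file, run `install_kubeconfig <that file>`, delete the file, and then run `check_asm_access`.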