Connect to a cluster with kubectl
Get a temporary or long-term kubeconfig from the ACK console for internal or public cluster access.
Prerequisites
Before you begin:
-
kubectl is installed. Verify with
kubectl version --client. -
Access to the ACK console
-
(RAM users) ACK and cluster-level permissions are granted.
Choose a kubeconfig type
A kubeconfig stores cluster access credentials.
By validity period:
| Type | Validity period | Best for |
|---|---|---|
| Temporary kubeconfig | 30 minutes to 3 days (configurable) | Daily O&M, troubleshooting, CI/CD pipelines |
| Long-term kubeconfig | 3 years (default) | Automated systems, long-running monitoring services |
Temporary kubeconfigs auto-expire, reducing credential exposure risk. Use long-term kubeconfig only when frequent rotation is impractical.
By access method:
| Type | Requirement | Best for |
|---|---|---|
| Internal access | Client machine in the same Virtual Private Cloud (VPC) as the cluster | Lower latency, enhanced security |
| Public access | Any machine with internet access; requires an elastic IP address (EIP) on the API server | Local development, remote O&M |
EIP usage incurs charges. See Pay-as-you-go.
Under the shared responsibility model, you are responsible for securing and maintaining your kubeconfig credentials. Regularly rotate your kubeconfig and follow the principle of least privilege.
For ACK dedicated clusters with public access, you can also connect to the master node via SSH to get the kubeconfig.
Get a kubeconfig file and connect to the cluster
-
Log on to the ACK console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the target cluster name or click Details in the Actions column.
-
On the cluster details page, click the Connection Information tab. Select Temporary kubeconfig or Long-term kubeconfig. For temporary, set a validity period.
-
Select the Public Access or Internal Access tab, then click Copy.
-
Paste the content into
$HOME/.kube/configon your client machine and save.NoteIf the file or directory does not exist, create it:
mkdir -p $HOME/.kube touch $HOME/.kube/config -
Verify the connection:
kubectl get namespacesSample output:
NAME STATUS AGE default Active 4h39m kube-node-lease Active 4h39m kube-public Active 4h39m kube-system Active 4h39m
Clean up access
When a user no longer needs cluster access, revoke their kubeconfig. The system does not generate new kubeconfig files for that user. To revoke multiple users at once, use ack-ram-tool.
To restore accidentally revoked kubeconfig, use the kubeconfig recycle bin.
FAQ
How do I find the identity associated with a kubeconfig certificate?
Replace kubeconfig with your file path. kubectl defaults to $HOME/.kube/config. Use the KUBECONFIG variable or --kubeconfig flag for a different file.
grep client-certificate-data kubeconfig | awk '{print $2}' | base64 -d | openssl x509 -noout -text | grep Subject:
Sample output:
Subject: O=system:users, OU=, CN=1***-1673419473
-
O: The Kubernetes user group — in this example,system:users. -
CN: The associated user — in this example,1***-1673419473, where1***is the Alibaba Cloud user ID.
How do I check when a kubeconfig certificate expires?
Replace kubeconfig with your file path:
grep client-certificate-data kubeconfig | awk '{print $2}' | base64 -d | openssl x509 -noout -enddate
Sample output:
notAfter=Jan 10 06:44:34 2026 GMT
In this example, the certificate expires on January 10, 2026. Renew via the console or API within 180 days before expiry, or any time after.
How do I extract the client certificate, private key, and API server address from a kubeconfig?
Replace kubeconfig with your file path:
cat ./kubeconfig | grep client-certificate-data | awk -F ' ' '{print $2}' | base64 -d > ./client-cert.pem
cat ./kubeconfig | grep client-key-data | awk -F ' ' '{print $2}' | base64 -d > ./client-key.pem
APISERVER=`cat ./kubeconfig | grep server | awk -F ' ' '{print $2}'`
Next steps
Use kubectl to deploy workloads, inspect resources, and manage applications.