onectl is a command-line tool provided by Distributed Cloud Container Platform for Kubernetes (ACK One) for managing registered clusters. With onectl, you can create and connect registered clusters, manage cluster components, and configure Resource Access Management (RAM) user permissions for components—all from the terminal.
onectl supports macOS and Linux.
Prerequisites
Before you begin, make sure you have:
- A terminal running macOS or Linux
- An external Kubernetes cluster with a valid kubeconfig file (default path: `~/.kube/config`)
- A RAM user with the following system policies attached:
  - AliyunCSFullAccess — ACK administrator permissions
  - AliyunRamFullAccess — RAM administrator permissions
  - AliyunVPCReadOnlyAccess — VPC read-only permissions
- The AccessKey ID and AccessKey Secret for that RAM user
The RAM user for onectl and the RAM users created for cluster components are separate. The RAM user configured here is used by onectl to call Alibaba Cloud APIs.
How it works
Communicating with the external cluster
When you connect a registered cluster to an external cluster, onectl deploys an ACK One agent in the external cluster. onectl then communicates with the external cluster using the following kubeconfig sources, in order:
1. The `--kubeconfig` parameter passed directly in the command. For example: `onectl cluster connect --cluster-id <cluster-id> --kubeconfig ~/.kube/config`
2. The `KUBECONFIG` environment variable.
3. The Kubeconfig Path parameter in `~/.onectl/config.json` (configured via `onectl configure`).
4. `~/.kube/config` as the default fallback.
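Because the kubeconfig that wins this lookup decides which cluster receives the ACK One agent, it is useful to be able to predict the choice before running a connect or install command. The following shell script is an added example, not onectl's own code: it applies the same four-step order to print the path onectl would use, and it also covers the Step 3 case below where only `KUBECONFIG` is set. It assumes that `~/.onectl/config.json` stores the value under a `"Kubeconfig Path"` key (the page names the parameter but does not show the file's JSON layout), and `resolve_kubeconfig` and `config_kubeconfig_path` are names chosen here.

```shell
#!/bin/sh
# Added example, not onectl's own code: reproduce the kubeconfig lookup order
# so you can predict which file a command such as `onectl cluster connect`
# will use before it deploys the agent.
# Assumption: ~/.onectl/config.json stores the path under a "Kubeconfig Path"
# key; the page names the parameter but does not show the file's JSON layout.

# Read the "Kubeconfig Path" value from an onectl config.json without jq.
# Prints nothing (and exits 0) if the file is missing or has no such key.
config_kubeconfig_path() {
  if [ -r "$1" ]; then
    sed -n 's/.*"Kubeconfig Path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
  fi
}

# resolve_kubeconfig [FLAG_VALUE] [CONFIG_JSON]
#   FLAG_VALUE  the value given to --kubeconfig, or empty if the flag was not used
#   CONFIG_JSON path of onectl's config file (defaults to ~/.onectl/config.json)
# Prints the kubeconfig path onectl would use, applying the documented order:
#   1. --kubeconfig flag  2. $KUBECONFIG  3. config.json  4. ~/.kube/config
resolve_kubeconfig() {
  flag="$1"
  cfg="${2:-$HOME/.onectl/config.json}"
  if [ -n "$flag" ]; then
    printf '%s\n' "$flag"
    return 0
  fi
  if [ -n "$KUBECONFIG" ]; then
    printf '%s\n' "$KUBECONFIG"
    return 0
  fi
  from_cfg=$(config_kubeconfig_path "$cfg")
  if [ -n "$from_cfg" ]; then
    printf '%s\n' "$from_cfg"
    return 0
  fi
  printf '%s\n' "$HOME/.kube/config"
}

# Usage: show which kubeconfig a plain `onectl cluster connect` would use,
# and which one it would use with `--kubeconfig /tmp/other.yaml`.
echo "without --kubeconfig: $(resolve_kubeconfig "")"
echo "with --kubeconfig:    $(resolve_kubeconfig /tmp/other.yaml)"
```

Run it in the same shell session you will run onectl from, so that it sees the same `KUBECONFIG` value; if the printed path is not the cluster you expect, pass `--kubeconfig` explicitly rather than relying on the fallbacks.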
Connecting to a registered cluster
When you run onectl cluster connect, onectl performs two steps:
1. Retrieves the connection information for the registered cluster and saves it to a local file named `agent.yaml`.
2. Deploys the ACK One agent in the external cluster based on that connection information.
RAM users for cluster components
Components that run in a registered cluster use the AccessKey pair of a RAM user to access Alibaba Cloud resources. For example, the logtail-ds component requires access to Simple Log Service resources such as projects and Logstores. The AccessKey pair is stored in a Secret named alibaba-addon-secret in the kube-system namespace.
- If the Secret already exists, onectl uses the AccessKey pair stored in it.
- If the Secret does not exist, onectl automatically creates a RAM user named `ack-one-user-<cluster-id-prefix>` and stores the new AccessKey pair in the Secret.
Installing cluster components
Installing a component requires administrator permissions on the registered cluster. onectl checks whether the service account of the ACK One agent has admin permissions before proceeding:
- If it does, onectl installs the component directly.
- If it does not, onectl automatically creates a temporary ClusterRole (`ack-admin-tmp`) and ClusterRoleBinding (`ack-admin-binding-tmp`), grants admin permissions to the service account, installs the component, and then deletes the temporary role and binding.
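Because the temporary ClusterRole grants unrestricted verbs on every resource and non-resource URL to the agent's service account, it is worth confirming after an install that both objects were in fact deleted rather than left behind by an interrupted run. The following shell check is an added example, not part of onectl: the object names and the `ack/creator` label come from the definitions on this page, `leftover_tmp_rbac` and `check_cluster` are names chosen here, and the listings it runs against are constructed samples, not real cluster output.

```shell
#!/bin/sh
# Added example, not onectl's own code: after an install that needed the
# temporary grant, confirm that the ClusterRole/ClusterRoleBinding onectl
# created for the agent service account are gone. Object names and the
# ack/creator=ack label come from the definitions on this page; the sample
# listings below are constructed, not real cluster output.

# `kubectl get ... -o name` prints objects as <resource>.<group>/<name>.
TMP_ROLE="clusterrole.rbac.authorization.k8s.io/ack-admin-tmp"
TMP_BINDING="clusterrolebinding.rbac.authorization.k8s.io/ack-admin-binding-tmp"

# leftover_tmp_rbac LISTING
#   LISTING: output of
#     kubectl get clusterrole,clusterrolebinding -l ack/creator=ack -o name
#   Prints each temporary object that is still present.
#   Returns 0 when the grant was cleaned up, 1 when anything is left over.
leftover_tmp_rbac() {
  found=0
  for obj in $1; do
    case "$obj" in
      "$TMP_ROLE"|"$TMP_BINDING")
        printf 'still present: %s\n' "$obj"
        found=1
        ;;
    esac
  done
  return "$found"
}

# Live check against the current kube context (needs kubectl and cluster access).
check_cluster() {
  leftover_tmp_rbac "$(kubectl get clusterrole,clusterrolebinding -l ack/creator=ack -o name)"
}

# Constructed listings: one after a clean install, one where both objects survived.
SAMPLE_CLEAN="clusterrole.rbac.authorization.k8s.io/example-role
clusterrolebinding.rbac.authorization.k8s.io/example-binding"
SAMPLE_LEFTOVER="$SAMPLE_CLEAN
clusterrole.rbac.authorization.k8s.io/ack-admin-tmp
clusterrolebinding.rbac.authorization.k8s.io/ack-admin-binding-tmp"

leftover_tmp_rbac "$SAMPLE_CLEAN" && echo "sample 1: temporary grant cleaned up"
leftover_tmp_rbac "$SAMPLE_LEFTOVER" || echo "sample 2: temporary grant still bound to the agent"
```

Against a real cluster, call `check_cluster` once `onectl addon install` has returned; a non-zero exit means the admin binding is still attached to the `ack` service account and should be removed by hand.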
The temporary ClusterRole and ClusterRoleBinding use the following definitions:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin-tmp
  labels:
    ack/creator: "ack"
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-admin-binding-tmp
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
  - kind: ServiceAccount
    name: ack
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-admin-tmp
  apiGroup: rbac.authorization.k8s.io
```

Step 1: Install onectl
Run the following command to install onectl:

```bash
curl https://ack-one.oss-cn-hangzhou.aliyuncs.com/onectl/get-onectl.sh | bash
```

Verify the installation:

```bash
onectl version
```

Expected output:

```
onectl: v1.0.0+774dea0 BuildDate: 2023-07-12T06:10:27Z GitCommit: 774dea0f768569821e101dc44d1cb09cef192fe8 GitTreeState: clean GoVersion: go1.20.4 Compiler: gc Platform: darwin/amd64
```
Step 2: Configure onectl credentials
Run the following command to configure the AccessKey pair and default kubeconfig path:

```bash
onectl configure
```

Expected output:

```
Configuring profile default ...
Access Key Id [*********************f7x]:
Access Key Secret [***************************mft]:
Default Kubeconfig Path (default is ~/.kube/config) []:
Saving profile[default] ...
Done.
```

| Parameter | Description |
|---|---|
| Access Key Id | The AccessKey ID of the RAM user for onectl |
| Access Key Secret | The AccessKey Secret of the RAM user for onectl |
| Kubeconfig Path | The path to the kubeconfig file for connecting to the external cluster. Default: `~/.kube/config` |
Step 3: Set the kubeconfig for your external cluster
By default, onectl uses the kubeconfig file specified in the KUBECONFIG environment variable to connect to the external cluster. If KUBECONFIG is not set, onectl falls back to ~/.kube/config.
If your kubeconfig file is at a non-default path, set the environment variable:

```bash
export KUBECONFIG=/path/to/your/kubeconfig
```

What's next
The following sections show the key commands for managing clusters, components, and RAM users. Replace the placeholder values with your own before running each command.
Manage clusters
Replace <cluster-id> with the ID of your registered cluster and <region-id>, <vpc-id>, <vswitch-id>, and <cluster-name> with your environment-specific values.
Create a registered cluster and connect an external cluster to it. For more information, see Use onectl to create a registered cluster.
```bash
onectl cluster create --region <region-id> --vpc <vpc-id> --vswitch <vswitch-id> --name <cluster-name> --eip true
onectl cluster connect --cluster-id <cluster-id>
```

Expected output for `cluster connect`:

```
Agent information saved as agent.yaml.
Installing ACK One agent using kubeconfig file **** to connect to registered cluster ****. Confirm? [Y/n]: y
ACK One agent deployed successfully. Check the running status of deployment ack-cluster-agent to confirm the connection status of registered cluster ****.
```

Query the status of a registered cluster:

```bash
onectl cluster describe --cluster-id <cluster-id>
```

List all registered clusters:

```bash
onectl cluster list
```

Delete a registered cluster:

```bash
onectl cluster delete --cluster-id <cluster-id>
```
Manage components
Replace <component-name> with the name of the component.
Install a component. If the ACK One agent does not have admin permissions, onectl grants temporary permissions automatically and removes them after installation.
```bash
onectl addon install <component-name>
```

Example output when temporary permissions are granted:

```
Cluster role ack-admin-tmp created.
Cluster role binding ack-admin-binding-tmp created.
Addon logtail-ds, version **** installed.
Cluster role ack-admin-tmp deleted.
Cluster role binding ack-admin-binding-tmp deleted.
```

Upgrade a component:

```bash
onectl addon upgrade <component-name>
```

List installed components:

```bash
onectl addon list
```

List all installable components:

```bash
onectl addon catalog
```

Uninstall a component:

```bash
onectl addon uninstall <component-name>
```
Manage RAM users for components
Some components need a RAM user with specific permissions to access Alibaba Cloud resources. Grant permissions before installing a component that requires them.
Replace <component-name> with the name of the component.
Grant permissions to the RAM user for a component. If the Secret `alibaba-addon-secret` does not exist in the cluster, onectl creates a new RAM user and Secret automatically.

```bash
onectl ram-user grant --addon <component-name>
```

Example output when a new RAM user is created:

```
Ram user ack-one-user-ce313528c3 created successfully.
Ram policy ack-one-registered-cluster-policy-terway-eniip granted to ram user ack-one-user-ce313528c3 successfully.
Secret alibaba-addon-secret created under namespace kube-system in the cluster, it stores the access key and secret of ram user ack-one-user-ce313528c3.
```

Query the permissions of the RAM user:

```bash
onectl ram-user describe --detail
```

Update the permissions of the RAM user:

```bash
onectl ram-user update --addon <component-name>
```

Revoke permissions from the RAM user:

```bash
onectl ram-user revoke --addon <component-name>
```