Use kubectl on the control plane to access Istio resources - Alibaba Cloud Service Mesh

If you want to use API operations to manage an Alibaba Cloud Service Mesh (ASM) instance, you can use the kubectl client to connect to the ASM instance.

Background information

kubectl is a command-line tool of Kubernetes. You can use kubectl to manage Kubernetes clusters, containerized applications deployed in Kubernetes clusters, and ASM instances.

Based on the role-based access control (RBAC) mode of Kubernetes, ASM provides predefined RBAC roles with different permissions on an ASM instance. You can assign roles with the following permissions to users as required:

The permissions to manage namespaces on the control plane, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
The permissions to manage Istio resources, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
The permissions to manage istiogateways.istio.alibabacloud.com resources for deploying ingress gateways, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
The read-only permissions on istio.alibabacloud.com resources, including the permissions to perform the get and list operations.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-admin
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: 
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - config.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  - security.istio.io
  resources: ["*"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["istiogateways"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["*"]
  verbs:
  - get
  - list

Procedure

Select and download a version of kubectl from GitHub. Then, install and configure the kubectl client. For more information, see Install and Set Up kubectl.
View the connection configuration of the ASM instance.
1. Log on to the ASM console.
2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
4. Click Connection in the upper-right corner.
  In the Connection panel, you can view the Internet connection configuration on the Internet Access tab, and the internal connection configuration on the Internal Access tab.
  Important You can access an ASM instance from the Internet only if an elastic IP address (EIP) is associated with the API server of the ASM instance to expose the API Server to the Internet. Otherwise, the Internet Access tab is not displayed in the Connection panel.
Add the credential for connecting to the ASM instance.
- If the ASM instance supports Internet access, click the Internet Access tab and copy the content in the code editor to the config file in the $HOME/.kube directory. This is the default file from which kubectl obtains credentials. If the config file does not exist in the specified directory, create one by yourself.
- If the ASM instance supports internal access, click the Internal Access tab and copy the content in the code editor to the config file in the $HOME/.kube directory. This is the default file from which kubectl obtains credentials. If the config file does not exist in the specified directory, create one by yourself.
Run the following command to check whether you can connect to the ASM instance from the kubectl client. If the namespace information is returned, the connection succeeds.
```
kubectl get ns
```