If you want to use API operations to manage an Alibaba Cloud Service Mesh (ASM) instance, you can use the kubectl client to connect to the ASM instance.
Background information
kubectl is a command-line tool of Kubernetes. You can use kubectl to manage Kubernetes clusters, containerized applications deployed in Kubernetes clusters, and ASM instances.
Based on the role-based access control (RBAC) mode of Kubernetes, ASM provides predefined RBAC roles with different permissions on an ASM instance. You can assign roles with the following permissions to users as required:
- The permissions to manage namespaces on the control plane, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
- The permissions to manage Istio resources, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
- The permissions to manage
istiogateways.istio.alibabacloud.com
resources for deploying ingress gateways, including the permissions to perform the create, delete, get, list, patch, update, and watch operations. - The read-only permissions on
istio.alibabacloud.com
resources, including the permissions to perform the get and list operations.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-admin
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- config.istio.io
- networking.istio.io
- authentication.istio.io
- rbac.istio.io
- security.istio.io
resources: ["*"]
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- istio.alibabacloud.com
resources: ["istiogateways"]
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- istio.alibabacloud.com
resources: ["*"]
verbs:
- get
- list
Procedure
- Select and download a version of kubectl from GitHub. Then, install and configure the kubectl client. For more information, see Install and Set Up kubectl.
- View the connection configuration of the ASM instance.
- Add the credential for connecting to the ASM instance.
- If the ASM instance supports Internet access, click the Internet Access tab and copy the content in the code editor to the config file in the $HOME/.kube directory. This is the default file from which kubectl obtains credentials. If the config file does not exist in the specified directory, create one by yourself.
- If the ASM instance supports internal access, click the Internal Access tab and copy the content in the code editor to the config file in the $HOME/.kube directory. This is the default file from which kubectl obtains credentials. If the config file does not exist in the specified directory, create one by yourself.
- Run the following command to check whether you can connect to the ASM instance from the kubectl client. If the namespace information is returned, the connection succeeds.
kubectl get ns