
Alibaba Cloud Service Mesh:Use kubectl on the control plane to access Istio resources

Last Updated:Mar 04, 2024

If you want to use API operations to manage a Service Mesh (ASM) instance, you can use a kubectl client to connect to the ASM instance.

Background information

kubectl is a command-line tool of Kubernetes. You can use kubectl to manage Kubernetes clusters, containerized applications deployed in Kubernetes clusters, and ASM instances.

Based on the role-based access control (RBAC) mode of Kubernetes, ASM provides predefined RBAC roles with different permissions on an ASM instance, and you assign these roles to users as required. The predefined istio-admin ClusterRole shown after this list grants the following permissions:

  • The permissions to manage namespaces on the control plane, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.

  • The permissions to manage Istio resources in the config.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, and security.istio.io API groups, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.

  • The permissions to manage istiogateways.istio.alibabacloud.com resources for deploying ingress gateways, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.

  • The read-only permissions (get and list) on all istio.alibabacloud.com resources.

A ClusterRole takes effect only once it is bound to a user. Bound through a ClusterRoleBinding, istio-admin grants these permissions in every namespace of the control plane; bound through a RoleBinding, it grants the Istio resource permissions in that namespace only, and the rule on namespaces, which are cluster-scoped, has no effect. Grant the cluster-wide binding only to users who need to manage the whole mesh. The ClusterRole is defined as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-admin
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - config.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  - security.istio.io
  resources: ["*"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["istiogateways"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["*"]
  verbs:
  - get
  - list

Procedure

  1. Select and download a version of kubectl from GitHub. Then, install and configure the kubectl client. For more information, see Install and Set Up kubectl.

  2. Add the credentials for connecting to the ASM instance.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Base Information.

    3. In the upper-right corner of the Base Information page, click Connection. In the Connection panel, click the Internet Access or Internal Access tab based on your requirements, and then click Copy Kubeconfig File to copy the content in the code editor into the config file in the $HOME/.kube directory on your on-premises machine. This is the default file from which kubectl reads credentials.

      If the config file does not exist in that directory, create it. The kubeconfig carries the credentials for the ASM control plane, so keep the file readable only by your own user (for example, chmod 600 $HOME/.kube/config) and never commit it to a repository. If $HOME/.kube/config already holds the contexts of other clusters, save the ASM kubeconfig as a separate file instead and select it with the KUBECONFIG environment variable or the kubectl --kubeconfig option, so that the existing contexts are not overwritten.

      Important

      You can access an ASM instance from the Internet only if an elastic IP address (EIP) is associated with the API server of the ASM instance to expose the API server to the Internet. Otherwise, the Internet Access tab is not displayed in the Connection panel. An EIP makes the API server reachable from the Internet, so use Internal Access from within the VPC where possible.

  3. Run the following command to check whether you can connect to the ASM instance from the kubectl client:

    kubectl get ns

    If a list of namespaces is returned, the connection succeeds. An Unauthorized error means that the credentials in the kubeconfig were rejected; a Forbidden error means that they were accepted but the role bound to them does not grant the list permission on namespaces.
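The following script is an added example and is not part of the ASM documentation or of Alibaba Cloud's tooling. It carries out steps 2 and 3 of the procedure in a form that is safe to repeat: it installs the kubeconfig pasted from the console into a dedicated file with mode 0600, refuses to overwrite a file that already exists, checks that the paste was not truncated, runs the connection check from step 3, and then verifies with kubectl auth can-i that the credential holds the permissions of the istio-admin ClusterRole above and none outside its API groups. The function names, the environment variables, the default path ~/.kube/asm-config and the script name asm-kubectl.sh are assumptions of this example; the resource names virtualservices.networking.istio.io and peerauthentications.security.istio.io are standard Istio kinds in API groups the role lists.

```shell
#!/bin/sh
# Added example, not from the ASM documentation: install the kubeconfig pasted
# from the ASM console into a private file, run the step-3 connection check, and
# verify that the credential holds exactly the rights of the istio-admin
# ClusterRole. Function names, environment variables and the default path
# ~/.kube/asm-config are assumptions of this example.

# Print the permission string ls shows for a file, e.g. -rw-------
kubeconfig_mode() {
  ls -ld "$1" | cut -c1-10
}

# Copy the pasted kubeconfig into a dedicated file with mode 0600. Refuses to
# overwrite an existing file so a live credential is never clobbered.
install_asm_kubeconfig() {
  src="$1"; dest="$2"
  if [ -e "$dest" ]; then
    echo "refusing to overwrite existing $dest" >&2
    return 1
  fi
  # umask 077 gives a new directory mode 0700 and the new file mode 0600
  # whatever the caller's umask is; the chmod covers a read-only source file
  ( umask 077 && mkdir -p "$(dirname "$dest")" && cp "$src" "$dest" ) || return 1
  chmod 600 "$dest"
}

# Fail unless the file is readable and writable only by its owner.
assert_private() {
  mode=$(kubeconfig_mode "$1")
  [ "$mode" = "-rw-------" ] && return 0
  echo "$1 has mode $mode, expected -rw-------" >&2
  return 1
}

# Catch a truncated paste: the kubeconfig must name the API server and carry a
# client credential (certificate/key pair or token).
kubeconfig_looks_complete() {
  grep -q '^ *server:' "$1" || { echo "no server: entry in $1" >&2; return 1; }
  grep -Eq '^ *(client-certificate-data|client-key-data|token):' "$1" \
    || { echo "no client credential in $1" >&2; return 1; }
}

# Step 3 of the procedure; the request timeout stops kubectl hanging when the
# Internal Access endpoint is used from outside the VPC.
check_connection() {
  kubectl --kubeconfig "$1" --request-timeout=15s get ns
}

# Answer of "kubectl auth can-i VERB RESOURCE -n NS": yes, no, or error. kubectl
# prints "yes" or "no[ - reason]"; anything else (unreachable API server,
# rejected credential) is reported as error rather than mistaken for a denial.
can_i() {
  ans=$(kubectl --kubeconfig "$1" auth can-i "$2" "$3" -n "$4" 2>/dev/null || true)
  case "$ans" in
    yes) echo yes ;;
    no*) echo no ;;
    *)   echo error ;;
  esac
}

# Least-privilege check: each verb:resource pair in the first list is granted
# by a rule of istio-admin and must be allowed; the pairs in the second list lie
# outside its API groups and must be denied. Returns 1 on any deviation.
check_istio_admin_rights() {
  cfg="$1"; ns="$2"; rc=0
  for spec in 'create:namespaces' \
              'create:virtualservices.networking.istio.io' \
              'create:peerauthentications.security.istio.io' \
              'create:istiogateways.istio.alibabacloud.com' \
              'get:istiogateways.istio.alibabacloud.com'; do
    verb=${spec%%:*}; res=${spec#*:}
    case "$(can_i "$cfg" "$verb" "$res" "$ns")" in
      yes)   echo "ok      $verb $res" ;;
      error) echo "ERROR   $verb $res could not be checked"; rc=1 ;;
      *)     echo "MISSING $verb $res"; rc=1 ;;
    esac
  done
  for spec in 'get:secrets' 'create:pods' 'create:deployments.apps'; do
    verb=${spec%%:*}; res=${spec#*:}
    case "$(can_i "$cfg" "$verb" "$res" "$ns")" in
      no)    echo "ok      $verb $res denied" ;;
      error) echo "ERROR   $verb $res could not be checked"; rc=1 ;;
      *)     echo "EXCESS  $verb $res allowed but not granted by istio-admin"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage (paths assumed): ASM_KUBECONFIG_SRC=./pasted-config ASM_NS=default sh asm-kubectl.sh
if [ -n "${ASM_KUBECONFIG_SRC:-}" ]; then
  dest="${ASM_KUBECONFIG_DEST:-$HOME/.kube/asm-config}"
  install_asm_kubeconfig "$ASM_KUBECONFIG_SRC" "$dest" &&
    assert_private "$dest" &&
    kubeconfig_looks_complete "$dest" &&
    check_connection "$dest" &&
    check_istio_admin_rights "$dest" "${ASM_NS:-default}"
fi
```

If the Istio checks pass but `create namespaces` is reported as MISSING, the ClusterRole was most likely bound with a RoleBinding rather than a ClusterRoleBinding: a RoleBinding never grants cluster-scoped resources such as namespaces. An EXCESS line means the user holds some broader role in addition to istio-admin and the binding should be reviewed.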