You can connect to the TKG Service cluster control plane as the kubernetes-admin
user to perform administrative tasks and troubleshoot cluster problems.
A valid kubeconfig file for a provisioned TKG cluster is available on the Supervisor as a secret object named TKG-CLUSTER-NAME-kubeconfig. You can use this secret to connect to the cluster control plane as the kubernetes-admin user.
Procedure
- Connect to Supervisor.
- Switch context to the vSphere Namespace where the target TKG cluster is provisioned.
kubectl config use-context VSPHERE-NAMESPACE
- View the secret objects in the namespace.
The secret is named TKG-CLUSTER-NAME-kubeconfig.
kubectl config use-context tkg-cluster-ns
Switched to context "tkg-cluster-ns".
ubuntu@ubuntu:~$ kubectl get secrets
NAME TYPE DATA AGE
...
tkg-cluster-1-kubeconfig Opaque 1 23h
...
- Decode the secret by running the following command.
The secret is Base64 encoded. To decode it: on Linux, use base64 --decode (or base64 -d); on macOS, use base64 --Decode (or base64 -D); on Windows, use an online tool.
kubectl get secret TKG-CLUSTER-NAME-kubeconfig -o jsonpath='{.data.value}' | base64 -d > tkgs-cluster-kubeconfig-admin
This command decodes the secret and writes it to a local file named tkgs-cluster-kubeconfig-admin. Use the cat command to verify the file contents.
- Connect to the TKG cluster as the Kubernetes administrator using the decoded tkgs-cluster-kubeconfig-admin file.
There are two options to do this:

| Option | Description |
| --- | --- |
| --kubeconfig <path\to\kubeconfig> | Use the --kubeconfig flag and the path to the local kubeconfig file. For example, assuming the kubeconfig file is in the same directory where you are running the command: kubectl --kubeconfig tkgs-cluster-kubeconfig-admin get nodes |
| KUBECONFIG | Set your KUBECONFIG environment variable to point to the decoded kubeconfig file and run kubectl, such as kubectl get nodes. |

You should see the nodes in the cluster.
- If you are a devops user with edit permissions on the vSphere Namespace and you want to log in to a TKG cluster as an admin user using the Tanzu CLI, run the following command:
tanzu cluster kubeconfig get CLUSTER-NAME --admin
This command will generate a kubeconfig containing the cert/private key for kubernetes-control-plane (which bypasses all authorization). You can then log in to the cluster using this kubeconfig. See .
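The decode step above redirects the admin kubeconfig into a file created with the shell's default permissions. The following added example (not part of the original page) wraps the same decode in a shell function that picks the Base64 flag the local system accepts, checks that the result is a kubeconfig, and saves it readable by the owner only. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the sample
# kubeconfig in demo() are constructed for illustration.

# Decode Base64 from stdin with whichever flag the local base64 accepts
# (-d on Linux, -D on macOS, per the decode step above).
b64_decode() {
    if printf 'QQ==' | base64 -d >/dev/null 2>&1; then
        base64 -d
    else
        base64 -D
    fi
}

# Read the Base64 secret value on stdin and write it to "$1" as an
# owner-only (0600) file. Output that is not a kubeconfig is discarded.
save_admin_kubeconfig() {
    out=$1
    tmp=$(umask 077; mktemp "${out}.XXXXXX") || return 1
    if ! b64_decode > "$tmp" 2>/dev/null || ! grep -q '^kind: Config' "$tmp"; then
        rm -f "$tmp"
        echo "decoded secret is not a kubeconfig" >&2
        return 1
    fi
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# Print a file's mode as octal digits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage against a Supervisor, with the same kubectl command as the step above:
#   kubectl get secret TKG-CLUSTER-NAME-kubeconfig -o jsonpath='{.data.value}' \
#       | save_admin_kubeconfig tkgs-cluster-kubeconfig-admin

# Constructed sample input so the example runs offline.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'apiVersion: v1\nkind: Config\nclusters: []\n' | base64 \
        | save_admin_kubeconfig "$dir/tkgs-cluster-kubeconfig-admin" || return 1
    file_mode "$dir/tkgs-cluster-kubeconfig-admin"
    rm -rf "$dir"
}

demo  # prints 600
```

Because the file holds the control plane certificate and private key, delete it when the administrative task is finished.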