You can connect to the TKG cluster control plane as the kubernetes-admin user to perform administrative tasks and troubleshoot cluster problems.

A valid kubeconfig file for a provisioned Tanzu Kubernetes cluster is available on the Supervisor as a secret object named TKG-CLUSTER-NAME-kubeconfig. You can use this secret to connect to the cluster control plane as the kubernetes-admin user.


  1. Connect to Supervisor.
  2. Switch context to the vSphere Namespace where the target TKG cluster is provisioned.
    kubectl config use-context VSPHERE-NAMESPACE
  3. View the secret objects in the namespace.
    kubectl get secrets
    The secret is named TKG-CLUSTER-NAME-kubeconfig.
    kubectl config use-context tkg-cluster-ns
    Switched to context "tkg-cluster-ns".
    ubuntu@ubuntu:~$ kubectl get secrets
    NAME                                 TYPE                                 DATA   AGE
    tkg-cluster-1-kubeconfig            Opaque                                1      23h
  4. Decode the secret by running the following command.
    The secret is Base64 encoded. To decode it: on Linux use base64 --decode (or base64 -d); on MacOS, use base64 --Decode (or base64 -D); on Windows, use an online tool.
    kubectl get secret TKG-CLUSTER-NAME-kubeconfig -o jsonpath='{.data.value}' | base64 -d > tkgs-cluster-kubeconfig-admin
    This command decodes the secret and writes it to a local file named tkgs-cluster-kubeconfig-admin. Use the cat command to verify the file contents.
  5. Connect to the TKG cluster as the Kubernetes administrator using the decoded tkg-cluster-kubeconfig-admin file.
    There are two options to do this:
    Option Description
    --kubeconfig <path\to\kubeconfig> Use the --kubeconfig flag and the path to the local kubeconfig file. For example, assuming the kubeconfig file is in the same directory where you are running the command: kubectl --kubeconfig tkg-cluster-kubeconfig-admin get nodes
    KUBECONFIG Set your KUBECONFIG environment variable to point to the decoded kubeconfig file and run kubectl, such as kubectl get nodes.
    You should see the nodes in the cluster.
  6. If you are a devops user with edit permissions on the vSphere Namespace and you want to log in to a TKG cluster as an admin user using the Tanzu CLI, run the following command:
    tanzu cluster kubeconfig get CLUSTER-NAME --admin
    This command will generate a kubeconfig containing the cert/private key for kubernetes-control-plane (which bypasses all authorization). You can then log in to the cluster using this kubeconfig. See .