Connect to a TKG cluster using the Tanzu CLI and authenticate with your OIDC provider.
Prerequisites
DevOps User Workflow
As a DevOps user with edit permissions on the target vSphere Namespace, you use the Tanzu CLI to generate a shareable kubeconfig file that you then distribute to TKG clusters users. In Kubernetes, a configuration context contains a cluster, a namespace, and a user. You can view the cluster context in the file .kube/config. This file is commonly called the kubeconfig file.
- Verify that the Tanzu CLI context is set to Supervisor.
See Connect to Supervisor Using the Tanzu CLI and an External IDP.
- Verify that the vSphere Administrator has configured user permissions for the target vSphere Namespace.
External OIDC users and groups are mapped directly to vSphere Namespace roles. Cluster users should be added to the vSphere Namespace before you generate the shareable kubeconfig.
See Configure vSphere Namespace Permissions for External Identity Provider Users and Groups.
- List the TKG clusters provisioned in the target vSphere Namespace.
tanzu cluster list --namespace VSPHERE-NAMESPACE
- Generate a shareable kubeconfig file for the target TKG cluster.
tanzu cluster kubeconfig get CLUSTER-NAME --namespace=NAMESPACE
- Distribute the shared kubeconfig file to cluster users so they can login to the TKG cluster.
Cluster User Workflow
Complete these steps to log in to a TKG cluster as a cluster user.
- Obtain the kubeconfig file from the DevOps user.
- Log in to the TKGS cluster using the kubeconfig file and kubectl.
kubectl --kubeconfig
- Complete the browser authentication process.
- When the challenge is issued, visit the link using your browser.
- Copy/paste the authorization code into the CLI.
- Use
kubectl
to interact with the cluster.