Connect to a TKG Service Cluster as a vCenter Single Sign-On User with Kubectl

Connect to a TKG cluster using the vSphere Plugin for kubectl and authenticate with your vCenter Single Sign-On credentials.

After you log in to the TKG cluster, the vSphere Plugin for kubectl generates the context for the cluster. In Kubernetes, a configuration context contains a cluster, a namespace, and a user. You can view the cluster context in the file .kube/config. This file is commonly called the kubeconfig file.

Note: If you have an existing kubeconfig file, it is appended with each cluster context. The vSphere Plugin for kubectl respects the KUBECONFIG environment variable that kubectl itself uses. Although not required, it can be useful to set this variable before running kubectl vsphere login ... so that the information is written to a new file, instead of being added to your current kubeconfig file.

Prerequisites

Obtain the following information from your vSphere administrator:

Get your vCenter Single Sign-On credentials.
Get the IP address of the Supervisor control plane.
Get the name of the vSphere Namespace.
Install the Kubernetes CLI Tools for vSphere.

Procedure

To view the command syntax and options for logging in, run the following command.
```
kubectl vsphere login --help
```

To connect to the TKG cluster, run the following command.

kubectl vsphere login --server=SUPERVISOR-CLUSTER-CONTROL-PLANE-IP-OR-FQDN 
--tanzu-kubernetes-cluster-name TKG-CLUSTER-NAME 
--tanzu-kubernetes-cluster-namespace VSPHERE-NAMESPACE 
--vsphere-username VCENTER-SSO-USER-NAME

For example:

kubectl vsphere login --server=10.92.42.137 
--tanzu-kubernetes-cluster-name tkg-cluster-01 
--tanzu-kubernetes-cluster-namespace tkg-cluster-ns 
--vsphere-username [email protected]

Or, if Supervisor has been enabled with a fully qualified domain name (FQDN):

kubectl vsphere login --server=wonderland.acme.com 
--tanzu-kubernetes-cluster-name tkg-cluster-01 
--tanzu-kubernetes-cluster-namespace tkg-cluster-ns 
--vsphere-username [email protected]

This action creates a configuration file with the JSON Web Token (JWT) to authenticate to the Kubernetes API.

To authenticate, enter your vCenter Single Sign-On password.
If the operation is successful, you see the message Logged in successfully, and you can run kubectl commands against the cluster. If the command returns Error from server (Forbidden), typically this error means you do not have the required permissions.
To get a list of contexts available to you, run the following command:
```
kubectl config get-contexts
```
This command lists the configuration contexts you have access to. You see a configuration context for the target cluster, such as tkg-cluster-01.
To use the context for the target cluster, run the following command:
```
kubectl config use-context CLUSTER-NAME
```
To list cluster nodes, run the following command:
```
kubectl get nodes
```
You see the control plane and worker nodes in this cluster.
To list all the cluster pods, run the following command:
```
kubectl get pods -A
```
You see all the pods in this cluster across all Kubernetes namespaces that you have access to. If you have not deployed any workloads, you do not see any pods in the default namespace.