onectl is a command-line tool provided by Distributed Cloud Container Platform for Kubernetes (ACK One) for registered clusters. You can use onectl to manage registered clusters, cluster components, and Resource Access Management (RAM) users.
Introduction to onectl
onectl provides the following features.
Manage clusters
You can use onectl to create and delete registered clusters, query the status of registered clusters, query all registered clusters managed by the current RAM user, and connect external clusters to registered clusters.
Manage components
You can use onectl to install components, update components, query all components that are installed and can be installed, and delete components.
Manage the RAM user for a cluster component
You can use onectl to grant permissions to a Resource Access Management (RAM) user on a component, revoke permissions from a RAM user on a component, and query the permissions that are granted to a RAM user on a component.
How onectl works
Step 1: Install onectl
onectl supports macOS and Linux.
Run the following command to install onectl:
curl https://ack-one.oss-cn-hangzhou.aliyuncs.com/onectl/get-onectl.sh | bash
Run the following command to check whether onectl is installed:
onectl version
Expected output:
onectl: v1.0.0+774dea0 BuildDate: 2023-07-12T06:10:27Z GitCommit: 774dea0f768569821e101dc44d1cb09cef192fe8 GitTreeState: clean GoVersion: go1.20.4 Compiler: gc Platform: darwin/amd64
Step 2: Grant permissions to the RAM user for onectl
You can use onectl to manage registered clusters only after you log on as a RAM user. onectl uses the AccessKey pair of the RAM user to access Alibaba Cloud services. Therefore, the RAM user must have the following permissions on cloud resources:
ACK administrator permissions provided by the AliyunCSFullAccess system policy.
RAM administrator permissions provided by the AliyunRamFullAccess system policy.
VPC read-only permissions provided by the AliyunVPCReadOnlyAccess system policy.
The RAM user for onectl and the RAM users for cluster components are different.
You can run the following command to specify the AccessKey pair of the RAM user for onectl and the ID of the registered cluster:
onectl configure
Expected output:
Configuring profile default ...
Access Key Id [*********************f7x]:
Access Key Secret [***************************mft]:
Default Kubeconfig Path (default is ~/.kube/config) []:
Saving profile[default] ...
Done.
Parameter | Description |
Access Key Id, Access Key Secret | The AccessKey pair of the RAM user for onectl. |
Kubeconfig Path | The path of the kubeconfig file that is used to log on to the external cluster. Default value: ~/.kube/config. |
Step 3: Configure the kubeconfig file to connect to an external cluster
By default, onectl uses the kubeconfig file specified in the KUBECONFIG environment variable to connect to an external cluster. You need to set the KUBECONFIG environment variable before you use onectl. If the KUBECONFIG environment variable is not set, the ~/.kube/config file is used by default.
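The lookup order in Step 3 decides which cluster credentials onectl uses, so it is worth confirming the resolved file and its permissions before you connect a cluster. The following check is an added example, not part of onectl or its documentation; the function names are hypothetical, and it assumes that KUBECONFIG holds a single file path.

```bash
# Added example (not part of onectl): pre-flight check of the kubeconfig file
# that onectl picks up, following the lookup order described in Step 3.
# Assumption: KUBECONFIG holds a single file path.

# Print the kubeconfig path: $KUBECONFIG if set, otherwise ~/.kube/config.
resolve_kubeconfig() {
  printf '%s\n' "${KUBECONFIG:-$HOME/.kube/config}"
}

# Print the octal permission bits of a file, following symlinks.
# GNU stat (Linux) is tried first, then BSD stat (macOS).
file_mode() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Return 0 if the file is a regular file accessible only by its owner,
# 1 if any group/other permission bit is set,
# 2 if the file is missing or not a regular file.
check_kubeconfig() {
  local path="$1" mode
  if [ ! -f "$path" ]; then
    echo "kubeconfig: $path is missing or not a regular file" >&2
    return 2
  fi
  mode="$(file_mode "$path")"
  # Treat the mode as octal and mask the group and other bits.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "kubeconfig: $path has mode $mode; restrict it with: chmod 600 $path" >&2
    return 1
  fi
  echo "kubeconfig: $path (mode $mode) is owner-only"
  return 0
}

# Usage, for example before running onectl:
#   check_kubeconfig "$(resolve_kubeconfig)"
```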
What to do next
Manage clusters
You can use onectl to perform the following operations:
Create and connect to a registered cluster. cluster-id **** indicates the ID of the registered cluster. For more information, see Use onectl to create a registered cluster.
onectl cluster create --region **** --vpc **** --vswitch **** --name **** --eip true
onectl cluster connect --cluster-id ****
Query the status of a registered cluster.
onectl cluster describe --cluster-id ****
Query all registered clusters.
onectl cluster list
Delete a registered cluster.
onectl cluster delete --cluster-id ****
Manage components
You can use onectl to perform the following operations. **** indicates the name of the component that you want to manage.
Install a component.
onectl addon install ****
Update a component.
onectl addon upgrade ****
Query components.
onectl addon list
Query all components that can be installed.
onectl addon catalog
Uninstall a component.
onectl addon uninstall ****
Manage the RAM user for a cluster component
You can use onectl to perform the following operations. **** indicates the name of the component.
Grant permissions to the RAM user.
onectl ram-user grant --addon ****
Query the permissions of the RAM user.
onectl ram-user describe --detail
Revoke permissions from the RAM user.
onectl ram-user revoke --addon ****
Update the permissions of the RAM user.
onectl ram-user update --addon ****
References
For more information about how to query the installed components, see Manage components.
For more information about how to monitor the status of registered clusters, see Observability.
For more information about the security requirements on registered clusters, see Security management.