For more information on using kubectl, see Kubernetes Documentation: Overview of kubectl.

You can access and manage your clusters by logging into Rancher and opening the kubectl shell in the UI. No further configuration is necessary.

  1. Click Launch kubectl. Use the window that opens to interact with your Kubernetes cluster.

This section describes how to download your cluster’s kubeconfig file, launch kubectl from your workstation, and access your downstream cluster.

This alternative method of accessing the cluster allows you to authenticate with Rancher and manage your cluster without using the Rancher UI.

  1. Log into Rancher. From the Global view, open the cluster that you want to access with kubectl.
  2. Click Kubeconfig File.
  3. Copy the contents displayed to your clipboard.
  4. Paste the contents into a new file on your local computer. Move the file to .

     Note: The default location that kubectl uses for the kubeconfig file is ~/.kube/config, but you can use any directory and specify it using the --kubeconfig flag, as in this command:

     kubectl --kubeconfig /custom/path/kube.config get pods

Authenticating Directly with a Downstream Cluster

This section is intended to help you set up an alternative method to access an

This method is only available for RKE clusters that have the authorized cluster endpoint enabled. When Rancher creates this RKE cluster, it generates a kubeconfig file that includes additional kubectl context(s) for accessing your cluster. This additional context allows you to use kubectl to authenticate with the downstream cluster without authenticating through Rancher. For a longer explanation of how the authorized cluster endpoint works, refer to

As a best practice, we recommend setting up this method to access your RKE cluster, so that you can still access the cluster if you can’t connect to Rancher.

Prerequisites: The following steps assume that you have created a Kubernetes cluster and followed the steps to connect to your cluster with kubectl from your workstation.

To find the name of the context(s) in your downloaded kubeconfig file, run:

In this example, when you use kubectl with the first context, my-cluster, you will be authenticated through the Rancher server.

With the second context, my-cluster-controlplane-1, you would authenticate with the authorized cluster endpoint, communicating with a downstream RKE cluster directly.
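The difference between the two contexts can be read from the kubeconfig file itself. The script below is an added example, not part of the original page or Rancher's tooling. It assumes the Rancher-proxied entry has a server URL containing /k8s/clusters/ and that the file is laid out like the trimmed, constructed sample (hostname, cluster ID, IP address and token are placeholders).

```shell
# Constructed, trimmed kubeconfig; host, cluster ID, IP and token are placeholders.
make_sample() {
  # umask 077: the file holds a bearer token, so create it owner-only
  ( umask 077; cat > "$1" ) <<'EOF'
clusters:
- name: "my-cluster"
  cluster:
    server: "https://rancher.example.com/k8s/clusters/c-xxxxx"
- name: "my-cluster-controlplane-1"
  cluster:
    server: "https://203.0.113.10:6443"
users:
- name: "my-cluster"
  user:
    token: "PLACEHOLDER"
contexts:
- name: "my-cluster"
  context:
    user: "my-cluster"
    cluster: "my-cluster"
- name: "my-cluster-controlplane-1"
  context:
    user: "my-cluster"
    cluster: "my-cluster-controlplane-1"
current-context: "my-cluster"
EOF
}

# Print "context<TAB>route<TAB>server" per context. Assumption: a server URL
# containing /k8s/clusters/ is Rancher's proxy; anything else is a direct endpoint.
classify_contexts() {
  awk '
    /^[A-Za-z]/ { section = $1 }     # remember the current top-level key
    { gsub(/"/, "") }                # strip YAML quotes before comparing fields
    section == "clusters:" && $2 == "name:"    { cname = $3 }
    section == "clusters:" && $1 == "server:"  { server[cname] = $2 }
    section == "contexts:" && $2 == "name:"    { ctx = $3; order[++n] = ctx }
    section == "contexts:" && $1 == "cluster:" { cluster[ctx] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        s = server[cluster[order[i]]]
        printf "%s\t%s\t%s\n", order[i], (s ~ /\/k8s\/clusters\// ? "via-rancher" : "direct"), s
      }
    }
  ' "$1"
}

f=$(mktemp) && make_sample "$f" && classify_contexts "$f"; rm -f "$f"
```

Running classify_contexts against a downloaded kubeconfig shows which contexts bypass Rancher's authentication proxy before one is selected with kubectl's --context flag.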

Now that you have the name of the context needed to authenticate directly with the cluster, you can pass the name of the context in as an option when running kubectl commands. The commands will differ depending on whether your cluster has an FQDN defined. Examples are provided in the sections below.

When kubectl works normally, it confirms that you can access your cluster while bypassing Rancher’s authentication proxy.

If an FQDN is defined for the cluster, a single context referencing the FQDN will be created. The context will be named <CLUSTER_NAME>-fqdn. When you want to use kubectl to access this cluster without Rancher, you will need to use this context.

Assuming the kubeconfig file is located at ~/.kube/config:

Directly referencing the location of the kubeconfig file:

If there is no FQDN defined for the cluster, extra contexts will be created referencing the IP address of each node in the control plane. Each context will be named <CLUSTER_NAME>-<NODE_NAME>. When you want to use kubectl to access this cluster without Rancher, you will need to use this context.

Assuming the kubeconfig file is located at ~/.kube/config: