- Rancher CLI
The Rancher CLI (Command Line Interface) is a unified tool that you can use to interact with Rancher. With this tool, you can operate Rancher using a command line rather than the GUI.
Download Rancher CLI
The binary can be downloaded directly from the UI. The link can be found in the right hand side of the footer in the UI. We have binaries for Windows, Mac, and Linux. You can also check the releases page for our CLI for direct downloads of the binary.
After you download the Rancher CLI, you need to make a few configurations. Rancher CLI requires:
- Your Rancher Server URL, which is used to connect to Rancher Server.
- An API Bearer Token, which is used to authenticate with Rancher. For more information about obtaining a Bearer Token, see Creating an API Key.
Before you can use Rancher CLI to control your Rancher Server, you must authenticate using an API Bearer Token. Log in using the following command (replace
<SERVER_URL> with your information):
$ ./rancher login https://<SERVER_URL> --token <BEARER_TOKEN>
If Rancher Server uses a self-signed certificate, Rancher CLI prompts you to continue with the connection.
Before you can perform any commands, you must select a Rancher project to perform those commands against. To select a project to work on, use the command
./rancher context switch. When you enter this command, a list of available projects displays. Enter a number to choose your project.
./rancher context switch Output
User:rancher-cli-directory user$ ./rancher context switch NUMBER CLUSTER NAME PROJECT ID PROJECT NAME 1 cluster-2 c-7q96s:p-h4tmb project-2 2 cluster-2 c-7q96s:project-j6z6d Default 3 cluster-1 c-lchzv:p-xbpdt project-1 4 cluster-1 c-lchzv:project-s2mch Default Select a Project:
After you enter a number, the console displays a message that you’ve changed projects.
INFO Setting new context to project project-1 INFO Saving config to /Users/markbishop/.rancher/cli2.json
Ensure you can run
rancher kubectl get pods successfully.
The following commands are available for use in Rancher CLI.
||Performs operations on catalog applications (i.e., individual Helm charts) or Rancher charts.|
||Performs operations on catalogs.|
||Performs operations on your clusters.|
||Switches between Rancher projects. For an example, see Project Selection.|
||Displays details about Kubernetes resources or Rancher resources (i.e.: projects and workloads). Specify resources by name or ID.|
||Runs kubectl commands.|
||Logs into a Rancher Server. For an example, see CLI Authentication.|
||Performs operations on namespaces.|
||Performs operations on nodes.|
||Performs operations on projects.|
||Displays workloads in a project.|
||Shows the current settings for your Rancher Server.|
||Connects to one of your cluster nodes using the SSH protocol.|
||Shows a list of commands or help for one command.|
Rancher CLI Help
Once logged into Rancher Server using the CLI, enter
./rancher --help for a list of commands.
All commands accept the
--help flag, which documents each command’s usage.
The Rancher CLI cannot be used to install dashboard apps or Rancher feature charts.
Interact with Rancher using kubectl.
kubectl utility. See install kubectl.
Configure kubectl by visiting your cluster in the Rancher Web UI, clicking on
Kubeconfig, copying contents, and putting them into your
kubectl cluster-info or
kubectl get pods successfully.
Authentication with kubectl and kubeconfig Tokens with TTL
If admins have enforced TTL on kubeconfig tokens, the kubeconfig file requires the Rancher CLI to be present in your PATH when you run
kubectl. Otherwise, you’ll see an error like:
Unable to connect to the server: getting credentials: exec: exec: "rancher": executable file not found in $PATH.
This feature enables kubectl to authenticate with the Rancher server and get a new kubeconfig token when required. The following auth providers are currently supported:
- Active Directory (LDAP only)
- SAML providers: Ping, Okta, ADFS, Keycloak, Shibboleth
When you first run kubectl, for example,
kubectl get pods, it will ask you to pick an auth provider and log in with the Rancher server.
The kubeconfig token is cached in the path where you run kubectl under
./.cache/token. This token is valid until it expires, or gets deleted from the Rancher server.
Upon expiration, the next
kubectl get pods will ask you to log in with the Rancher server again.