Access spoke api using cluster-proxy (#49)

* Access spoke api using cluster-proxy Signed-off-by: Jian Qiu <jqiu@redhat.com> * Add remote access scenario Signed-off-by: Jian Qiu <jqiu@redhat.com>
2026-02-14 18:09:57 +00:00 · 2022-05-19 17:44:18 +08:00
parent d4da5acfcf
commit 4b3cb4f45b
3 changed files with 76 additions and 0 deletions
--- a/solutions/access-remote-api/README.md
+++ b/solutions/access-remote-api/README.md
@@ -0,0 +1,57 @@
+# Access APIServer of managed cluster
+
+## Prerequisite
+
+- Set up the dev environment in your local machine following [setup dev environment](../setup-dev-environment).
+- helm is installed
+- Add ocm helm repo with `helm repo add ocm https://openclustermanagement.blob.core.windows.net/releases/`
+
+## Install cluster-proxy and managed-serviceaccount addon on the clusters
+
+Install cluster-proxy addon:
+
+```
+helm install \
+    -n open-cluster-management-addon --create-namespace \
+    cluster-proxy ocm/cluster-proxy 
+```
+
+Check the status of the cluster-proxy addon
+
+```
+clusteradm get addon cluster-proxy
+```
+
+Install managed-serviceaccount addon:
+
+```
+helm install \
+    -n open-cluster-management-addon --create-namespace \
+    managed-serviceaccount ocm/managed-serviceaccount
+```
+
+Check the status of the managed-serviceaccount addon
+
+```
+clusteradm get addon managed-serviceaccount
+```
+
+## Create a managed service account and set rbac
+
+Create managed-service account on hub
+
+```
+kubectl apply -f manifests/managed-sa.yaml
+```
+
+create a clusterrolebinding on managed cluster to set permission for this service account
+
+```
+clusteradm create work rbac -f manifests/clusterrolebinding.yaml --cluster cluster1
+```
+
+## Use the clusteradm proxy command
+
+```
+clusteradm proxy kubectl --cluster=cluster1 --sa=test --args="get nodes"
+```
--- a/solutions/access-remote-api/manifests/clusterrolebinding.yaml
+++ b/solutions/access-remote-api/manifests/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: managed-sa-test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: test
+    namespace: open-cluster-management-managed-serviceaccount
--- a/solutions/access-remote-api/manifests/managed-sa.yaml
+++ b/solutions/access-remote-api/manifests/managed-sa.yaml
@@ -0,0 +1,7 @@
+apiVersion: authentication.open-cluster-management.io/v1alpha1
+kind: ManagedServiceAccount
+metadata:
+  name: test
+  namespace: cluster1
+spec:
+  rotation: {}