diff --git a/solutions/access-remote-api/README.md b/solutions/access-remote-api/README.md
new file mode 100644
index 000000000..48ad601e1
--- /dev/null
+++ b/solutions/access-remote-api/README.md
@@ -0,0 +1,57 @@
+# Access APIServer of managed cluster
+
+## Prerequisite
+
+- Set up the dev environment in your local machine following [setup dev environment](../setup-dev-environment).
+- helm is installed
+- Add ocm helm repo with `helm repo add ocm https://openclustermanagement.blob.core.windows.net/releases/`
+
+## Install cluster-proxy and managed-serviceaccount addon on the clusters
+
+Install cluster-proxy addon:
+
+```
+helm install \
+ -n open-cluster-management-addon --create-namespace \
+ cluster-proxy ocm/cluster-proxy
+```
+
+Check the status of the cluster-proxy addon
+
+```
+clusteradm get addon cluster-proxy
+```
+
+Install managed-serviceaccount addon:
+
+```
+helm install \
+ -n open-cluster-management-addon --create-namespace \
+ managed-serviceaccount ocm/managed-serviceaccount
+```
+
+Check the status of the managed-serviceaccount addon
+
+```
+clusteradm get addon managed-serviceaccount
+```
+
+## Create a managed service account and set rbac
+
+Create managed-service account on hub
+
+```
+kubectl apply -f manifests/managed-sa.yaml
+```
+
+create a clusterrolebinding on managed cluster to set permission for this service account
+
+```
+clusteradm create work rbac -f manifests/clusterrolebinding.yaml --cluster cluster1
+```
+
+## Use the clusteradm proxy command
+
+```
+clusteradm proxy kubectl --cluster=cluster1 --sa=test --args="get nodes"
+```
\ No newline at end of file
diff --git a/solutions/access-remote-api/manifests/clusterrolebinding.yaml b/solutions/access-remote-api/manifests/clusterrolebinding.yaml
new file mode 100644
index 000000000..98879cb54
--- /dev/null
+++ b/solutions/access-remote-api/manifests/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: managed-sa-test
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: test
+ namespace: open-cluster-management-managed-serviceaccount
diff --git a/solutions/access-remote-api/manifests/managed-sa.yaml b/solutions/access-remote-api/manifests/managed-sa.yaml
new file mode 100644
index 000000000..1b18a2a70
--- /dev/null
+++ b/solutions/access-remote-api/manifests/managed-sa.yaml
@@ -0,0 +1,7 @@
+apiVersion: authentication.open-cluster-management.io/v1alpha1
+kind: ManagedServiceAccount
+metadata:
+ name: test
+ namespace: cluster1
+spec:
+ rotation: {}
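Review bot: The roleRef in clusterrolebinding.yaml binds the `test` service account to the built-in `cluster-admin` ClusterRole, which is unrestricted access on every managed cluster the binding is distributed to via `clusteradm create work rbac`, while the only use the README demonstrates is `get nodes`. For a sample that readers will copy, a read-only grant is sufficient: change the roleRef to `name: view` (a built-in ClusterRole) or ship a purpose-built ClusterRole listing only the verbs the proxy command needs. If cluster-admin is deliberate for the demo, say so in the manifest with a comment above `roleRef:` such as `# Demo only: cluster-admin grants full control of the managed cluster; scope this down before reusing` so the breadth of the grant is visible where it is made. The README added in this commit does not mention the scope of this permission either.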
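Review bot: `rotation: {}` in managed-sa.yaml leaves the token rotation behaviour entirely to the addon's defaults, and nothing in the manifest tells a reader that a choice is being made there; a comment like `# empty rotation block accepts the addon defaults; set explicit values if a shorter token validity is wanted` would make it explicit (the concrete field names come from the ManagedServiceAccount CRD, which is not shown here). The `name: test` and `namespace: cluster1` values are also silently coupled to `--sa=test` and `--cluster cluster1` in the README and to the subject name in clusterrolebinding.yaml, which a one-line comment on `metadata:` could point out so the three files are changed together.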