|
| 1 | +# Kubeconfig Provider Example |
| 2 | + |
| 3 | +This example demonstrates how to use the kubeconfig provider to manage multiple Kubernetes clusters using kubeconfig secrets. |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +The kubeconfig provider allows you to: |
| 8 | +1. Discover and connect to multiple Kubernetes clusters using kubeconfig secrets |
| 9 | +2. Run controllers that can operate across all discovered clusters |
| 10 | +3. Manage cluster access through RBAC rules and service accounts |
| 11 | + |
| 12 | +## Directory Structure |
| 13 | + |
| 14 | +``` |
| 15 | +examples/kubeconfig/ |
| 16 | +├── controllers/ # Example controller that simply lists pods |
| 17 | +│ ├── pod_lister.go |
| 18 | +├── scripts/ # Utility scripts |
| 19 | +│ └── create-kubeconfig-secret.sh |
| 20 | +└── main.go # Example operator implementation |
| 21 | +``` |
| 22 | + |
| 23 | +## Usage |
| 24 | + |
| 25 | +### 1. Setting Up Cluster Access |
| 26 | + |
| 27 | +Before creating a kubeconfig secret, ensure that: |
| 28 | +1. The remote cluster has a service account with the necessary RBAC permissions for your operator |
| 29 | +2. The service account exists in the namespace where you want to create the kubeconfig secret |
| 30 | + |
| 31 | +Use the `create-kubeconfig-secret.sh` script to create a kubeconfig secret for each cluster you want to manage: |
| 32 | + |
| 33 | +```bash |
| 34 | +./scripts/create-kubeconfig-secret.sh \ |
| 35 | + --name cluster1 \ |
| 36 | + -n default \ |
| 37 | + -c prod-cluster \ |
| 38 | + -a my-service-account |
| 39 | +``` |
| 40 | + |
| 41 | +The script will: |
| 42 | +- Use the specified service account from the remote cluster |
| 43 | +- Generate a kubeconfig using the service account's token |
| 44 | +- Store the kubeconfig in a secret in your local cluster |
| 45 | + |
| 46 | +Command line options: |
| 47 | +- `-c, --context`: Kubeconfig context to use (required) |
| 48 | +- `--name`: Name for the secret (defaults to context name) |
| 49 | +- `-n, --namespace`: Namespace to create the secret in (default: "default") |
| 50 | +- `-a, --service-account`: Service account name to use from the remote cluster (default: "default") |
| 51 | + |
| 52 | +### 2. Customizing RBAC Rules |
| 53 | + |
| 54 | +The service account in the remote cluster must have the necessary RBAC permissions for your operator to function. Edit the RBAC templates in the `rbac/` directory to define the permissions your operator needs: |
| 55 | + |
| 56 | +```yaml |
| 57 | +# rbac/clusterrole.yaml |
| 58 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 59 | +kind: ClusterRole |
| 60 | +metadata: |
| 61 | + name: ${SECRET_NAME}-role |
| 62 | +rules: |
| 63 | +# Add permissions for your operator <-------------------------------- |
| 64 | +- apiGroups: [""] |
| 65 | + resources: ["pods"] |
| 66 | + verbs: ["list", "get", "watch"] # watch is needed for controllers that observe resources |
| 67 | +``` |
| 68 | +
|
| 69 | +Important RBAC considerations: |
| 70 | +- Use `watch` verb if your controller needs to observe resource changes |
| 71 | +- Use `list` and `get` for reading resources |
| 72 | +- Use `create`, `update`, `patch`, `delete` for modifying resources |
| 73 | +- Consider using `Role` instead of `ClusterRole` if you only need namespace-scoped permissions |
| 74 | + |
| 75 | +### 3. Implementing Your Operator |
| 76 | + |
| 77 | +Add your controllers to `main.go`: |
| 78 | + |
| 79 | +```go |
| 80 | +func main() { |
| 81 | + // Import your controllers here <-------------------------------- |
| 82 | + "sigs.k8s.io/multicluster-runtime/examples/kubeconfig/controllers" |
| 83 | +
|
| 84 | + //... |
| 85 | +
|
| 86 | + // Run your controllers here <-------------------------------- |
| 87 | + podWatcher := controllers.NewPodWatcher(mgr) |
| 88 | + if err := mgr.Add(podWatcher); err != nil { |
| 89 | + entryLog.Error(err, "Unable to add pod watcher") |
| 90 | + os.Exit(1) |
| 91 | + } |
| 92 | +} |
| 93 | +``` |
| 94 | + |
| 95 | +Your controllers can then use the manager to access any cluster and view the resources that the RBAC permissions allow. |
| 96 | + |
| 97 | +## How It Works |
| 98 | + |
| 99 | +1. The kubeconfig provider watches for secrets with a specific label in a namespace |
| 100 | +2. When a new secret is found, it: |
| 101 | + - Extracts the kubeconfig data |
| 102 | + - Creates a new controller-runtime cluster |
| 103 | + - Makes the cluster available to your controllers |
| 104 | +3. Your controllers can access any cluster through the manager |
| 105 | +4. RBAC rules ensure your operator has the necessary permissions in each cluster |
| 106 | + |
| 107 | +## Labels and Configuration |
| 108 | + |
| 109 | +The provider uses the following labels and keys by default: |
| 110 | +- Label: `sigs.k8s.io/multicluster-runtime-kubeconfig: "true"` |
| 111 | +- Secret data key: `kubeconfig` |
| 112 | + |
| 113 | +You can customize these in the provider options when creating it. |
0 commit comments