Improve aggregated-api-endpoint

Signed-off-by: xin.li <xin.li@daocloud.io>
This commit is contained in:
xin.li 2022-06-18 14:14:07 +08:00
parent 4c496a3a98
commit 73309c3c31
1 changed files with 19 additions and 19 deletions


@ -12,9 +12,9 @@ To quickly experience this feature, we experimented with karmada-apiserver certi
### Step1: Obtain the karmada-apiserver Certificate
For karmada deployed using `hack/local-up-karmada.sh`, you can directly copy it from the `/root/.kube/` directory.
For Karmada deployed using `hack/local-up-karmada.sh`, you can directly copy it from the `/root/.kube/` directory.
```
```shell
cp /root/.kube/karmada.config karmada-apiserver.config
```
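Review bot: the Step1 heading says "Obtain the karmada-apiserver Certificate", but the command below it copies `/root/.kube/karmada.config`, which is a complete kubeconfig (server address plus the embedded client certificate and private key), i.e. an administrator credential for the Karmada control plane rather than a certificate alone. While this hunk is already rewording the sentence, consider changing "Certificate" to "kubeconfig" in the heading and adding one line telling readers to keep the copied file restricted (for example `chmod 600 karmada-apiserver.config`) and out of version control, since everything later in the page authenticates with it.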
@ -62,7 +62,7 @@ subjects:
</details>
```
```shell
kubectl --kubeconfig /root/.kube/karmada.config --context karmada-apiserver apply -f cluster-proxy-rbac.yaml
```
@ -70,21 +70,21 @@ kubectl --kubeconfig /root/.kube/karmada.config --context karmada-apiserver appl
Run the below command (replace `{clustername}` with your actual cluster name):
```
```shell
kubectl --kubeconfig karmada-apiserver.config get --raw /apis/cluster.karmada.io/v1alpha1/clusters/{clustername}/proxy/api/v1/nodes
```
Or append `/apis/cluster.karmada.io/v1alpha1/clusters/{clustername}/proxy ` to the server address of karmada-apiserver.config, and then you can directly use:
```
```shell
kubectl --kubeconfig karmada-apiserver.config get node
```
> Note: For a member cluster that joins karmada in pull mode and allows only cluster-to-karmada access, we can [deploy apiserver-network-proxy (ANP)](../working-with-anp.md) to access it.
> Note: For a member cluster that joins Karmada in pull mode and allows only cluster-to-karmada access, we can [deploy apiserver-network-proxy (ANP)](../working-with-anp.md) to access it.
## Unified authentication
For one or a group of user subjects (users, groups, or service accounts) in a member cluster, we can import them into karmada control plane and grant them the `clusters/proxy` permission, so that we can access the member cluster with permission of the user subject through karmada.
For one or a group of user subjects (users, groups, or service accounts) in a member cluster, we can import them into Karmada control plane and grant them the `clusters/proxy` permission, so that we can access the member cluster with permission of the user subject through Karmada.
In this section, we use a serviceaccount named `tom` for the test.
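Review bot: the rewritten sentence under "Unified authentication" still lacks articles and reads awkwardly; suggest "import them into the Karmada control plane and grant them the `clusters/proxy` permission, so that we can access the member cluster with the permissions of that user subject through Karmada". The unchanged context line "Or append `/apis/cluster.karmada.io/v1alpha1/clusters/{clustername}/proxy ` to the server address" carries a trailing space inside the backticks; a reader who copies it verbatim ends up with a space at the end of the server URL, so it is worth trimming while this hunk is being touched. The placeholder `{clustername}` should also be called out as the Karmada `Cluster` object name, since that is what the proxy path is keyed on.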
@ -94,13 +94,13 @@ If the serviceaccount has been created in your environment, you can skip this st
Create a serviceaccount that does not have any permission:
```
```shell
kubectl --kubeconfig /root/.kube/members.config --context member1 create serviceaccount tom
```
### Step2: Create ServiceAccount in karmada control plane
```
```shell
kubectl --kubeconfig /root/.kube/karmada.config --context karmada-apiserver create serviceaccount tom
```
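Review bot: the heading "### Step2: Create ServiceAccount in karmada control plane" keeps the lowercase spelling even though this commit normalises "karmada" to "Karmada" in the surrounding prose (see the hunks at lines 15, 38 and 41 of the diff); since the heading is in this hunk's context, changing it to "Karmada control plane" here would keep the page consistent. It would also help to state in the heading or the line after it that this ServiceAccount is deliberately created with the same name `tom` as the member-cluster one, because the whole unified-authentication flow relies on the subject names matching between the control plane and member1.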
@ -148,7 +148,7 @@ subjects:
</details>
```
```shell
kubectl --kubeconfig /root/.kube/karmada.config --context karmada-apiserver apply -f cluster-proxy-rbac.yaml
```
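Review bot: this apply command writes a file named `cluster-proxy-rbac.yaml` against the karmada-apiserver context, which is the same filename used for the earlier admin-certificate step (`kubectl --kubeconfig /root/.kube/karmada.config --context karmada-apiserver apply -f cluster-proxy-rbac.yaml` in the first section). A reader who follows both sections in one directory will overwrite the first manifest with the second, so please give this one a distinct name such as `tom-cluster-proxy-rbac.yaml` in both the `<details>` title and the command.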
@ -156,7 +156,7 @@ kubectl --kubeconfig /root/.kube/karmada.config --context karmada-apiserver appl
Obtain token of serviceaccount `tom`:
```
```shell
kubectl get secret `kubectl get sa tom -oyaml | grep token | awk '{print $3}'` -oyaml | grep token: | awk '{print $2}' | base64 -d
```
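Review bot: the token-extraction command in this hunk depends on the auto-generated ServiceAccount token Secret, which Kubernetes stopped creating in 1.24 (the `kubectl get sa tom -oyaml | grep token` lookup returns nothing on such clusters, and the outer `kubectl get secret` then fails). Since the fence tag is being changed here anyway, suggest replacing the pipeline with `kubectl create token tom` on 1.24 and later (a bound, time-limited token), or documenting that the reader must first create a Secret of type `kubernetes.io/service-account-token` annotated with `kubernetes.io/service-account.name: tom`. Separately, this is the only command on the page without `--kubeconfig`/`--context`; it will run against whatever the current default context is, so it is ambiguous whether the token comes from the control-plane ServiceAccount of Step2 or the member1 one. Adding `--kubeconfig /root/.kube/karmada.config --context karmada-apiserver`, matching the other steps, would remove the ambiguity.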
@ -184,13 +184,13 @@ users:
Run the command below to access member1 cluster:
```
```shell
kubectl --kubeconfig tom.config get --raw /apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy/apis
```
We can found that we were able to access, but run the command below:
```
```shell
kubectl --kubeconfig tom.config get --raw /apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy/api/v1/nodes
```
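Review bot: the unchanged context line "We can found that we were able to access, but run the command below:" has a grammar error and does not say what the reader should expect from the second command; since this hunk edits the fences on both sides of it, consider rewording to "The first command succeeds, because `/proxy/apis` only performs API discovery. Now run the command below, which lists nodes in member1:" so that the failure the next paragraph refers to ("Run the command that failed in the previous step again") is explicit.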
@ -206,7 +206,7 @@ member1-rbac.yaml
<summary>unfold me to see the yaml</summary>
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -235,22 +235,22 @@ subjects:
</details>
```
```shell
kubectl --kubeconfig /root/.kube/members.config --context member1 apply -f member1-rbac.yaml
```
Run the command that failed in the previous step again:
```
```shell
kubectl --kubeconfig tom.config get --raw /apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy/api/v1/nodes
```
The access will be successful.
Or we can append `/apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy ` to the server address of tom.config , and then you can directly use:
Or we can append `/apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy ` to the server address of tom.config, and then you can directly use:
```
```shell
kubectl --kubeconfig tom.config get node
```
> Note: For a member cluster that joins karmada in pull mode and allows only cluster-to-karmada access, we can [deploy apiserver-network-proxy (ANP)](../working-with-anp.md) to access it.
> Note: For a member cluster that joins Karmada in pull mode and allows only cluster-to-karmada access, we can [deploy apiserver-network-proxy (ANP)](../working-with-anp.md) to access it.
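Review bot: the rewritten line "Or we can append `/apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy ` to the server address of tom.config, and then you can directly use:" fixes the space before the comma but still has a trailing space inside the backticks, which would be copied into the server URL, and it mixes "we" and "you" in one sentence; suggest "Alternatively, append `/apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy` to the server address in tom.config, after which you can directly run:". The ANP note that closes this hunk is word-for-word the same as the one under "Run the below command" earlier on the page, so either one copy should remain or this one should be shortened to a pointer back to the first.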