Aggregated Kubernetes API Endpoint

The newly introduced karmada-aggregated-apiserver component aggregates all registered clusters and lets users access member clusters through Karmada via the proxy endpoint.

For a detailed discussion of this topic, see here.

Here’s a quick start.

Quick start

To try this feature quickly, this guide uses the karmada-apiserver certificate.

Step 1: Obtain the karmada-apiserver certificate

For Karmada deployed using hack/local-up-karmada.sh, you can directly copy it from the $HOME/.kube/ directory.

    cp $HOME/.kube/karmada.config karmada-apiserver.config

Step 2: Grant permission to user system:admin

system:admin is the user in the karmada-apiserver certificate. We need to explicitly grant it the clusters/proxy permission. The ClusterRole below grants every verb ('*') on clusters/proxy, limited by resourceNames to member1, member2 and member3.

Apply the following YAML file:

cluster-proxy-rbac.yaml:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cluster-proxy-clusterrole
    rules:
    - apiGroups:
      - 'cluster.karmada.io'
      resources:
      - clusters/proxy
      resourceNames:
      - member1
      - member2
      - member3
      verbs:
      - '*'
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-proxy-clusterrolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-proxy-clusterrole
    subjects:
      - kind: User
        name: "system:admin"

Apply it with:

    kubectl --kubeconfig $HOME/.kube/karmada.config --context karmada-apiserver apply -f cluster-proxy-rbac.yaml

Step 3: Access member clusters

Run the following command (replace {clustername} with your actual cluster name):

    kubectl --kubeconfig karmada-apiserver.config get --raw /apis/cluster.karmada.io/v1alpha1/clusters/{clustername}/proxy/api/v1/nodes

Alternatively, append /apis/cluster.karmada.io/v1alpha1/clusters/{clustername}/proxy to the server address in karmada-apiserver.config; you can then use kubectl directly:

    kubectl --kubeconfig karmada-apiserver.config get node
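
The second option in Step 3, as an added shell example that is not part of the Karmada documentation: it builds the proxy server address for one member cluster and writes a separate kubeconfig for that cluster. The function names and the accepted cluster-name character set are assumptions of this example; member_kubeconfig needs kubectl and rewrites the cluster entry used by the karmada-apiserver context.

```shell
# Added example, not Karmada project code; function names are hypothetical.
LC_ALL=C  # byte-wise ranges, so [a-z] never matches uppercase letters
PROXY_PREFIX=/apis/cluster.karmada.io/v1alpha1/clusters

# Print the proxy path for one member cluster. Names are limited to lowercase
# letters, digits and inner hyphens (an assumption of this example) so a name
# cannot add path segments or a query string to the URL.
proxy_path() {
  case $1 in
    '' | *[!a-z0-9-]* | -* | *-)
      echo "invalid cluster name: $1" >&2
      return 1 ;;
  esac
  printf '%s/%s/proxy' "$PROXY_PREFIX" "$1"
}

# Print the server address for a member cluster, given the karmada-apiserver
# address. An existing proxy suffix is dropped first, so an address that was
# already rewritten does not get a second path stacked on it.
proxy_server() {
  base=${1%%/apis/cluster.karmada.io/*}
  base=${base%/}
  path=$(proxy_path "$2") || return 1
  printf '%s%s' "$base" "$path"
}

# Usage: member_kubeconfig SRC CLUSTER OUT
# Copies SRC to OUT and points its karmada-apiserver cluster entry at the
# proxy endpoint of CLUSTER. OUT still holds the system:admin client key,
# so it is left readable by the owner only.
member_kubeconfig() {
  src=$1 cluster=$2 out=$3 ctx=karmada-apiserver
  entry=$(kubectl --kubeconfig "$src" config view --minify --context "$ctx" \
    -o jsonpath='{.clusters[0].name}') || return 1
  server=$(kubectl --kubeconfig "$src" config view --minify --context "$ctx" \
    -o jsonpath='{.clusters[0].cluster.server}') || return 1
  target=$(proxy_server "$server" "$cluster") || return 1
  (umask 077; cp "$src" "$out") && chmod 600 "$out" || return 1
  kubectl --kubeconfig "$out" config set-cluster "$entry" \
    --server="$target" >/dev/null
}
```

For example, `member_kubeconfig karmada-apiserver.config member1 member1.config` followed by `kubectl --kubeconfig member1.config get node` leaves karmada-apiserver.config itself unchanged.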

Note: For a member cluster that joins Karmada in pull mode and allows only cluster-to-karmada access, we can deploy apiserver-network-proxy (ANP) to access it.