MicrosoftDocs
diff --git a/‎articles/kubernetes-fleet/cluster-resource-override.md
Lines changed: 234 additions & 0 deletions b/‎articles/kubernetes-fleet/cluster-resource-override.md
Lines changed: 234 additions & 0 deletions
diff --git a/‎articles/kubernetes-fleet/concepts-choosing-fleet.md
Lines changed: 74 additions & 0 deletions b/‎articles/kubernetes-fleet/concepts-choosing-fleet.md
Lines changed: 74 additions & 0 deletions
diff --git a/‎articles/kubernetes-fleet/concepts-fleet.md
Lines changed: 1 addition & 35 deletions b/‎articles/kubernetes-fleet/concepts-fleet.md
Lines changed: 1 addition & 35 deletions
@@ -0,0 +1,234 @@
+---
+title: "Customize cluster scoped resources in Azure Kubernetes Fleet Manager with cluster resource overrides"
+description: This article provides an overview of how to use the Fleet ClusterResourceOverride API to override cluster scoped resources in Azure Kubernetes Fleet Manager.
+ms.topic: how-to
+ms.date: 05/10/2024
+author: schaffererin
+ms.author: schaffererin
+ms.service: kubernetes-fleet
+ms.custom:
+  - build-2024
+---
+
+# Customize cluster scoped resources in Azure Kubernetes Fleet Manager with cluster resource overrides (preview)
+
+This article provides an overview of how to use the Fleet `ClusterResourceOverride` API to customize cluster scoped resources in Azure Kubernetes Fleet Manager.
+
+[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+
+## Cluster resource override overview
+
+The cluster resource override feature allows you to modify or override specific attributes across cluster-wide resources. With `ClusterResourceOverride`, you can define rules based on cluster labels, specifying changes to be applied to various cluster-wide resources such as namespaces, cluster roles, cluster role bindings, or custom resource definitions (CRDs). These modifications might include updates to permissions, configurations, or other parameters, ensuring consistent management and enforcement of configurations across your Fleet-managed Kubernetes clusters.
+
+## API components
+
+The `ClusterResourceOverride` API consists of the following components:
+
+* **`clusterResourceSelectors`**: Specifies the set of cluster resources selected for overriding.
+* **`policy`**: Specifies the set of rules to apply to the selected cluster resources.
+
+### Cluster resource selectors
+
+A `ClusterResourceOverride` object can include one or more cluster resource selectors to specify which resources to override. The `ClusterResourceSelector` object supports the following fields:
+
+> [!NOTE]
+> If you select a namespace in the `ClusterResourceSelector`, the override will apply to all resources in the namespace.
+
+* `group`: The API group of the resource.
+* `version`: The API version of the resource.
+* `kind`: The kind of the resource.
+* `name`: The name of the resource.
+
+To add a cluster resource selector to a `ClusterResourceOverride` object, use the `clusterResourceSelectors` field with the following YAML format:
+
+```yaml
+apiVersion: placement.kubernetes-fleet.io/v1alpha1
+kind: ClusterResourceOverride
+metadata:
+  name: example-cro
+spec:
+  clusterResourceSelectors:
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRole
+      version: v1
+      name: secret-reader
+```
+
+This example selects a `ClusterRole` named `secret-reader` from the `rbac.authorization.k8s.io/v1` API group for overriding.
+
+## Policy
+
+A `Policy` object consists of a set of rules, `overrideRules`, that specify the changes to apply to the selected cluster resources. Each `overrideRule` object supports the following fields:
+
+* `clusterSelector`: Specifies the set of clusters to which the override rule applies.
+* `jsonPatchOverrides`: Specifies the changes to apply to the selected resources.
+
+To add an override rule to a `ClusterResourceOverride` object, use the `policy` field with the following YAML format:
+
+```yaml
+apiVersion: placement.kubernetes-fleet.io/v1alpha1
+kind: ClusterResourceOverride
+metadata:
+  name: example-cro
+spec:
+  clusterResourceSelectors:
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRole
+      version: v1
+      name: secret-reader
+  policy:
+    overrideRules:
+      - clusterSelector:
+          clusterSelectorTerms:
+            - labelSelector:
+                matchLabels:
+                  env: prod
+        jsonPatchOverrides:
+          - op: remove
+            path: /rules/0/verbs/2
+```
+
+This example removes the verb "list" in the `ClusterRole` named `secret-reader` on clusters with the label `env: prod`.
+
+### Cluster selector
+
+You can use the `clusterSelector` field in the `overrideRule` object to specify the clusters to which the override rule applies. The `ClusterSelector` object supports the following field:
+
+* `clusterSelectorTerms`: A list of terms that specify the criteria for selecting clusters. Each term includes a `labelSelector` field that defines a set of labels to match.
+
+> [!IMPORTANT]
+> Only `labelSelector` is supported in the `clusterSelectorTerms` field.
+
+### JSON patch overrides
+
+You can use `jsonPatchOverrides` in the `overrideRule` object to specify the changes to apply to the selected resources. The `JsonPatch` object supports the following fields:
+
+* `op`: The operation to perform.
+  * Supported operations include `add`, `remove`, and `replace`.
+    * `add`: Adds a new value to the specified path.
+    * `remove`: Removes the value at the specified path.
+    * `replace`: Replaces the value at the specified path.
+* `path`: The path to the field to modify.
+  * Guidance on specifying paths includes:
+    * Must start with a `/` character.
+    * Can't be empty or contain an empty string.
+    * Can't be a `TypeMeta` field ("/kind" or "/apiVersion").
+    * Can't be a `Metadata` field ("/metadata/name" or "/metadata/namespace") except the fields "/metadata/labels" and "/metadata/annotations".
+    * Can't be any field in the status of the resource.
+    * Examples of valid paths include:
+      * `/metadata/labels/new-label`
+      * `/metadata/annotations/new-annotation`
+      * `/spec/template/spec/containers/0/resources/limits/cpu`
+      * `/spec/template/spec/containers/0/resources/requests/memory`
+* `value`: The value to add, remove, or replace.
+  * If the `op` is `remove`, you can't specify a `value`.
+
+### Use multiple override patches
+
+You can add multiple `jsonPatchOverrides` to an `overrideRule` to apply multiple changes to the select cluster resources, as shown in the following example:
+
+```yaml
+apiVersion: placement.kubernetes-fleet.io/v1alpha1
+kind: ClusterResourceOverride
+metadata:
+  name: cro-1
+spec:
+  clusterResourceSelectors:
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRole
+      version: v1
+      name: secret-reader
+  policy:
+    overrideRules:
+      - clusterSelector:
+          clusterSelectorTerms:
+            - labelSelector:
+                matchLabels:
+                  env: prod
+        jsonPatchOverrides:
+          - op: remove
+            path: /rules/0/verbs/2
+          - op: remove
+            path: /rules/0/verbs/1
+```
+
+This example removes the verbs "list" and "watch" in the `ClusterRole` named `secret-reader` on clusters with the label `env: prod`.
+
+`jsonPatchOverrides` apply a JSON patch on the selected resources following [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902).
+
+## Apply the cluster resource override
+
+1. Create a `ClusterResourcePlacement` resource to specify the placement rules for distributing the cluster resource overrides across the cluster infrastructure, as shown in the following example. Make sure you select the appropriate resource.
+
+    ```yaml
+    apiVersion: placement.kubernetes-fleet.io/v1beta1
+    kind: ClusterResourcePlacement
+    metadata:
+      name: crp
+    spec:
+      resourceSelectors:
+        - group: rbac.authorization.k8s.io
+          kind: ClusterRole
+          version: v1
+          name: secret-reader
+      policy:
+        placementType: PickAll
+        affinity:
+          clusterAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              clusterSelectorTerms:
+                - labelSelector:
+                    matchLabels:
+                      env: prod
+    ```
+
+    This example distributes resources across all clusters labeled with `env: prod`. As the changes are implemented, the corresponding `ClusterResourceOverride` configurations will be applied to the designated clusters, triggered by the selection of matching cluster role resource, `secret-reader`.
+
+2. Apply the `ClusterResourcePlacement` using the `kubectl apply` command.
+
+    ```bash
+    kubectl apply -f cluster-resource-placement.yaml
+    ```
+
+3. Verify the `ClusterResourceOverride` object applied to the selected resources by checking the status of the `ClusterResourcePlacement` resource using the `kubectl describe` command.
+
+    ```bash
+    kubectl describe clusterresourceplacement crp
+    ```
+
+    Your output should resemble the following example output:
+
+    ```output
+    Status:
+      Conditions:
+        ...
+        Last Transition Time:   2024-04-27T04:18:00Z
+        Message:                The selected resources are successfully overridden in the 10 clusters
+        Observed Generation:    1
+        Reason:                 OverriddenSucceeded
+        Status:                 True
+        Type:                   ClusterResourcePlacementOverridden
+        ...
+      Observed Resource Index:  0
+      Placement Statuses:
+        Applicable Cluster Resource Overrides:
+          example-cro-0
+        Cluster Name:  member-50
+        Conditions:
+          ...
+          Message:               Successfully applied the override rules on the resources
+          Observed Generation:   1
+          Reason:                OverriddenSucceeded
+          Status:                True
+          Type:                  Overridden
+         ...
+    ```
+
+    The `ClusterResourcePlacementOverridden` condition indicates whether the resource override was successfully applied to the selected resources in the clusters. Each cluster maintains its own `Applicable Cluster Resource Overrides` list, which contains the cluster resource override snapshot if relevant. Individual status messages for each cluster indicate whether the override rules were successfully applied.
+
+## Next steps
+
+To learn more about Fleet, see the following resources:
+
+* [Upstream Fleet documentation](https://github.com/Azure/fleet/tree/main/docs)
+* [Azure Kubernetes Fleet Manager overview](./overview.md)
@@ -0,0 +1,74 @@
+---
+title: "Choose an Azure Kubernetes Fleet Manager option"
+description: This article provides a conceptual overview of the various Azure Kubernetes Fleet Manager options and why you may choose a specific configuration.
+ms.date: 05/01/2024
+author: shashankbarsin
+ms.author: shasb
+ms.service: kubernetes-fleet
+ms.topic: conceptual
+---
+
+# Choosing an Azure Kubernetes Fleet Manager option
+
+This article provides an overview of the various Azure Kubernetes Fleet Manager (Fleet) options and the considerations you should use to guide your selection of a specific configuration.
+
+## Fleet types
+
+A Kubernetes Fleet resource can be created with or without a hub cluster. A hub cluster is a managed Azure Kubernetes Service (AKS) cluster that acts as a hub to store and propagate Kubernetes resources. 
+
+The following table compares the scenarios enabled by the hub cluster:
+
+| Capability | Kubernetes Fleet resource without hub cluster | Kubernetes Fleet resource with hub cluster |
+|----|----|----|
+|**Hub cluster hosting**|<span class='red-x'>&#10060;</span>|<span class='green-check'>&#9989;</span>|
+|**Member cluster limit**|Up to 100 clusters|Up to 20 clusters|
+|**Update orchestration**|<span class='green-check'>&#9989;</span>|<span class='green-check'>&#9989;</span>|
+|**Workload orchestration**|<span class='red-x'>&#10060;</span>|<span class='green-check'>&#9989;</span>|
+|**Layer 4 load balancing**|<span class='red-x'>&#10060;</span>|<span class='green-check'>&#9989;</span>|
+|**Billing considerations**|No cost|You pay cost associated with the hub, which is a standard-tier AKS-cluster.|
+|**Converting fleet types**|Can be upgraded to a Kubernetes Fleet resource with a hub cluster.|Can't be downgraded to a Kubernetes Fleet resource without a hub cluster.|
+
+## Kubernetes Fleet resource without hub clusters
+
+Without a hub cluster, Kubernetes Fleet acts solely as a grouping entity in Azure Resource Manager (ARM). Certain scenarios, such as update runs, don't require a Kubernetes API and thus don't require a hub cluster. To take full advantage of all the features available, you need a Kubernetes Fleet resource with a hub cluster.
+
+For more information, see [Create a Kubernetes Fleet resource without a hub cluster][create-fleet-without-hub].
+
+## Kubernetes Fleet resource with hub clusters
+
+A Kubernetes Fleet resource with a hub cluster has an associated AKS-managed cluster, which is used to store the configuration for workload orchestration and layer-4 load balancing.
+
+Upon the creation of a Kubernetes Fleet resource with a hub cluster, a hub AKS cluster is automatically created in the same subscription under a managed resource group that begins with `FL_`. To improve reliability, hub clusters are locked down by denying any user-initiated mutations to the corresponding AKS clusters (under the Fleet-managed resource group `FL_`) and their underlying Azure resources (under the AKS-managed resource group `MC_FL_*`), such as virtual machines (VMs), via Azure deny assignments. Control plane operations, such as changing the hub cluster's configuration through Azure Resource Manager (ARM) or deleting the cluster entirely, are denied. Data plane operations, such as connecting to the hub cluster's Kubernetes API server in order to configure workload orchestration, are not denied.
+
+Hub clusters are exempted from [Azure policies][azure-policy-overview] to avoid undesirable policy effects upon hub clusters.
+
+### Network access modes for hub cluster
+
+For a Kubernetes Fleet resource with a hub cluster, there are two network access modes:
+
+- **Public hub clusters** expose the hub cluster to the internet. This means that with the right credentials, anyone on the internet can connect to the hub cluster. This configuration can be useful during the development and testing phase, but represents a security concern, which is largely undesirable in production.
+
+For more information, see [Create a Kubernetes Fleet resource with a public hub cluster][create-public-hub-cluster].
+
+- **Private hub clusters** use a [private AKS cluster][aks-private-cluster] as the hub, which prevents open access over the internet. All considerations for a private AKS cluster apply, so review the prerequisites and limitations to determine whether a Kubernetes Fleet resource with a private hub cluster meets your needs.
+
+Some other details to consider:
+
+- Whether you choose a public or private hub, the type can't be changed after creation.
+- When using an AKS private cluster, you have the ability to configure fully qualified domain names (FQDNs) and FQDN subdomains. This functionality doesn't apply to the private hub cluster of the Kubernetes Fleet resource.
+- When you connect to a private hub cluster, you can use the same methods that you would use to [connect to any private AKS cluster][aks-private-cluster-connect]. However, connecting using AKS command invoke and private endpoints aren't currently supported.
+- When you use private hub clusters, you're required to specify the subnet in which the Kubernetes Fleet hub cluster's node VMs reside. This process differs slightly from the AKS private cluster equivalent. For more information, see [create a Kubernetes Fleet resource with a private hub cluster][create-private-hub-cluster].
+
+
+## Next steps
+
+Now that you understand the different types of Kubernetes fleet resources, see [Create an Azure Kubernetes Fleet Manager resource and join member clusters][quickstart-create-fleet].
+
+<!-- LINKS -->
+[aks-private-cluster]: /azure/aks/private-clusters
+[aks-private-cluster-connect]: /azure/aks/private-clusters?tabs=azure-portal#options-for-connecting-to-the-private-cluster
+[azure-policy-overview]: /azure/governance/policy/overview
+[quickstart-create-fleet]: quickstart-create-fleet-and-members.md
+[create-fleet-without-hub]: quickstart-create-fleet-and-members.md?tabs=without-hub-cluster#create-a-fleet-resource
+[create-public-hub-cluster]: quickstart-create-fleet-and-members.md?tabs=with-hub-cluster#public-hub-cluster
+[create-private-hub-cluster]: quickstart-create-fleet-and-members.md?tabs=with-hub-cluster#private-hub-cluster
@@ -14,7 +14,7 @@ This article provides a conceptual overview of fleets, member clusters, and hub
 
 ## What are fleets?
 
-A fleet resource acts as a grouping entity for multiple AKS clusters. You can use them to manage multiple AKS clusters as a single entity, orchestrate updates across multiple clusters, propagate Kubernetes resources across multiple clusters, and provide a single pane of glass for managing multiple clusters. You can create a fleet with or without a [hub cluster](#what-is-a-hub-cluster-preview).
+A fleet resource acts as a grouping entity for multiple AKS clusters. You can use them to manage multiple AKS clusters as a single entity, orchestrate updates across multiple clusters, propagate Kubernetes resources across multiple clusters, and provide a single pane of glass for managing multiple clusters. You can create a fleet with or without a [hub cluster](concepts-choosing-fleet.md).
 
 A fleet consists of the following components:
 
@@ -41,40 +41,6 @@ Once a `MemberCluster` is tainted, it lets the [scheduler](./concepts-scheduler-
 
 For more information, see [the upstream Fleet documentation](https://github.com/Azure/fleet/blob/main/docs/concepts/MemberCluster/README.md).
 
-## What is a hub cluster (preview)?
-
-[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
-
-Certain scenarios of fleet such as update runs don't require a Kubernetes API and thus don't require a hub cluster. Fleet can be created without the hub cluster for such scenarios. In this mode, Fleet just acts as a grouping entity in Azure Resource Manager.
-
-For other scenarios such as Kubernetes resource propagation, a hub cluster is required. This hub cluster is a special AKS cluster whose lifecycle (creation, upgrades, deletion) is managed by the fleet resource. Any Kubernetes objects provided to the hub cluster are only stored as configurations on this cluster. Pod creation is disabled on this locked down hub cluster. Thus Fleet doesn't allow running any user workloads on the hub cluster and instead only allows using hub cluster for storing configurations that need to be propagated to other clusters or configurations that control cross-cluster orchestration.
-
-The following table lists the differences between a fleet without hub cluster and a fleet with hub cluster:
-
-| Feature dimension | Without hub cluster | With hub cluster (preview) |
-|-|-|-|
-| Hub cluster hosting (preview) | :x: | :white_check_mark: |
-| Member cluster limit | Up to 100 clusters | Up to 20 clusters |
-| Update orchestration across multiple clusters | :white_check_mark: | :white_check_mark: |
-| Kubernetes resource object propagation (preview) | :x: | :white_check_mark: |
-| Multi-cluster L4 load balancing (preview) | :x: | :white_check_mark: |
-
-Upon the creation of a fleet, a hub cluster is automatically created in the same subscription as the fleet under a managed resource group named as `FL_*`.
-
-To improve reliability, hub clusters are locked down by denying any user initiated mutations to the corresponding AKS clusters (under the Fleet-managed resource group `FL_*`) and their underlying Azure resources like VMs (under the AKS-managed resource group `MC_FL_*`) via Azure deny assignments.
-
-Hub clusters are exempted from Azure policies to avoid undesirable policy effects upon hub clusters.
-
-## Billing
-
-The fleet resource without hub cluster is currently free of charge. If your fleet contains a hub cluster, the hub cluster is a standard tier AKS cluster created in the fleet subscription and paid by you.
-
-## FAQs
-
-### Can I change a fleet without hub cluster to a fleet with hub cluster?
-
-Not during hub cluster preview. This is planned to be supported once hub clusters become generally available.
-
 ## Next steps
 
 * [Create a fleet and join member clusters](./quickstart-create-fleet-and-members.md).