|
| 1 | +--- |
| 2 | +title: "Access the Kubernetes API of the Fleet resource" |
| 3 | +description: Learn how to access the Kubernetes API of the Fleet resource. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 03/20/2024 |
| 6 | +author: shashankbarsin |
| 7 | +ms.author: shasb |
| 8 | +ms.service: kubernetes-fleet |
| 9 | +--- |
| 10 | + |
| 11 | +# Access the Kubernetes API of the Fleet resource with Azure Kubernetes Fleet Manager |
| 12 | + |
| 13 | +If your Azure Kubernetes Fleet Manager resource was created with the hub cluster enabled, then it can be used to centrally control scenarios like Kubernetes resource propagation. In this article, you learn how to access the Kubernetes API of the hub cluster managed by the Fleet resource. |
| 14 | + |
| 15 | +## Prerequisites |
| 16 | + |
| 17 | +[!INCLUDE [free trial note](../../includes/quickstarts-free-trial-note.md)] |
| 18 | + |
| 19 | +* You must have a Fleet resource with a hub cluster and member clusters. If you don't have this resource, follow [Quickstart: Create a Fleet resource and join member clusters](quickstart-create-fleet-and-members.md). |
| 20 | +* The identity (user or service principal) you're using needs to have the Microsoft.ContainerService/fleets/listCredentials/action on the Fleet resource. |
| 21 | + |
| 22 | +## Access the Kubernetes API of the Fleet resource cluster |
| 23 | + |
| 24 | +1. Set the following environment variables for your subscription ID, resource group, and Fleet resource, and set the default Azure subscription to use using the [`az account set`][az-account-set] command. |
| 25 | + |
| 26 | + ```azurecli-interactive |
| 27 | + export SUBSCRIPTION_ID=<subscription-id> |
| 28 | + az account set --subscription ${SUBSCRIPTION_ID} |
| 29 | +
|
| 30 | + export GROUP=<resource-group-name> |
| 31 | + export FLEET=<fleet-name> |
| 32 | + ``` |
| 33 | +
|
| 34 | +2. Get the kubeconfig file of the hub cluster Fleet resource using the [`az fleet get-credentials`][az-fleet-get-credentials] command. |
| 35 | +
|
| 36 | + ```azurecli-interactive |
| 37 | + az fleet get-credentials --resource-group ${GROUP} --name ${FLEET} |
| 38 | + ``` |
| 39 | +
|
| 40 | + Your output should look similar to the following example output: |
| 41 | +
|
| 42 | + ```output |
| 43 | + Merged "hub" as current context in /home/fleet/.kube/config |
| 44 | + ``` |
| 45 | +
|
| 46 | +3. Set the following environment variable for the `id` of the hub cluster Fleet resource: |
| 47 | +
|
| 48 | + ```azurecli-interactive |
| 49 | + export FLEET_ID=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/fleets/${FLEET} |
| 50 | + ``` |
| 51 | +
|
| 52 | +4. Authorize your identity to the hub cluster Fleet resource's Kubernetes API server using the following commands: |
| 53 | +
|
| 54 | + For the `ROLE` environment variable, you can use one of the following four built-in role definitions as the value: |
| 55 | +
|
| 56 | + * Azure Kubernetes Fleet Manager RBAC Reader |
| 57 | + * Azure Kubernetes Fleet Manager RBAC Writer |
| 58 | + * Azure Kubernetes Fleet Manager RBAC Admin |
| 59 | + * Azure Kubernetes Fleet Manager RBAC Cluster Admin |
| 60 | +
|
| 61 | + ```azurecli-interactive |
| 62 | + export IDENTITY=$(az ad signed-in-user show --query "id" --output tsv) |
| 63 | + export ROLE="Azure Kubernetes Fleet Manager RBAC Cluster Admin" |
| 64 | + az role assignment create --role "${ROLE}" --assignee ${IDENTITY} --scope ${FLEET_ID} |
| 65 | + ``` |
| 66 | +
|
| 67 | + Your output should be similar to the following example output: |
| 68 | +
|
| 69 | + ```output |
| 70 | + { |
| 71 | + "canDelegate": null, |
| 72 | + "condition": null, |
| 73 | + "conditionVersion": null, |
| 74 | + "description": null, |
| 75 | + "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>/providers/Microsoft.Authorization/roleAssignments/<assignment>", |
| 76 | + "name": "<name>", |
| 77 | + "principalId": "<id>", |
| 78 | + "principalType": "User", |
| 79 | + "resourceGroup": "<GROUP>", |
| 80 | + "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", |
| 81 | + "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>", |
| 82 | + "type": "Microsoft.Authorization/roleAssignments" |
| 83 | + } |
| 84 | + ``` |
| 85 | +
|
| 86 | +5. Verify you can access the API server using the `kubectl get memberclusters` command. |
| 87 | +
|
| 88 | + ```bash |
| 89 | + kubectl get memberclusters |
| 90 | + ``` |
| 91 | +
|
| 92 | + If successful, your output should look similar to the following example output: |
| 93 | +
|
| 94 | + ```output |
| 95 | + NAME JOINED AGE |
| 96 | + aks-member-1 True 2m |
| 97 | + aks-member-2 True 2m |
| 98 | + aks-member-3 True 2m |
| 99 | + ``` |
| 100 | +
|
| 101 | +## Next steps |
| 102 | +
|
| 103 | +* Review the [API specifications][fleet-apispec] for all Fleet custom resources. |
| 104 | +* Review our [troubleshooting guide][troubleshooting-guide] to help resolve common issues related to the Fleet APIs. |
| 105 | +
|
| 106 | +<!-- LINKS ---> |
| 107 | +[fleet-apispec]: https://github.com/Azure/fleet/blob/main/docs/api-references.md |
| 108 | +[troubleshooting-guide]: https://github.com/Azure/fleet/blob/main/docs/troubleshooting/README.md |
| 109 | +[az-fleet-get-credentials]: /cli/azure/fleet#az-fleet-get-credentials |
| 110 | +[az-account-set]: /cli/azure/account#az-account-set |
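Review bot: Step 4 hard-codes the most privileged of the four listed roles in the copy-paste command (`export ROLE="Azure Kubernetes Fleet Manager RBAC Cluster Admin"`, new-file line 63), while the only check the article performs afterwards is a read in step 5 (`kubectl get memberclusters`). Readers tend to paste the sample as is, so I'd default the example to the least-privileged role that fits the walkthrough, such as `Azure Kubernetes Fleet Manager RBAC Reader`, and add a sentence telling readers to pick the role that matches the access the identity actually needs. Two smaller points: the prerequisite on new-file line 20 is missing a noun after the action name (suggest "needs to have the `Microsoft.ContainerService/fleets/listCredentials/action` permission on the Fleet resource"), and the prerequisites don't mention that the identity must also be allowed to create role assignments at the Fleet scope, which the `az role assignment create` call in step 4 depends on.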