You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -164,7 +169,7 @@ Items marked with (R) are required *prior to targeting to a milestone / release*
164
169
-[ ] (R) Design details are appropriately documented
165
170
-[ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
166
171
-[ ] e2e Tests for all Beta API Operations (endpoints)
167
-
-[ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
172
+
-[ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
168
173
-[ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
169
174
-[ ] (R) Graduation criteria is in place
170
175
-[ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
@@ -249,7 +254,7 @@ management. Examples of consumers includes:
249
254
this area.
250
255
* GitOps tools (ArgoCD, flux etc) are having the requirement to deploy
251
256
workload to multiple clusters. They either need to build the cluster
252
-
concept by themselves or understand cluster API from each different
257
+
concept by themselves or understand APIs representing a cluster from each
253
258
cluster management project. A common ClusterProfile API can provide
254
259
a thin compatible layer for different projects.
255
260
* Operation tools or customized external consumers: this API gives a
@@ -288,6 +293,7 @@ and make progress.
288
293
* Provide a standard reference implementation.
289
294
* Define specific implementation details beyond general API behavior.
290
295
* Offering functionalities related to multi-cluster orchestration.
296
+
* Define the Consumer registration API
291
297
292
298
293
299
## Proposal
@@ -319,14 +325,14 @@ the API proposed by this KEP aims to
319
325
-**Member Cluster**: A kubernetes cluster that is part of a cluster inventory.
320
326
321
327
-**Cluster Manager**: An entity that creates the ClusterProfile API object per member cluster,
322
-
and keeps their status up-to-date. Each cluster manager MUST be identified with a unique name.
323
-
Each ClusterProfile resource SHOULD be managed by only one cluster manager. A cluster manager SHOULD
328
+
and keeps their status up-to-date. Each cluster manager MUST be identified with a unique name.
329
+
Each ClusterProfile resource SHOULD be managed by only one cluster manager. A cluster manager SHOULD
324
330
have sufficient permission to access the member cluster to fetch the information so it can update the status
325
331
of the ClusterProfile API resource.
326
332
327
-
-**ClusterProfile API Consumer**: the person running the cluster managers
328
-
or the person developing extensions for cluster managers for the purpose of
329
-
workload distribution, operation management etc.
333
+
-**ClusterInventory Consumer**: Controllers or tools that leverage the ClusterProfile for the purpose of
334
+
workload distribution, operation management etc. Their name must be unique for a single inventory. They
335
+
might need to register themselves with the Cluster Manager which is not defined in this KEP.
330
336
331
337
### User Stories (Optional)
332
338
@@ -401,19 +407,19 @@ if all its member clusters adhere to the [namespace sameness](https://github.com
401
407
Note that a cluster can only be in one ClusterSet while there is not such restriction for a cluster inventory.
402
408
403
409
#### How should the API be consumed?
404
-
We recommend that all ClusterProfile objects within the same cluster inventory reside on
410
+
We recommend that all ClusterProfile objects within the same cluster inventory reside on
405
411
a dedicated Kubernetes cluster (aka. the hub cluster). This approach allows consumers to have a single integration
406
412
point to access all the information within a cluster inventory. Additionally, a multi-cluster aware
407
413
controller can be run on the dedicated cluster to offer high-level functionalities over this inventory of clusters.
408
414
409
415
#### How should we organize ClusterProfile objects on a hub cluster?
410
-
While there are no strict requirements, we recommend making the ClusterProfile API a namespace-scoped object.
416
+
While there are no strict requirements, we recommend making the ClusterProfile API a namespace-scoped object.
411
417
This approach allows users to leverage Kubernetes' native namespace-based RBAC if they wish to restrict access to
412
-
certain clusters within the inventory.
418
+
certain clusters within the inventory.
413
419
414
420
However, if a cluster inventory represents a ClusterSet, all its ClusterProfile objects MUST be part of the same clusterSet
415
421
and namespace must be used as the grouping mechanism. In addition, the namespace must have a label with the key "clusterset.multicluster.x-k8s.io"
416
-
and the value as the name of the clusterSet.
422
+
and the value as the name of the clusterSet.
417
423
418
424
#### Uniqueness of the ClusterProfile object
419
425
While there are no strict requirements, we recommend that there is only one ClusterProfile object representing any member cluster
@@ -451,21 +457,22 @@ represent a cluster and support the above use case at the minimum scope.
451
457
452
458
The target consumers of the API are users who manage the clusters and
453
459
other tools to understand the clusters concept from the API for
454
-
multicluster scheduling, workload distribution and cluster management.
460
+
multi-cluster scheduling, workload distribution and cluster management.
455
461
The API aims to provide the information for the consumers to answer the
456
462
below questions:
457
463
458
464
* Is the cluster under management?
459
465
* How can I select a cluster?
460
466
* Is the cluster healthy?
467
+
* How to access the cluster?
461
468
* Does the cluster have certain capabilities or properties?
462
469
* Does the cluster have sufficient resources?
463
470
464
471
### Cluster Name
465
472
466
473
It is required that cluster name is unique for each cluster, and it
467
474
should also be unique among different providers (cluster manager). It
468
-
is cluster managers's responsibility to ensure the name uniqueness.
475
+
is cluster manager's responsibility to ensure the name uniqueness.
469
476
470
477
It's the responsibility of the cluster manager platform administrator
471
478
to ensure cluster name uniqueness.
@@ -552,6 +559,39 @@ Predefined condition types:
552
559
The status of the cluster SHOULD be updated by the cluster manager under
553
560
this condition.
554
561
562
+
### Cluster Access
563
+
There are multiple methods for a ClusterInventory Consumer to gain access to the cluster represented by a ClusterProfile API.
564
+
This KEP does not define the exact mechanism for each approach, but it is recommended that ClusterInventory Consumers avoid
565
+
using a secret if possible. Here are the three approaches:
566
+
567
+
#### Pull Model with Work API
568
+
The ClusterInventory Consumer can leverage the [Work API](https://multicluster.sigs.k8s.io/concepts/work-api/) so that
569
+
the work API agent on the Member Cluster can *pull* the necessary objects from the management cluster where the ClusterInventory
570
+
Consumer operates to the Member Cluster. This approach allows the Cluster Manager to manage the RBAC for each Consumer on the
571
+
management cluster, ensuring that their access is restricted to the corresponding namespaces of the ClusterProfile objects.
572
+
573
+
#### Push Model with Identity Federation (Recommended)
574
+
The ClusterInventory consumer can utilize identity federation mechanisms, such as [Azure Workload Identity Federation](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation)
575
+
or [GCP Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation). This allows the
576
+
ClusterInventory Consumer to use an identity that already has access to the clusters in the Cluster Inventory.
577
+
While the Cluster Manager can assist in setting up the federation, it is not a mandatory requirement.
578
+
579
+
#### Push Model via Credentials in Secret (Not Recommended)
580
+
The ClusterInventory Consumer can obtain credentials to access the cluster represented by a ClusterProfile object by reading
581
+
from a secret. In this approach, the Cluster Manager generates secrets containing the necessary credentials within the namespace
582
+
accessible to the ClusterInventory Consumer. For this to function correctly, Cluster Managers must be aware of the following details
583
+
about the consumer: their name, whether credentials are required, and the preferred unique namespace for reading credentials as secrets.
584
+
Those information can be obtained during the "registering" process but this is out of the scope of this KEP.
585
+
586
+
##### Secret format
587
+
- The secret *MUST* reside in the namespace with the label `x-k8s.io/cluster-inventory-consumer` with the value being the name of the ClusterInventory Consumer.
588
+
- The secret *MUST* contain the label `x-k8s.io/cluster-profile` with the value being the name of the ClusterProfile object that the secret is associated with.
589
+
- The access information in the secret must contain the following fields
590
+
-**Config**: This field contains cluster access information compatible with the
- Since a single [Kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) supports access to multiple clusters, the Cluster manager *MUST* ensure that each secret contains access information for only a single consumer.
0 commit comments