Chapter 10. ManagedClusterSets
A ManagedClusterSet
is a group of managed clusters. With a ManagedClusterSet
, you can manage access to all of the managed clusters in the group together. You can also create a ManagedClusterSetBinding resource to bind a ManagedClusterSet resource to a namespace.
10.1. Creating a ManagedClusterSet
You can group managed clusters together in a ManagedClusterSet to limit the user access on managed clusters.
Required access: Cluster administrator
A ManagedClusterSet
is a cluster-scoped resource, so you must have cluster administration permissions for the cluster where you are creating the ManagedClusterSet
. A managed cluster cannot be included in more than one ManagedClusterSet
. Complete the following steps to create a ManagedClusterSet
:
Add the following definition of the
ManagedClusterSet
to youryaml
file:apiVersion: cluster.open-cluster-management.io/v1alpha1 kind: ManagedClusterSet metadata: name: <clusterset1>
Replace clusterset1 with the name of your
ManagedClusterSet
.
10.2. Adding clusters to a ManagedClusterSet
After your ManagedClusterSet
is created, you must add one or more managed clusters. Complete the following steps to add managed clusters:
Ensure that there is an RBAC
ClusterRole
entry that allows you toCreate
on a virtual subresource ofmanagedclustersets/join
. Without this permission, you cannot assign a managed cluster to aManagedClusterSet
.If this entry does not exist, add it to your
yaml
file. A sample entry resembles the following content:kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: clusterrole1 rules: - apiGroups: ["cluster.open-cluster-management.io"] resources: ["managedclustersets/join"] resourceNames: ["clusterset1"] verbs: ["create"]
Replace clusterset1 with the name of your
ManagedClusterSet
.Note: If you are moving a managed cluster from one
ManagedClusterSet
to another, you must have that permission available on bothManagedClusterSets
.Find the definition of the managed cluster in the
yaml
file. The section of the managed cluster definition where you add a label resembles the following content:apiVersion: cluster.open-cluster-management.io/v1 kind: ManagedCluster metadata: name: cluster1 spec: hubAcceptsClient: true
In this example, cluster1 is the name of the managed cluster.
Add a label that specifies the name of the
ManagedClusterSet
in the format:cluster.open-cluster-management.io/clusterset: clusterset1
.Your code resembles the following example:
apiVersion: cluster.open-cluster-management.io/v1 kind: ManagedCluster metadata: name: cluster1 labels: cluster.open-cluster-management.io/clusterset: clusterset1 spec: hubAcceptsClient: true
In this example, cluster1 is the cluster that is added to the clusterset1
ManagedClusterSet
.Note: If the managed cluster was previously assigned to a
ManagedClusterSet
that was deleted, the managed cluster might have aManagedClusterSet
already specified to a cluster set that does not exist. If so, replace the name with the new one.
10.3. Removing a managed cluster from a ManagedClusterSet
You might want to remove a managed cluster from a ManagedClusterSet
to move it to a different ManagedClusterSet
, or remove it from the management settings of the set.
To remove a managed cluster from a ManagedClusterSet
, complete the following steps:
Run the following command to display a list of managed clusters in the
ManagedClusterSet
:kubectl get managedclusters -l cluster.open-cluster-management.io/clusterset=<clusterset1>
Replace clusterset1 with the name of the
ManagedClusterSet
.- Locate the entry for the cluster that you want to remove.
Remove the label from the the
yaml
entry for the cluster that you want to remove. See the following code for an example of the label:labels: cluster.open-cluster-management.io/clusterset: clusterset1
Note: If you are moving a managed cluster from one
ManagedClusterSet
to another, you must have the RBAC permission available on bothManagedClusterSets
.
10.4. ManagedClusterSetBinding resource
Create a ManagedClusterSetBinding resource to bind a ManagedClusterSet resource to a namespace. Application and policies that are created in the same namespace can only access managed clusters that are included in the bound ManagedClusterSet resource.
When you create a ManagedClusterSetBinding, the name of the ManagedClusterSetBinding must match the name of the ManagedClusterSet to bind.
Your ManagedClusterSetBinding resource might resemble the following information:
apiVersion: cluster.open-cluster-management.io/v1alpha1 kind: ManagedClusterSetBinding metadata: namespace: project1 name: clusterset1 spec: clusterSet: clusterset1
You must have the bind permission on the target ManagedClusterSet. View the following example of a ClusterRole resource, which contain rules that allow the user to bind to clusterset1
:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: clusterrole1 rules: - apiGroups: ["cluster.open-cluster-management.io"] resources: ["managedclustersets/bind"] resourceNames: ["clusterset1"] verbs: ["create"]
For more information about role actions, see Role-based access control.