https://open-cluster-management.io/blog/ Recent content in Blog on Open Cluster Management Hugo en Wed, 18 Mar 2026 00:00:00 +0000 https://open-cluster-management.io/blog/2026/guided-open-cluster-management-install-with-kubestellar-console/ Wed, 18 Mar 2026 00:00:00 +0000 https://open-cluster-management.io/blog/2026/guided-open-cluster-management-install-with-kubestellar-console/ <p>Installing Open Cluster Management (OCM) involves multiple steps — adding Helm repos, installing the control plane, registering managed clusters, and verifying everything works. <a href="https://console.kubestellar.io?utm_source=ocm-blog&amp;utm_medium=blog&amp;utm_campaign=cncf_outreach&amp;utm_term=open-cluster-management">KubeStellar Console</a> now includes a guided install mission that walks you through the entire process step-by-step, with built-in validation and troubleshooting.</p> <h2 id="what-is-kubestellar-console">What is KubeStellar Console?</h2> <p>KubeStellar Console is a standalone, open-source Kubernetes dashboard with 30+ dashboards and 150+ monitoring cards. It connects to your clusters via kubeconfig and includes an AI-powered mission system that provides guided workflows for installing and managing CNCF projects.</p> https://open-cluster-management.io/blog/2025/cluster-proxy-now-supports-service-proxy-an-easy-way-to-access-services-in-managed-clusters/ Tue, 11 Nov 2025 00:00:00 +0000 https://open-cluster-management.io/blog/2025/cluster-proxy-now-supports-service-proxy-an-easy-way-to-access-services-in-managed-clusters/ <h2 id="introduction">Introduction</h2> <p>Cluster Proxy is an <a href="https://github.com/open-cluster-management-io/cluster-proxy">OCM addon</a> that provides L4 network connectivity between hub and managed clusters through a reverse proxy tunnel. In previous versions, accessing services on managed clusters through cluster-proxy required using a specialized Go package, the <a href="https://github.com/open-cluster-management-io/cluster-proxy/blob/main/examples/test-client.md">konnectivity client</a>.</p> <p>With the new v0.9.0 release, we&rsquo;ve introduced a more convenient approach — &ldquo;Service Proxy&rdquo;. This feature provides an HTTPS service that allows users to access the kube-apiserver and other services in managed clusters through a specific URL structure. Additionally, it introduces a more user-friendly authentication and authorization mechanism using <strong>Impersonation</strong>, enabling users to authenticate and authorize against the managed cluster&rsquo;s kube-apiserver using their hub user token.</p> https://open-cluster-management.io/blog/2025/open-cluster-management-%E7%A4%BE%E5%8C%BA%E8%AF%9A%E9%82%80%E6%82%A8%E5%85%B1%E8%B5%B4-kubecon-china-2025-%E6%8E%A2%E8%AE%A8%E5%A4%9A%E9%9B%86%E7%BE%A4%E7%AE%A1%E7%90%86%E6%96%B0%E6%9C%AA%E6%9D%A5/ Thu, 22 May 2025 00:00:00 +0000 https://open-cluster-management.io/blog/2025/open-cluster-management-%E7%A4%BE%E5%8C%BA%E8%AF%9A%E9%82%80%E6%82%A8%E5%85%B1%E8%B5%B4-kubecon-china-2025-%E6%8E%A2%E8%AE%A8%E5%A4%9A%E9%9B%86%E7%BE%A4%E7%AE%A1%E7%90%86%E6%96%B0%E6%9C%AA%E6%9D%A5/ <p>KubeCon + CloudNativeCon China 2025 即将于6 月 10-11 日在香港盛大举行，这是云原生领域最具影响力的技术盛会之一。作为云原生多集群管理领域的领军项目之一，Open Cluster Management (OCM) 社区将带来三个精彩议题，与您共同探讨多集群管理领域的最新创新和突破。在这里，您将有机会与来自全球的云原生专家面对面交流，深入了解 OCM 如何通过创新的技术方案，帮助企业应对日益复杂的多集群管理挑战，开启云原生多集群管理的新篇章。</p> <img src="./assets/kubecon2025cn.jpg" alt="KubeCon China 2025 Banner" width="80%" style="display: block; margin: 0;"> <h2 id="议题信息">议题信息</h2> <h3 id="闪电演讲使用ocm-addon简化多集群集成"><a href="https://kccncchn2025.sched.com/event/1xjzH/project-lightning-talk-simplifying-multi-cluster-integrations-with-ocm-addon-jian-zhu-maintainer?iframe=no&amp;w=100%25&amp;sidebar=yes&amp;bg=no">闪电演讲：使用OCM Addon简化多集群集成</a></h3> <p><strong>时间</strong>：6 月 10 日 11:42 - 11:47 HKT<br> <strong>地点</strong>：Level 16 | Grand Ballroom I<br> <strong>演讲者</strong>：Jian Zhu (Red Hat)</p> <p>在这个闪电演讲中，Jian Zhu 将介绍 OCM 的 Addon 机制，展示如何通过简单的 YAML 文件实现多集群能力的扩展。主要内容包括：</p> <ul> <li>OCM Addon 机制概述及其在多集群环境中的作用</li> <li>项目集成案例：以 Fluid 为例，展示如何通过 Addon 增强多集群管理能力</li> <li>AddonTemplate API：简化 addon 创建和管理的创新方案</li> <li>实际应用价值：展示 OCM Addons 的效率和可扩展性</li> </ul> <h3 id="解锁-cel-在多集群调度中的强大能力"><a href="https://kccncchn2025.sched.com/event/1x5jG/unlocking-the-power-of-cel-for-advanced-multi-cluster-scheduling-qing-hao-jian-qiu-red-hat?iframe=no&amp;w=100%25&amp;sidebar=yes&amp;bg=no">解锁 CEL 在多集群调度中的强大能力</a></h3> <p><strong>时间</strong>：6 月 10 日 17:00 - 17:30 HKT<br> <strong>地点</strong>：Level 19 | Crystal Court II<br> <strong>演讲者</strong>：Qing Hao (Red Hat)</p> https://open-cluster-management.io/blog/2024/joining-ocm-hub-and-spoke-using-aws-irsa-authentication/ Mon, 02 Dec 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/joining-ocm-hub-and-spoke-using-aws-irsa-authentication/ <p>Refer <a href="https://github.com/open-cluster-management-io/ocm/tree/main/solutions/joining-hub-and-spoke-with-aws-auth">this</a> solution.</p> https://open-cluster-management.io/blog/2024/kubecon-na-2024-scheduling-ai-workload-among-multiple-clusters/ Tue, 12 Nov 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/kubecon-na-2024-scheduling-ai-workload-among-multiple-clusters/ <p>Read more at <a href="https://kccncna2024.sched.com/event/1iW9B/open-cluster-management-scheduling-ai-workload-among-multiple-clusters-project-lightning-talk">KubeCon NA 2024 - Open Cluster Management: Scheduling AI Workload Among Multiple Clusters | Project Lightning Talk</a> | <a href="https://www.youtube.com/watch?v=bZrjMEzX0rU">video</a>.</p> https://open-cluster-management.io/blog/2024/kubeday-australia-2024-open-sourcing-the-open-cluster-management-project-and-the-lessons-we-can-learn-for-ai/ Tue, 15 Oct 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/kubeday-australia-2024-open-sourcing-the-open-cluster-management-project-and-the-lessons-we-can-learn-for-ai/ <p>Read more at <a href="https://kubedayaustralia2024.sched.com/event/1hAUw/open-sourcing-the-open-cluster-management-project-and-the-lessons-we-can-learn-for-ai-august-simonelli-red-hat">KubeDay Australia 2024 - Open Sourcing the Open Cluster Management Project and the Lessons We Can Learn for AI</a> | <a href="https://www.youtube.com/watch?v=SLmJ6yJ6lAI">video</a>.</p> https://open-cluster-management.io/blog/2024/kubecon-cn-2024-boundaryless-computing-optimizing-llm-performance-cost-and-efficiency-in-multi-cloud-architecture-%E6%97%A0%E8%BE%B9%E7%95%8C%E8%AE%A1%E7%AE%97%E5%9C%A8%E5%A4%9A%E4%BA%91%E6%9E%B6%E6%9E%84%E4%B8%AD%E4%BC%98%E5%8C%96llm%E6%80%A7%E8%83%BD%E6%88%90%E6%9C%AC%E5%92%8C%E6%95%88%E7%8E%87/ Wed, 21 Aug 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/kubecon-cn-2024-boundaryless-computing-optimizing-llm-performance-cost-and-efficiency-in-multi-cloud-architecture-%E6%97%A0%E8%BE%B9%E7%95%8C%E8%AE%A1%E7%AE%97%E5%9C%A8%E5%A4%9A%E4%BA%91%E6%9E%B6%E6%9E%84%E4%B8%AD%E4%BC%98%E5%8C%96llm%E6%80%A7%E8%83%BD%E6%88%90%E6%9C%AC%E5%92%8C%E6%95%88%E7%8E%87/ <p>Read more at <a href="https://kccncossaidevchn2024.sched.com/event/1eYXG/boundaryless-computing-optimizing-llm-performance-cost-and-efficiency-in-multi-cloud-architecture-yi-dui-dou-zhao-daepnano-llmxia-reyi-jian-zhu-red-hat-kai-zhang-alibaba-cloud-intelligence">KubeCon CN 2024 - Boundaryless Computing: Optimizing LLM Performance, Cost, and Efficiency in Multi-Cloud Architecture</a>.</p> https://open-cluster-management.io/blog/2024/kubecon-cn-2024-connecting-the-dots-towards-a-unified-multi-cluster-ai/ml-experience-%E8%BF%9E%E6%8E%A5%E7%82%B9%E8%B5%B0%E5%90%91%E7%BB%9F%E4%B8%80%E7%9A%84%E5%A4%9A%E9%9B%86%E7%BE%A4ai/ml%E4%BD%93%E9%AA%8C/ Wed, 21 Aug 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/kubecon-cn-2024-connecting-the-dots-towards-a-unified-multi-cluster-ai/ml-experience-%E8%BF%9E%E6%8E%A5%E7%82%B9%E8%B5%B0%E5%90%91%E7%BB%9F%E4%B8%80%E7%9A%84%E5%A4%9A%E9%9B%86%E7%BE%A4ai/ml%E4%BD%93%E9%AA%8C/ <p>Read more at <a href="https://kccncossaidevchn2024.sched.com/event/1eYXc/connecting-the-dots-towards-a-unified-multi-cluster-aiml-experience-pu-daepyu-ni-zha-zhong-shi-aimlmo-qing-hao-redhat-chen-yu-microsoft">KubeCon CN 2024 - Connecting the Dots: Towards a Unified Multi-Cluster AI/ML Experience</a>.</p> https://open-cluster-management.io/blog/2024/kubecon-cn-2024-extend-kubernetes-to-edge-using-event-based-transport-%E4%BD%BF%E7%94%A8%E5%9F%BA%E4%BA%8E%E4%BA%8B%E4%BB%B6%E7%9A%84%E4%BC%A0%E8%BE%93%E5%B0%86kubernetes%E6%89%A9%E5%B1%95%E5%88%B0%E8%BE%B9%E7%BC%98/ Wed, 21 Aug 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/kubecon-cn-2024-extend-kubernetes-to-edge-using-event-based-transport-%E4%BD%BF%E7%94%A8%E5%9F%BA%E4%BA%8E%E4%BA%8B%E4%BB%B6%E7%9A%84%E4%BC%A0%E8%BE%93%E5%B0%86kubernetes%E6%89%A9%E5%B1%95%E5%88%B0%E8%BE%B9%E7%BC%98/ <p>Read more at <a href="https://kccncossaidevchn2024.sched.com/event/1eYX1/extend-kubernetes-to-edge-using-event-based-transport-zhi-27dzha-lian-kubernetesyi-sui-longlong-cao-meng-yan-red-hat">KubeCon CN 2024 - Extend Kubernetes to Edge Using Event-Based Transport</a>.</p> https://open-cluster-management.io/blog/2024/the-ha-hub-clusters-solution--multiplehubs/ Sun, 11 Aug 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/the-ha-hub-clusters-solution--multiplehubs/ <p>The <code>MultipleHubs</code> is a new feature in Open Cluster Management (OCM) that allows you to configure a list of bootstrap kubeconfigs of multiple hubs. This feature is designed to provide a high availability (HA) solution of hub clusters. In this blog, we will introduce the MultipleHubs feature and how to use it.</p> <p>The high availability of hub clusters means that if one hub cluster is down, the managed clusters can still communicate with other hub clusters. Users can also specify the hub cluster that the managed cluster should connect to by configuring the <code>ManagedCluster</code> resource.</p> https://open-cluster-management.io/blog/2024/using-the-gitops-way-to-deal-with-the-upgrade-challenges-of-multi-cluster-tool-chains/ Fri, 19 Jan 2024 00:00:00 +0000 https://open-cluster-management.io/blog/2024/using-the-gitops-way-to-deal-with-the-upgrade-challenges-of-multi-cluster-tool-chains/ <h2 id="upgrading-challenges-of-tool-chains-in-multi-cluster-environments">Upgrading challenges of tool chains in multi-cluster environments</h2> <p>Open Cluster Management (OCM) is a community-driven project focused on multicluster and multicloud scenarios for Kubernetes applications. It provides functions such as cluster registration, application and workload distribution, and scheduling. Add-on is an extension mechanism based on the foundation components provided by OCM, which allows applications in the Kubernetes ecosystem to be easily migrated to the OCM platform and has the ability to orchestrate and schedule across multiple clusters and multiple clouds. For example, Istio, Prometheus, and Submarine can be expanded to multiple clusters through Add-on. In a multi-cluster environment, how to upgrade the entire tool chain (such as Istio, Prometheus and other tools) gracefully and smoothly is a challenge we encounter in multi-cluster management. A failed upgrade of the tool chain can potentially render thousands of user workloads inaccessible. Therefore, finding an easy and safe upgrade solution across clusters becomes important.</p> https://open-cluster-management.io/blog/2023/open-cluster-management-configuring-your-kubernetes-fleet-with-the-policy-addon/ Wed, 22 Nov 2023 00:00:00 +0000 https://open-cluster-management.io/blog/2023/open-cluster-management-configuring-your-kubernetes-fleet-with-the-policy-addon/ <p>View the video at <a href="https://www.youtube.com/watch?v=ZZH654t5YpI">YouTube</a>.</p> https://open-cluster-management.io/blog/2023/%E4%BB%A5gitops%E6%96%B9%E5%BC%8F%E5%BA%94%E5%AF%B9%E5%A4%9A%E9%9B%86%E7%BE%A4%E5%B7%A5%E5%85%B7%E9%93%BE%E7%9A%84%E5%8D%87%E7%BA%A7%E6%8C%91%E6%88%98/ Fri, 27 Oct 2023 00:00:00 +0000 https://open-cluster-management.io/blog/2023/%E4%BB%A5gitops%E6%96%B9%E5%BC%8F%E5%BA%94%E5%AF%B9%E5%A4%9A%E9%9B%86%E7%BE%A4%E5%B7%A5%E5%85%B7%E9%93%BE%E7%9A%84%E5%8D%87%E7%BA%A7%E6%8C%91%E6%88%98/ <h2 id="多集群环境下工具链的升级挑战">多集群环境下工具链的升级挑战</h2> <p>OCM（open-cluster-management）是一个专注于 Kubernetes 应用跨多集群和多云的管理平台，提供了集群的注册，应用和负载的分发，调度等基础功能。Add-on 插件是 OCM 提供的一种基于基础组件的扩展机制，可以让 Kubernetes 生态的应用很容易迁移到 OCM 平台上，拥有跨多集群多云的编排和调度的能力。如 Istio，Prometheus，Submarine 可以通过 Add-on 的方式扩展至多集群。在多集群环境中，如何优雅、平滑地升级整个工具链（比如 Istio、Prometheus 和其他工具）是我们在多集群管理中遇到的挑战，工具链的升级失败可能会导致数千个用户工作负载无法访问。因此，找到一种简单、安全的跨集群升级解决方案变得非常重要。</p> <p>本文我们将介绍 Open Cluster Management(OCM)如何将工具链升级视为配置文件的变更，使用户能够利用 Kustomize 或 GitOps 实现跨集群的无缝滚动/金丝雀升级。</p> <p>在正式开始前，首先介绍几个 OCM 中的概念。</p> <h2 id="add-on-插件">add-on 插件</h2> <p>在 OCM 平台上，add-on 插件可以实现在不同托管集群（Spoke）上应用不同的配置，也可以实现从控制面（Hub）获取数据到 Spoke 集群上等功能。比如：你可以使用<a href="https://github.com/open-cluster-management-io/managed-serviceaccount">managed-serviceaccount</a> 插件在 Spoke 集群上将指定的 ServiceaCount 信息返回给 Hub 集群，可以使用<a href="https://github.com/open-cluster-management-io/cluster-proxy">cluster-proxy</a>插件建立一个从 spoke 到 hub 的反向代理通道。</p> <p>现阶段 OCM 社区已经有的一些 add-on：</p> <ul> <li><a href="https://github.com/open-cluster-management-io/multicluster-mesh">Multicluster Mesh Addon</a> 可用于管理（发现、部署和联合）OCM 中跨多个集群的服务网格。</li> <li><a href="https://github.com/stolostron/submariner-addon">Submarine Addon</a> 让<a href="https://github.com/submariner-io/submariner">Submarine</a> 和 OCM 方便集成，在 hub cluster 上部署 Submariner Broker，在 managed cluster 上部署所需的 Submariner 组件, 为托管集群提供跨集群的 Pod 和 Service 网络互相访问的能力。</li> <li><a href="https://github.com/open-cluster-management-io/addon-contrib/tree/main/open-telemetry-addon">Open-telemetry add-on</a> 自动在 hub cluster 和 managed cluster 上 安装 otelCollector，并在 hub cluster 上自动安装 jaeger-all-in-one 以处理和存储 traces。</li> <li><a href="https://open-cluster-management.io/zh/getting-started/integration/app-lifecycle/">Application lifecycle management</a> 实现多集群或多云环境中的应用程序生命周期管理。add-on 插件提供了一套通过 Subscriptions 订阅 channel，将 github 仓库，Helm release 或者对象存储仓库的应用分发到指定 Spoke 集群上的机制。</li> <li><a href="https://open-cluster-management.io/getting-started/integration/policy-framework/">Policy framework</a>和<a href="https://open-cluster-management.io/getting-started/integration/policy-controllers/">Policy controllers</a> add-on 插件可以让 Hub 集群管理员很轻松为 Spoke 集群部署安全相关的 policy 策略。</li> <li><a href="https://open-cluster-management.io/getting-started/integration/managed-serviceaccount/">Managed service account</a> add-on 插件可以让 Hub 集群管理员很容易管理 Spoke 集群上 serviceaccount。</li> <li><a href="https://open-cluster-management.io/getting-started/integration/cluster-proxy/">Cluster proxy</a> add-on 插件通过反向代理通道提供了 Hub 和 Spoke 集群之间 L4 网络连接。</li> </ul> <p><strong>更多关于 add-on 插件的介绍可以参考<a href="https://open-cluster-management.io/zh/blog/addon-introduction/">详解 OCM add-on 插件</a>。</strong></p> https://open-cluster-management.io/blog/2023/%E8%AF%A6%E8%A7%A3ocm-add-on%E6%8F%92%E4%BB%B6/ Wed, 24 May 2023 00:00:00 +0000 https://open-cluster-management.io/blog/2023/%E8%AF%A6%E8%A7%A3ocm-add-on%E6%8F%92%E4%BB%B6/ <h2 id="ocm-add-on插件概述">OCM add-on插件概述</h2> <p>OCM （open-cluster-management）是一个专注于Kubernetes应用跨多集群和多云的管理平台， 提供了集群的注册，应用和负载的分发，调度等基础功能。Add-on插件是OCM提供的一种基于基础组建 的扩展机制，可以让Kubernetes生态的应用很容易迁移到OCM平台上，拥有跨多集群多云的编排和调度的能力。</p> <p>在OCM平台上，add-on插件可以实现不同被管理集群（Spoke）上应用的不同的配置，也可以实现从控制面（Hub） 获取数据到Spoke集群上等功能。比如：你可以使用<a href="https://github.com/open-cluster-management-io/managed-serviceaccount">managed-serviceaccount</a> add-on插件在Spoke集群上将指定的ServiceaCount信息返回给Hub集群，可以使用<a href="https://github.com/open-cluster-management-io/cluster-proxy">cluster-proxy</a> add-on插件建立一个从spoke到hub的反向代理通道。</p> <p>现阶段OCM社区已经有的一些add-on：</p> <ul> <li><a href="https://open-cluster-management.io/zh/getting-started/integration/app-lifecycle/">Application lifecycle management</a> add-on插件提供了一套通过Subscriptions订阅channel，将github仓库，Helm release或者对象存储仓库的应用分发到指定Spoke集群上的机制。</li> <li><a href="https://open-cluster-management.io/getting-started/integration/cluster-proxy/">Cluster proxy</a> add-on插件通过反向代理通道提供了Hub和Spoke集群之间L4网络连接。</li> <li><a href="https://open-cluster-management.io/getting-started/integration/managed-serviceaccount/">Managed service account</a> add-on插件可以让Hub集群管理员很容易管理Spoke集群上serviceaccount。</li> <li><a href="https://open-cluster-management.io/getting-started/integration/policy-framework/">Policy framework</a> 和 <a href="https://open-cluster-management.io/getting-started/integration/policy-controllers/">Policy controllers</a> add-on插件可以让Hub集群管理员很轻松为Spoke集群部署安全相关的policy策略。</li> <li><a href="https://github.com/stolostron/submariner-addon">Submarine Addon</a> add-on插件可以让<a href="https://github.com/submariner-io/submariner">Submarine</a> 和OCM方便集成，为被管理集群提供跨集群的Pod和Service网络互相访问的能力。</li> <li><a href="https://github.com/stolostron/multicluster-mesh-addon">Multicluster Mesh Addon</a> add-on插件为OCM被管理集群提供了跨集群Service Mesh服务。</li> </ul> <p>本文将详细介绍add-on插件的实现机制。</p> <h2 id="ocm-add-on-插件实现机制">OCM add-on 插件实现机制</h2> <p>通常情况下一个add-on插件包含2部分组成：</p> <ol> <li><code>Add-on Agent</code> 是运行在Spoke集群上的任何Kubernetes资源，比如可以是一个有访问Hub权限的Pod，可以是一个Operator，等等。</li> <li><code>Add-on Manager</code> 是运行中Hub集群上的一个Kubernetes控制器。这个控制器可以通过<a href="https://open-cluster-management.io/concepts/manifestwork/">ManifestWork</a> 来给不同Spoke集群部署分发<code>Add-on Agent</code>所需要的Kubernetes资源, 也可以管理<code>Add-on Agent</code>所需要的权限等。</li> </ol> <p>在OCM Hub集群上，关于add-on插件有2个主要的API：</p> <ol> <li><code>ClusterManagementAddOn</code>: 这是一个cluster-scoped的API，每个add-on插件必须创建一个同名的实例用来描述add-on插件的名字 和描述信息，以及配置，安装部署策略等。</li> <li><code>ManagedClusterAddOn</code>: 这是一个namespace-scoped的API，部署到spoke集群的namespace下的和add-on同名的实例用来触发 <code>Add-on Agent</code>安装部署到该Spoke集群。我们也可以通过这个API获取这个add-on插件的agent的健康状态信息。</li> </ol> <p>Add-on 插件架构如下：</p> <div style="text-align: center; padding: 20px;"> <img src="./assets/addon-architecture.png" alt="Addon Architecture" style="margin: 0 auto; width: 80%"> </div> <p>创建：</p> https://open-cluster-management.io/blog/2023/%E4%BD%BF%E7%94%A8ocm%E8%AE%A9%E5%A4%9A%E9%9B%86%E7%BE%A4%E8%B0%83%E5%BA%A6%E6%9B%B4%E5%85%B7%E5%8F%AF%E6%89%A9%E5%B1%95%E6%80%A7/ Wed, 10 May 2023 00:00:00 +0000 https://open-cluster-management.io/blog/2023/%E4%BD%BF%E7%94%A8ocm%E8%AE%A9%E5%A4%9A%E9%9B%86%E7%BE%A4%E8%B0%83%E5%BA%A6%E6%9B%B4%E5%85%B7%E5%8F%AF%E6%89%A9%E5%B1%95%E6%80%A7/ <h2 id="背景问题">背景问题</h2> <p>OCM Placement API 可以动态的在多集群环境中选择一组托管集群<code>ManagedCluster</code>，以便将工作负载部署到这些集群上。</p> <p>在上一篇<a href="https://mp.weixin.qq.com/s/_k2MV4b3hfTrLUCCOKOG8g">CNCF 沙箱项目 OCM Placement 多集群调度指南</a>中，我们详细介绍了 Placement 的基本概念，提供的调度功能以及调度流程。同时还通过示例展示了如何在不同的应用场景下使用 Placement API。建议首次接触 Placement 的读者先阅读此文。</p> <p>Placement 提供了通过标签选择器<code>labelSelector</code>或声明选择器<code>claimSelector</code>过滤集群，同时也提供了一些内置的优选器<code>prioritizer</code>，可对过滤后的集群进行打分排序和优先选择。 内置的<code>prioritizer</code>中包括了最大可分配 CPU 资源(ResourceAllocatableCPU)和最大可分配内存资源(ResourceAllocatableMemory)，它们提供了根据集群的可分配 CPU 和内存进行调度的能力。但是，由于集群的&quot;AllocatableCPU&quot;和&quot;AllocatableMemory&quot;是静态值，即使&quot;集群资源不足&quot;，它们也不会改变。这导致在实际使用中，这两个<code>prioritizer</code>不能满足基于实时可用 CPU 或内存进行调度的需求。此外，使用者还可能需要根据从集群中获取的资源监控数据进行调度，这些都是内置的<code>prioritizer</code>无法满足的需求。</p> <p>以上这些需求要求 Placement 能够更灵活的根据第三方数据来进行调度。为此，我们实现了一种更具扩展性的方式来支持基于第三方数据的调度，使用者可以使用自定义的分数来选择集群。</p> <p>本文将介绍 OCM 是如何让多集群调度更具可扩展性，并通过实例展示如何实现一个第三方数据控制器<code>controller</code>来扩展 OCM 的多集群调度功能。</p> <h2 id="ocm-如何让调度具有可扩展性">OCM 如何让调度具有可扩展性</h2> <p>为了实现基于第三方数据的调度，OCM 引入了 API <code>AddOnPlacementScore</code>，它支持存储自定义的集群分数，使用者可以在 Placement 中指定使用此分数选择集群。</p> <p>如下是一个<code>AddOnPlacementScore</code>的例子，更多关于 API 的细节可访问<a href="https://github.com/open-cluster-management-io/api/blob/main/cluster/v1alpha1/types_addonplacementscore.go" title="types_addonplacementscore.go">types_addonplacementscore.go</a>。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">apiVersion</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">cluster.open-cluster-management.io/v1alpha1</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span><span style="color:#204a87;font-weight:bold">kind</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">AddOnPlacementScore</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span><span style="color:#204a87;font-weight:bold">metadata</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">name</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">default</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">namespace</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">cluster1</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span><span style="color:#204a87;font-weight:bold">status</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">conditions</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">lastTransitionTime</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#4e9a06">&#34;2021-10-28T08:31:39Z&#34;</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">message</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">AddOnPlacementScore updated successfully</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">reason</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">AddOnPlacementScoreUpdated</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">status</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#4e9a06">&#34;True&#34;</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">type</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">AddOnPlacementScoreUpdated</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">validUntil</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#4e9a06">&#34;2021-10-29T18:31:39Z&#34;</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">scores</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">name</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#4e9a06">&#34;cpuAvailable&#34;</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">value</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#0000cf;font-weight:bold">66</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">name</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#4e9a06">&#34;memAvailable&#34;</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">value</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#0000cf;font-weight:bold">55</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span></code></pre></div><p><code>AddOnPlacementScore</code>的主要内容都在<code>status</code>中，因为我们不希望使用者更新它。<code>AddOnPlacementScore</code>的生命周期维护及<code>scores</code>的更新应该由第三方<code>controller</code>负责。</p> https://open-cluster-management.io/blog/2023/how-to-distribute-workloads-using-open-cluster-management/ Thu, 19 Jan 2023 00:00:00 +0000 https://open-cluster-management.io/blog/2023/how-to-distribute-workloads-using-open-cluster-management/ <p>Read more at <a href="https://developers.redhat.com/articles/2023/01/19/how-distribute-workloads-using-open-cluster-management">Red Hat Developers</a>.</p> https://open-cluster-management.io/blog/2022/kubecon-na-2022-ocm-multicluster-app-config-management/ Wed, 26 Oct 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/kubecon-na-2022-ocm-multicluster-app-config-management/ <p>Read more at <a href="https://open-cluster-management.io/kubecon-na-2022-ocm-multicluster-app-and-config-management.pdf">KubeCon NA 2022 - OCM Multicluster App &amp; Config Management</a>.</p> https://open-cluster-management.io/blog/2022/kubecon-na-2022-ocm-workload-distribution-with-placement-api/ Wed, 26 Oct 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/kubecon-na-2022-ocm-workload-distribution-with-placement-api/ <p>Read more at <a href="https://open-cluster-management.io/kubecon-na-2022-ocm-workload-distribution-with-placement-api.pdf">KubeCon NA 2022 - OCM Workload distribution with Placement API</a>.</p> https://open-cluster-management.io/blog/2022/karmada-and-open-cluster-management-two-new-approaches-to-the-multicluster-fleet-management-challenge/ Mon, 26 Sep 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/karmada-and-open-cluster-management-two-new-approaches-to-the-multicluster-fleet-management-challenge/ <p>Read more at <a href="https://www.cncf.io/blog/2022/09/26/karmada-and-open-cluster-management-two-new-approaches-to-the-multicluster-fleet-management-challenge/">CNCF Blog</a>.</p> https://open-cluster-management.io/blog/2022/extending-the-multicluster-scheduling-capabilities-with-open-cluster-management-placement/ Thu, 15 Sep 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/extending-the-multicluster-scheduling-capabilities-with-open-cluster-management-placement/ <p>Read more at <a href="https://cloud.redhat.com/blog/extending-the-multicluster-scheduling-capabilities-with-open-cluster-management-placement">Red Hat Cloud Blog</a>.</p> https://open-cluster-management.io/blog/2022/%E8%AF%A6%E8%A7%A3ocm-klusterlet%E7%A7%98%E9%92%A5%E7%AE%A1%E7%90%86%E6%9C%BA%E5%88%B6/ Mon, 25 Apr 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/%E8%AF%A6%E8%A7%A3ocm-klusterlet%E7%A7%98%E9%92%A5%E7%AE%A1%E7%90%86%E6%9C%BA%E5%88%B6/ <h2 id="概述">概述</h2> <p>在<code>open-cluster-management</code>中，为了使控制面有更好的可扩展性，我们使用了<code>hub-spoke</code>的架构：即集中的控制面（hub只 负责处理控制面的资源和数据而无需访问被管理的集群；每个被管理集群（spoke）运行一个称为<code>klusterlet</code>的agent访问控制面获取 需要执行的任务。在这个过程中，<code>klusterlet</code>需要拥有访问<code>hub</code>集群的秘钥才能和<code>hub</code>安全通信。确保秘钥的安全性是非常重要的， 因为如果这个秘钥被泄露的话有可能导致对hub集群的恶意访问或者窃取敏感信息，特别是当<code>ocm</code>的被管理集群分布在不同的公有云中的时候。 为了保证秘钥的安全性，我们需要满足一些特定的需求：</p> <ol> <li>尽量避免秘钥在公有网络中的传输</li> <li>秘钥的刷新和废除</li> <li>细粒度的权限控制</li> </ol> <p>本文将详细介绍<code>ocm</code>是如何实现秘钥的管理来保证控制面板和被管理集群之间的安全访问的。</p> <h2 id="架构和机制">架构和机制</h2> <p>在ocm中我们采用了以下几个机制来确保控制面和被管理集群之间访问的安全性：</p> <ol> <li>基于<code>CertificateSigniningRequest</code>的mutual tls</li> <li>双向握手协议和动态<code>klusterlet</code>ID</li> <li>认证和授权的分离</li> </ol> <h3 id="基于certificatesigniningrequest的mutual-tls">基于<code>CertificateSigniningRequest</code>的mutual tls</h3> <p>使用<code>kubernetes</code>的<code>CertificateSigniningRequest</code>（<a href="https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/">CSR</a>）API可以方便的生成客户认证证书。这个机制可以让<code>klusterlet</code>在第一次 启动访问<code>hub</code>集群时使用一个权限很小的秘钥来创建CSR。当CSR返回了生成的证书后，<code>klusterlet</code>就可以用后续生成的带有更大访问权限的 证书来访问<code>hub</code>集群。在使用csr的过程中，<code>klusterlet</code>的私钥不会在网络中传输而是一直保存在被管理集群中；只有CSR的公钥和初始阶段需要的 小权限秘钥（bootstrap secret）会在不同集群间传输。这就最大程度的保证秘钥不会在传输过程中被泄露出去。</p> <h3 id="双向握手协议和动态klusterletid">双向握手协议和动态<code>klusterlet</code>ID</h3> <p>那么如果初始阶段的bootstrap secret被泄露了会怎么样呢？这就牵涉到OCM中的双向握手协议。当被管理集群中的<code>klusterlet</code>使用bootstrap secret 发起了第一次请求的时候, hub集群不会立刻为这个请求创建客户证书和对应的访问权限。这个请求将处在<code>Pending</code>状态，直到hub集群拥有特定管理权限的管理员 同意了<code>klusterlet</code>的接入请求后，客户证书和特定权限才会被创建出来。这个请求中包含了<code>klusterlet</code>启动阶段生成的动态ID，管理员需要确保这个ID和被 管理集群上<code>klusterlet</code>的ID一致才能同意<code>klusterlet</code>的接入。这也就确保了如果bootstrap secret被不慎泄露后，CSR也不会被管理员轻易的接受。</p> <p><code>klusterlet</code>使用的客户证书是有过期时间的，<code>klusterlet</code>需要在证书过期之前使用现有的客户证书发起新的<code>CSR</code>请求来获取新的客户证书。<code>hub</code>集群会检验 更新证书的<code>CSR</code>请求是否合法并自动签署新的客户证书。需要注意的是由于<code>klusterlet</code>使用了动态ID的机制，只有<code>klusterlet</code>本身发起的<code>CSR</code>请求才会 被自动签署。如果<code>klusterlet</code>在集群中被卸载然后重新部署后，它必须重新使用bootstrap secret流程来获取客户证书。</p> <h3 id="认证和授权的分离">认证和授权的分离</h3> <p>在<code>klusterlet</code>的<code>CSR</code>请求被接受后，它获得了被<code>hub</code>集群认证通过的客户证书，但是它在这个时候还没有对<code>hub</code>集群上特定资源访问的权限。 <code>ocm</code>中还有一个单独的授权流程。每个被管理集群的<code>klusterlet</code>时候有权限访问<code>hub</code>集群的特定资源是被对应<code>ManagedCluster</code>API上的 <code>hubAcceptsClient</code>域来控制的。只有当这个域被置位<code>true</code>时，<code>hub</code>集群的控制器才会为对应<code>klusterlet</code>赋予权限。而设置这个域需要用户 在<code>hub</code>集群中对<code>managedcluster/accept</code>具有<code>update</code>权限才可以。如下面的<code>clusterrole</code>的例子表示用户只能对<code>cluster1</code>这个 <code>ManagedCluster</code>上的<code>klusterlet</code>赋予权限。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">apiVersion</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">rbac.authorization.k8s.io/v1</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span><span style="color:#204a87;font-weight:bold">kind</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">ClusterRole</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span><span style="color:#204a87;font-weight:bold">metadata</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">name</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">open-cluster-management:hub</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span><span style="color:#204a87;font-weight:bold">rules</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"></span>- <span style="color:#204a87;font-weight:bold">apiGroups</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000;font-weight:bold">[</span><span style="color:#4e9a06">&#34;register.open-cluster-management.io&#34;</span><span style="color:#000;font-weight:bold">]</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">resources</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000;font-weight:bold">[</span><span style="color:#4e9a06">&#34;managedclusters/accept&#34;</span><span style="color:#000;font-weight:bold">]</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">verbs</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000;font-weight:bold">[</span><span style="color:#4e9a06">&#34;update&#34;</span><span style="color:#000;font-weight:bold">]</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">resourceNames</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000;font-weight:bold">[</span><span style="color:#4e9a06">&#34;cluster1&#34;</span><span style="color:#000;font-weight:bold">]</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span></code></pre></div><p>将认证和授权的流程分开的原因是通常情况下<code>hub</code>集群具有<code>approve CSR</code>权限的用户和&quot;允许klusterlet接入hub&quot;集群的用户并不完全一致。以上 机制就可以保证即使用户拥有<code>approve CSR</code>的权限也不能给任意的<code>klusterlet</code>赋予接入<code>hub</code>集群的权限。</p> <h2 id="实现细节">实现细节</h2> <p>所有认证授权和秘钥管理的代码实现都在<a href="https://github.com/open-cluster-management-io/ocm/tree/main/cmd/registration">registration</a>组件中。大概的流程 如下图所示</p> <p><img src="https://open-cluster-management.io/blog/2022/%E8%AF%A6%E8%A7%A3ocm-klusterlet%E7%A7%98%E9%92%A5%E7%AE%A1%E7%90%86%E6%9C%BA%E5%88%B6/assets/registration-process.png" alt=""></p> https://open-cluster-management.io/blog/2022/%E9%80%9A%E8%BF%87ocm%E8%AE%BF%E9%97%AE%E4%B8%8D%E5%90%8Cvpc%E4%B8%8B%E7%9A%84%E9%9B%86%E7%BE%A4/ Wed, 20 Apr 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/%E9%80%9A%E8%BF%87ocm%E8%AE%BF%E9%97%AE%E4%B8%8D%E5%90%8Cvpc%E4%B8%8B%E7%9A%84%E9%9B%86%E7%BE%A4/ <h2 id="问题背景">问题背景</h2> <p>当我们拥有多个集群时，一个很常见的需求是：不同的用户希望能访问位于不同VPC下的集群。比如，开发人员希望能够在测试集群部署应用，或者运维人员希望能够在生产集群上进行故障排查。</p> <p>作为多个集群的管理员，为了实现该需求，需要在各个集群为用户：</p> <ol> <li>绑定Role。</li> <li>提供访问配置（证书或Token）。</li> <li>提供访问入口。</li> </ol> <p>但是，这种方式有以下几个问题：</p> <ul> <li>网络隔离：集群位于私有数据中心，那么管理员就需要为集群用户进行特殊的网络配置，比如建立VPN或者跳板机。</li> <li>网络安全：为用户暴露的集群端口，会增加集群的安全风险。</li> <li>配置过期：证书中的秘钥和Token都有过期时间，管理员需要定期为用户做配置更新。</li> </ul> <p>而通过安装OCM以及cluster-proxy，managed-serviceaccount两个插件，管理员则可以在不暴露集群端口的情况下，为不同用户提供统一访问入口，并方便地管理不同用户的访问权限。</p> <h2 id="基本概念">基本概念</h2> <p>以下，我们通过一个简单的例子来解释OCM以及cluster-proxy，managed-serviceaccount的基本概念。</p> <p>假设我们有3个集群，分别位于两个不同的VPC中，其中VPC-1中的集群可以被所有用户访问，而VPC-2中的2个集群只能被管理员访问。</p> <p>管理员希望通过VPC-1中的集群（后文称“管理集群”）为用户提供统一的访问入口，使用户可以访问VPC-2中的集群（后文称“受管集群”）。</p> <p><img src="https://open-cluster-management.io/blog/2022/%E9%80%9A%E8%BF%87ocm%E8%AE%BF%E9%97%AE%E4%B8%8D%E5%90%8Cvpc%E4%B8%8B%E7%9A%84%E9%9B%86%E7%BE%A4/assets/diagram-1.png" alt=""></p> <h3 id="ocm是什么">OCM是什么？</h3> <p>OCM 全称为 Open Cluster Management，旨在解决多集群场景下的集群注册管理，工作负载分发，以及动态的资源配置等功能。</p> <p>安装OCM之后，我们可以将受管集群注册加入管理集群，完成注册后，在管理集群中会创建一个与受管集群注册名相同的命名空间。比如，受管集群以cluster1注册到管理集群，那么就会对应创建一个名为cluster1的命名空间。在管理集群上，我们可以通过这些不同的命令空间来区分多个受管集群的资源。</p> <p>注册过程不要求受管集群向管理集群暴露访问接口。</p> <p><img src="https://open-cluster-management.io/blog/2022/%E9%80%9A%E8%BF%87ocm%E8%AE%BF%E9%97%AE%E4%B8%8D%E5%90%8Cvpc%E4%B8%8B%E7%9A%84%E9%9B%86%E7%BE%A4/assets/diagram-2.png" alt=""></p> <p>更多有关于OCM的架构细节，请参考<a href="https://open-cluster-management.io/docs/concepts/architecture/">官方文档</a>。</p> <h3 id="cluster-proxy是什么">cluster-proxy是什么？</h3> <p>cluster-proxy是使用OCM的<a href="https://github.com/open-cluster-management-io/addon-framework">addon-framework</a>实现的一个基于 <a href="https://github.com/kubernetes-sigs/apiserver-network-proxy">apiserver-network-proxy</a>（后文简写为：ANP）的插件。插件安装后，会在管理集群上安装ANP的组件proxy-server，在受管集群上安装ANP的组件proxy-agent。</p> <p>接着proxy-agent通过管理集群上暴露的端口，向proxy-server发送注册请求，并建立一条全双工通信的GRPC管道。</p> <p>需要注意的是，cluster-proxy建立的GRPC通道只是保证了管理集群到被管理集群的网络连通性，如果用户想访问被管理集群的APIServer或者其他服务，仍需要从被管理集群获得相应的认证秘钥和权限。</p> <p><img src="https://open-cluster-management.io/blog/2022/%E9%80%9A%E8%BF%87ocm%E8%AE%BF%E9%97%AE%E4%B8%8D%E5%90%8Cvpc%E4%B8%8B%E7%9A%84%E9%9B%86%E7%BE%A4/assets/diagram-3.png" alt=""></p> <p>更多有关cluster-proxy的信息，请参考<a href="https://open-cluster-management.io/docs/getting-started/integration/cluster-proxy/">官方文档</a>。</p> <h3 id="managed-serviceaccount是什么">managed-serviceaccount是什么？</h3> <p>Managed-serviceaccount（后文简写为：MSA）也是利用OCM的<a href="https://github.com/open-cluster-management-io/addon-framework">addon-framework</a>实现的插件。</p> <p>安装该插件后，可以在管理集群上配置<code>ManagedServiceAcccount</code>的CR，插件会根据此CR的<code>spec</code>配置，在目标受管集群的<code>open-cluster-management-managed-serviceaccount</code>命名空间内，创建一个与CR同名的<code>ServiceAccount</code>。</p> <p>接着插件会将此<code>ServiceAccount</code>生成的对应token数据同步回管理集群，并在受管集群的命令空间中创建一个同名的<code>Secret</code>，用于保存该token。整个token的数据同步都是在OCM提供的MTLS连接中进行，从而确保token不会被第三方探查到。</p> <p>由此集群管理员可以在hub上通过MSA来获得访问被管理集群APIServer的token。当然这个token现在还没有被赋予权限，只要管理员为该token绑定相应的Role，就可以实现访问被管理集群的权限控制。</p> <p><img src="https://open-cluster-management.io/blog/2022/%E9%80%9A%E8%BF%87ocm%E8%AE%BF%E9%97%AE%E4%B8%8D%E5%90%8Cvpc%E4%B8%8B%E7%9A%84%E9%9B%86%E7%BE%A4/assets/diagram-4.png" alt=""></p> <p>更多有关managed-serviceaccount的信息，请参考<a href="https://open-cluster-management.io/docs/getting-started/integration/managed-serviceaccount/">官方文档</a>。</p> <h2 id="样例">样例</h2> <p>接下来通过一个简单的例子来演示如何使用OCM，cluster-proxy，managed-serviceaccount来实现跨VPC访问集群。</p> <p>首先从管理员视角，我们通过脚本快速创建一个基于<a href="https://kind.sigs.k8s.io/">kind</a>的多集群环境，其中具有一个管理集群（hub），以及两个受管集群（cluster1, cluster2）。并且 cluster1, cluster2 会通过 OCM 注册到了 hub。</p> <p>该脚本还会为我们安装OCM的CLI工具<a href="https://github.com/open-cluster-management-io/clusteradm">clusteradm</a>。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -L &lt;https://raw.githubusercontent.com/open-cluster-management-io/OCM/main/solutions/setup-dev-environment/local-up.sh&gt; <span style="color:#000;font-weight:bold">|</span> bash </span></span></code></pre></div><p>然后，管理员还需要安装两个插件：</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># 安装 cluster-proxy</span> </span></span><span style="display:flex;"><span>helm install <span style="color:#4e9a06">\\</span> </span></span><span style="display:flex;"><span> -n open-cluster-management-addon --create-namespace <span style="color:#4e9a06">\\</span> </span></span><span style="display:flex;"><span> cluster-proxy ocm/cluster-proxy </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># 安装 managed-service</span> </span></span><span style="display:flex;"><span>helm install <span style="color:#4e9a06">\\</span> </span></span><span style="display:flex;"><span> -n open-cluster-management-addon --create-namespace <span style="color:#4e9a06">\\</span> </span></span><span style="display:flex;"><span> managed-serviceaccount ocm/managed-serviceaccount </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># 验证 cluster-proxy 已安装</span> </span></span><span style="display:flex;"><span>clusteradm get addon cluster-proxy </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># 验证 managed-serviceaccount 已安装</span> </span></span><span style="display:flex;"><span>clusteradm get addon managed-serviceaccount </span></span></code></pre></div><p>完成安装后，管理员希望给用户能够访问cluster1，他需要通过以下命令创建一个在hub的命令空间cluster1中，创建一个MSA的CR：</p> https://open-cluster-management.io/blog/2022/using-the-open-cluster-management-placement-for-multicluster-scheduling/ Wed, 12 Jan 2022 00:00:00 +0000 https://open-cluster-management.io/blog/2022/using-the-open-cluster-management-placement-for-multicluster-scheduling/ <p>Read more at <a href="https://cloud.redhat.com/blog/using-the-open-cluster-management-placement-for-multicluster-scheduling">Red Hat Cloud Blog</a>.</p> https://open-cluster-management.io/blog/2021/using-the-open-cluster-management-add-on-framework-to-develop-a-managed-cluster-add-on/ Tue, 12 Oct 2021 00:00:00 +0000 https://open-cluster-management.io/blog/2021/using-the-open-cluster-management-add-on-framework-to-develop-a-managed-cluster-add-on/ <p>Read more at <a href="https://cloud.redhat.com/blog/using-the-open-cluster-management-add-on-framework-to-develop-a-managed-cluster-add-on">Red Hat Cloud Blog</a>.</p> https://open-cluster-management.io/blog/2021/the-next-kubernetes-frontier-multicluster-management/ Wed, 22 Sep 2021 00:00:00 +0000 https://open-cluster-management.io/blog/2021/the-next-kubernetes-frontier-multicluster-management/ <p>Read more at <a href="https://containerjournal.com/features/the-next-kubernetes-frontier-multicluster-management/">Container Journal</a>.</p> https://open-cluster-management.io/blog/2021/put-together-a-user-walk-through-for-the-basic-open-cluster-management-api-using-kind-olm-and-other-open-source-technologies/ Mon, 24 May 2021 00:00:00 +0000 https://open-cluster-management.io/blog/2021/put-together-a-user-walk-through-for-the-basic-open-cluster-management-api-using-kind-olm-and-other-open-source-technologies/ <p>Read more at <a href="https://github.com/mdelder/open-cluster-management-getting-started">GitHub</a>.</p> https://open-cluster-management.io/blog/2021/setting-up-open-cluster-management-the-hard-way/ Thu, 22 Apr 2021 00:00:00 +0000 https://open-cluster-management.io/blog/2021/setting-up-open-cluster-management-the-hard-way/ <p>Read more at <a href="https://github.com/sdminonne/ocm-the-hard-way">Setting up Open Cluster Management the hard way</a>.</p>