Proxy Global Resources

Introduction

The newly introduced proxy feature allows users to access all the resources in both the Karmada control plane and the member clusters. With it, users can:

  • create, update, patch, get, list, watch and delete resources in the control plane, such as deployments and jobs. All request behaviors are supported, just as when using karmada-apiserver.
  • update, patch, get, list, watch and delete resources in member clusters, such as pods, nodes, and custom resources.
  • access subresources, such as pods' log and exec.

Quick start

To try this feature quickly, this walkthrough uses the karmada-apiserver certificate.

Step 1: Obtain the karmada-apiserver certificate

For Karmada deployed using hack/local-up-karmada.sh, you can directly copy it from the $HOME/.kube/ directory.

  cp $HOME/.kube/karmada.config $HOME/karmada-proxy.config

Step 2: Access by proxy

Append /apis/search.karmada.io/v1alpha1/proxying/karmada/proxy to the server address in karmada-proxy.config. Then set this file as the default config:

  export KUBECONFIG=$HOME/karmada-proxy.config

Step 3: Define the resources to be proxied

Use a ResourceRegistry to define which member cluster resources you want to be proxied.

For example:

  apiVersion: search.karmada.io/v1alpha1
  kind: ResourceRegistry
  metadata:
    name: proxy-sample
  spec:
    targetCluster:
      clusterNames:
    resourceSelectors:
      - apiVersion: v1
        kind: Pod
      - apiVersion: v1
        kind: Node

After applying it, you can access pods and nodes with kubectl. Enjoy it!
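
The server-address edit from Step 2 can be scripted. The following is an added example, not code from the Karmada project: the function names add_proxy_path and sample_kubeconfig are hypothetical, and the addresses in the sample are constructed. It rewrites only the cluster entry whose address you pass, and does not append the path a second time if run again.

```shell
#!/usr/bin/env bash
# Added example (not from the Karmada project): rewrite one cluster entry of a
# kubeconfig copy so that it points at the proxy endpoint named in Step 2.
PROXY_PATH=/apis/search.karmada.io/v1alpha1/proxying/karmada/proxy

# add_proxy_path FILE SERVER
# Appends PROXY_PATH to the "server:" entry whose address equals SERVER.
# Other cluster entries are untouched, an entry that already carries the path
# is left alone (safe to re-run), and exit status 3 means SERVER was not found.
add_proxy_path() {
  local file="$1" server="${2%/}" tmp rc
  tmp=$(mktemp) || return 1
  awk -v want="$server" -v p="$PROXY_PATH" '
    /^[ \t]*server:[ \t]/ {
      url = $0
      sub(/^[ \t]*server:[ \t]*/, "", url)
      sub(/[ \t]+$/, "", url)
      sub(/\/$/, "", url)                      # tolerate a trailing slash
      if (url == (want p)) found = 1           # already rewritten
      else if (url == want) {
        indent = $0; sub(/server:.*/, "", indent)
        $0 = indent "server: " want p; found = 1
      }
    }
    { print }
    END { exit (found ? 0 : 3) }
  ' "$file" > "$tmp"
  rc=$?
  # cat into the existing file so its mode (it holds credentials) is kept.
  [ "$rc" -eq 0 ] && cat "$tmp" > "$file"
  rm -f "$tmp"
  return "$rc"
}

# Constructed sample kubeconfig fragment (addresses are made up) for a dry run.
sample_kubeconfig() {
  cat <<'EOF'
clusters:
- cluster:
    server: https://172.18.0.2:6443
  name: karmada-host
- cluster:
    server: https://172.18.0.2:5443/
  name: karmada-apiserver
EOF
}
```

After the copy in Step 1, call add_proxy_path with $HOME/karmada-proxy.config and the address of the karmada-apiserver entry as it appears in that file.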

FAQ

Is creating supported?

For resources not defined in a ResourceRegistry, create requests are redirected to the Karmada control plane, so the resources are created in the control plane. For resources defined in a ResourceRegistry, the proxy doesn't know which cluster to create them in, and responds with a MethodNotSupported error.

Can I read resources by selectors?

Label selectors are fully supported, while field selectors are limited to metadata.name and metadata.namespace.

When I get pods with kubectl, only NAME and AGE columns are displayed

Yes. kubectl uses application/json;as=Table;g=meta.k8s.io;v=v1 as the content type, while the proxy only implements defaultTableConvertor as its TableConvertor.

  NAME                     AGE
  nginx-65c54cc984-2jjw6   10s

But this doesn't affect the use of client-go, which uses application/json as the content type.

What will happen when I access resources with the same name across clusters?

At this stage, the proxy cannot distinguish between resources with the same name across clusters, so get/update/patch/delete and subresource requests will return a conflict error. When listing resources, the resources with the same name will be returned in the item list.

Users should design to avoid or tolerate this error.

How to access resources in a pull mode cluster?

We can deploy apiserver-network-proxy (ANP) to access it.