Access the Kubernetes API for an Azure Kubernetes Fleet Manager hub cluster
If your Azure Kubernetes Fleet Manager (Kubernetes Fleet) resource was created with a hub cluster, you can use it to centrally control scenarios like Kubernetes resource propagation. In this article, you learn how to access the Kubernetes API for a Kubernetes Fleet hub cluster.
- If you don't have an Azure trial subscription, create a trial subscription before you begin.
- You need a Kubernetes Fleet resource with a hub cluster and member clusters. If you don't have one, see Create an Azure Kubernetes Fleet Manager resource and join member clusters by using the Azure CLI.
- The identity (user or service principal) that you're using needs to have Microsoft.ContainerService/fleets/listCredentials/action permissions on the Kubernetes Fleet resource.
Access the Kubernetes API
Set the following environment variables for your subscription ID, resource group, and Kubernetes Fleet resource:
    export SUBSCRIPTION_ID=<subscription-id>
    export GROUP=<resource-group-name>
    export FLEET=<fleet-name>
Set the default Azure subscription by using the az account set command:

    az account set --subscription ${SUBSCRIPTION_ID}
Get the kubeconfig file of the Kubernetes Fleet hub cluster by using the az fleet get-credentials command:

    az fleet get-credentials --resource-group ${GROUP} --name ${FLEET}

Your output should look similar to the following example:

    Merged "hub" as current context in /home/fleet/.kube/config
Set the following environment variable for the FLEET_ID value of the hub cluster's Kubernetes Fleet resource:

    export FLEET_ID=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/fleets/${FLEET}
Authorize your identity to access the Kubernetes Fleet hub cluster by using the following commands.
For the ROLE environment variable, you can use one of the following four built-in role definitions as the value:
- Azure Kubernetes Fleet Manager RBAC Reader
- Azure Kubernetes Fleet Manager RBAC Writer
- Azure Kubernetes Fleet Manager RBAC Admin
- Azure Kubernetes Fleet Manager RBAC Cluster Admin
    export IDENTITY=$(az ad signed-in-user show --query "id" --output tsv)
    export ROLE="Azure Kubernetes Fleet Manager RBAC Cluster Admin"
    az role assignment create --role "${ROLE}" --assignee ${IDENTITY} --scope ${FLEET_ID}
Your output should look similar to the following example:
    {
      "canDelegate": null,
      "condition": null,
      "conditionVersion": null,
      "description": null,
      "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>/providers/Microsoft.Authorization/roleAssignments/<assignment>",
      "name": "<name>",
      "principalId": "<id>",
      "principalType": "User",
      "resourceGroup": "<GROUP>",
      "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
      "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>",
      "type": "Microsoft.Authorization/roleAssignments"
    }
Verify that you can access the API server by using the kubectl get memberclusters command:

    kubectl get memberclusters
If the command is successful, your output should look similar to the following example:
    NAME           JOINED   AGE
    aks-member-1   True     2m
    aks-member-2   True     2m
    aks-member-3   True     2m
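The following Python audit is an added example, not part of the original article or of any Azure tooling. It reviews role assignments for the four built-in roles listed above and flags any that are inherited from a scope broader than the Kubernetes Fleet resource, or that grant the Cluster Admin role. It assumes input shaped like the JSON from az role assignment list --scope "${FLEET_ID}" --include-inherited, with principalId, roleDefinitionName and scope fields; the function name, sample records and placeholder IDs are constructed for illustration.

```python
import json

# The four built-in role names listed on this page, least to most privileged.
FLEET_ROLES = [
    "Azure Kubernetes Fleet Manager RBAC Reader",
    "Azure Kubernetes Fleet Manager RBAC Writer",
    "Azure Kubernetes Fleet Manager RBAC Admin",
    "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
]


def audit_fleet_assignments(assignments, fleet_id):
    """Return (principalId, role, finding) tuples for assignments to review."""
    findings = []
    # Azure resource IDs are case-insensitive, so compare in lower case.
    fleet = fleet_id.rstrip("/").lower()
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role not in FLEET_ROLES:
            continue  # only the hub cluster data-plane roles are in scope here
        scope = a.get("scope", "").rstrip("/").lower()
        who = a.get("principalId", "<unknown>")
        # A scope that is a parent of the fleet ID (resource group, subscription,
        # or root) grants the same role on every fleet beneath it.
        if scope != fleet and fleet.startswith(scope + "/"):
            findings.append((who, role, "inherited from broader scope " + a["scope"]))
        if role == FLEET_ROLES[-1]:
            findings.append((who, role, "cluster-admin on hub; confirm it is required"))
    return findings


# Constructed sample input (not real output); all IDs are placeholders.
FLEET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
            "/providers/Microsoft.ContainerService/fleets/fleet-demo")
RG = FLEET_ID.split("/providers/")[0]
SAMPLE = json.dumps([
    {"principalId": "aaaa", "roleDefinitionName": FLEET_ROLES[0], "scope": FLEET_ID},
    {"principalId": "bbbb", "roleDefinitionName": FLEET_ROLES[3], "scope": FLEET_ID},
    {"principalId": "cccc", "roleDefinitionName": FLEET_ROLES[1], "scope": RG},
    {"principalId": "dddd", "roleDefinitionName": "Storage Blob Data Reader", "scope": RG},
])

if __name__ == "__main__":
    for who, role, why in audit_fleet_assignments(json.loads(SAMPLE), FLEET_ID):
        print(f"{who}: {role}: {why}")
```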