Access Fleet hub cluster Kubernetes API
If your Azure Kubernetes Fleet Manager resource was created with the hub cluster enabled, then it can be used to centrally control scenarios like Kubernetes resource propagation. In this article, you learn how to access the Kubernetes API of the hub cluster managed by the Fleet resource.
Prerequisites
If you don't have an Azure trial subscription, create a trial subscription before you begin.
- You need a Fleet resource with a hub cluster and member clusters. If you don't have one, see Create an Azure Kubernetes Fleet Manager resource and join member clusters using Azure CLI.
- The identity (user or service principal) you're using needs to have the Microsoft.ContainerService/fleets/listCredentials/action permission on the Fleet resource.
Access Fleet hub cluster Kubernetes API
Set the following environment variables for your subscription ID, resource group, and Fleet resource:
    export SUBSCRIPTION_ID=<subscription-id>
    export GROUP=<resource-group-name>
    export FLEET=<fleet-name>
Set the default Azure subscription using the az account set command.
    az account set --subscription ${SUBSCRIPTION_ID}
Get the kubeconfig file of the hub cluster Fleet resource using the az fleet get-credentials command.
    az fleet get-credentials --resource-group ${GROUP} --name ${FLEET}
Your output should look similar to the following example output:
Merged "hub" as current context in /home/fleet/.kube/config
Set the following environment variable for the id of the hub cluster Fleet resource:
    export FLEET_ID=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/fleets/${FLEET}
Authorize your identity to the hub cluster Fleet resource's Kubernetes API server using the following commands:
For the ROLE environment variable, you can use one of the following four built-in role definitions as the value:
- Azure Kubernetes Fleet Manager RBAC Reader
- Azure Kubernetes Fleet Manager RBAC Writer
- Azure Kubernetes Fleet Manager RBAC Admin
- Azure Kubernetes Fleet Manager RBAC Cluster Admin
    export IDENTITY=$(az ad signed-in-user show --query "id" --output tsv)
    export ROLE="Azure Kubernetes Fleet Manager RBAC Cluster Admin"
    az role assignment create --role "${ROLE}" --assignee ${IDENTITY} --scope ${FLEET_ID}
Your output should look similar to the following example output:
    {
      "canDelegate": null,
      "condition": null,
      "conditionVersion": null,
      "description": null,
      "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>/providers/Microsoft.Authorization/roleAssignments/<assignment>",
      "name": "<name>",
      "principalId": "<id>",
      "principalType": "User",
      "resourceGroup": "<GROUP>",
      "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
      "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>",
      "type": "Microsoft.Authorization/roleAssignments"
    }
Verify you can access the API server using the kubectl get memberclusters command.
    kubectl get memberclusters
If successful, your output should look similar to the following example output:
    NAME           JOINED   AGE
    aks-member-1   True     2m
    aks-member-2   True     2m
    aks-member-3   True     2m