If your Azure Kubernetes Fleet Manager (Kubernetes Fleet) resource was created with a hub cluster, you can use it to centrally control scenarios like Kubernetes resource propagation. In this article, you learn how to access the Kubernetes API for a Kubernetes Fleet hub cluster.
Prerequisites
- If you don't have an Azure trial subscription, create a trial subscription before you begin.
- You need a Kubernetes Fleet resource with a hub cluster and member clusters. If you don't have one, see Create an Azure Kubernetes Fleet Manager resource and join member clusters by using the Azure CLI.
- The identity (user or service principal) that you're using needs to have Microsoft.ContainerService/fleets/listCredentials/action permissions on the Kubernetes Fleet resource.
Access the Kubernetes API
Set the following environment variables for your subscription ID, resource group, and Kubernetes Fleet resource:
export SUBSCRIPTION_ID=<subscription-id>
export GROUP=<resource-group-name>
export FLEET=<fleet-name>
Set the default Azure subscription by using the az account set command:
az account set --subscription ${SUBSCRIPTION_ID}
Get the kubeconfig file of the Kubernetes Fleet hub cluster by using the az fleet get-credentials command:
az fleet get-credentials --resource-group ${GROUP} --name ${FLEET}
Your output should look similar to the following example:
Merged "hub" as current context in /home/fleet/.kube/config
Set the following environment variable for the FLEET_ID value of the hub cluster's Kubernetes Fleet resource:
export FLEET_ID=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/fleets/${FLEET}
Authorize your identity to access the Kubernetes Fleet hub cluster by using the following commands.
For the ROLE environment variable, you can use one of the following four built-in role definitions as the value:
- Azure Kubernetes Fleet Manager RBAC Reader
- Azure Kubernetes Fleet Manager RBAC Writer
- Azure Kubernetes Fleet Manager RBAC Admin
- Azure Kubernetes Fleet Manager RBAC Cluster Admin
export IDENTITY=$(az ad signed-in-user show --query "id" --output tsv)
export ROLE="Azure Kubernetes Fleet Manager RBAC Cluster Admin"
az role assignment create --role "${ROLE}" --assignee ${IDENTITY} --scope ${FLEET_ID}
Your output should look similar to the following example:
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>/providers/Microsoft.Authorization/roleAssignments/<assignment>",
  "name": "<name>",
  "principalId": "<id>",
  "principalType": "User",
  "resourceGroup": "<GROUP>",
  "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>",
  "type": "Microsoft.Authorization/roleAssignments"
}
Verify that you can access the API server by using the kubectl get memberclusters command:
kubectl get memberclusters
If the command is successful, your output should look similar to the following example:
NAME           JOINED   AGE
aks-member-1   True     2m
aks-member-2   True     2m
aks-member-3   True     2m
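To review who ends up with access after the authorization step, the following added example (not part of the original article or of Microsoft's tooling) checks role assignments on the Kubernetes Fleet resource for the Cluster Admin role and for assignments inherited from a broader scope. It assumes the input is the JSON from az role assignment list --scope "${FLEET_ID}" --include-inherited --output json; the function name, finding labels, and sample data are constructed for illustration.

```python
import json
import sys

# Role definition GUID taken from the sample output above, where the
# assignment was created with the "... RBAC Cluster Admin" role.
CLUSTER_ADMIN_ROLE_GUID = "18ab4d3d-a1bf-4477-8ad9-8359bc988f69"

# Constructed sample data (placeholder IDs), shaped like role assignment JSON.
SAMPLE_FLEET_ID = ("/subscriptions/sub-0/resourceGroups/rg-fleet/providers/"
                   "Microsoft.ContainerService/fleets/fleet-1")
_ROLE_PREFIX = "/subscriptions/sub-0/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE = [
    {"principalId": "user-a", "scope": SAMPLE_FLEET_ID,
     "roleDefinitionId": _ROLE_PREFIX + CLUSTER_ADMIN_ROLE_GUID},
    {"principalId": "sp-b", "scope": "/subscriptions/sub-0/resourceGroups/rg-fleet",
     "roleDefinitionId": _ROLE_PREFIX + "00000000-0000-0000-0000-00000000000b"},
    {"principalId": "user-c", "scope": SAMPLE_FLEET_ID,
     "roleDefinitionId": _ROLE_PREFIX + "00000000-0000-0000-0000-00000000000c"},
]


def audit_assignments(assignments, fleet_id):
    """Return (principalId, finding) pairs for assignments worth reviewing."""
    fleet = fleet_id.rstrip("/").lower()  # Azure resource IDs are case-insensitive
    findings = []
    for a in assignments:
        role_guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if role_guid == CLUSTER_ADMIN_ROLE_GUID:
            findings.append((a["principalId"], "cluster-admin"))
        # With --include-inherited, any scope other than the fleet itself is a
        # parent scope, so the role also applies to resources outside the fleet.
        if a["scope"].rstrip("/").lower() != fleet:
            findings.append((a["principalId"], "inherited-scope"))
    return findings


if __name__ == "__main__":
    # Usage: az role assignment list ... | python audit.py "$FLEET_ID"
    if len(sys.argv) > 1:
        data, fleet_id = json.load(sys.stdin), sys.argv[1]
    else:
        data, fleet_id = SAMPLE, SAMPLE_FLEET_ID
    for principal, finding in audit_assignments(data, fleet_id):
        print(f"{principal}: {finding}")
```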