Add cluster-proxy Service Proxy feature blog post #529
✅ Deploy Preview for open-cluster-management ready!
/assign @qiujian16

/assign @haoqing0110 You can follow steps in this blog to set up a service-proxy enabled cluster-proxy test env.

/hold

/unhold
|
||
| Cluster Proxy is an [OCM addon](https://github.com/open-cluster-management-io/cluster-proxy) that provides L4 network connectivity between hub and managed clusters through a reverse proxy tunnel. In previous versions, accessing services on managed clusters through cluster-proxy required using a specialized Go package, the [konnectivity client](https://github.com/open-cluster-management-io/cluster-proxy/blob/main/examples/test-client.md). | ||
|
|
||
| With the new v0.9.0 release, we've introduced a more convenient approach — "Service Proxy". This feature provides an HTTPS service that allows users to access the kube-apiserver and other services in managed clusters through a specific URL structure. Additionally, it introduces a more user-friendly authentication and authorization mechanism using **Impersonation**, enabling users to authenticate and authorize against the managed cluster's kube-apiserver using their hub user token. |
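Review bot: in the Service Proxy paragraph, "authenticate and authorize against the managed cluster's kube-apiserver using their hub user token" leaves it unclear whether the hub token itself is sent to the managed cluster or whether only the user's identity is presented there through Impersonation. Please add a sentence saying which component validates the hub token and what the managed kube-apiserver actually receives, so readers can tell where the credential travels.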
Do we enable impersonation by default? I am thinking we have a flag so we can disable it.
Good catch! The flag control is now added: open-cluster-management-io/cluster-proxy#245
We can use the flag to disable impersonation and remove all the special permissions added on the clusterrole on both sides. But by default it's true.
|
|
||
| ### Configuring RBAC Permissions | ||
|
|
||
| Next, create a Role and RoleBinding in the `managed` cluster to grant the `test-sa` user permission to list and get pods in the `open-cluster-management-agent` namespace: |
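Review bot: the sentence introducing the Role and RoleBinding calls `test-sa` a "user", while the name reads like a service account. Please state the subject kind (and its namespace, if it is a service account) in the text, so readers know which identity the RoleBinding in the `managed` cluster is expected to name.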
Could we add a note here mentioning that this can be simplified by using cluster permissions?
Yes, content added.
aaad684 to adca33d
…and section hierarchy

- Fix typos and grammar issues throughout the document
- Standardize terminology (Hub/Spoke → hub/managed clusters)
- Improve section structure with better logical flow (Setup → Install → Use)
- Add detailed explanation for GATEWAY_IP configuration
- Fix cluster name inconsistencies (cluster1 → managed)
- Move 'Verifying the Deployment' under 'Installing Cluster Proxy' section
- Rename main usage section for better clarity

These improvements enhance readability and make the tutorial easier to follow.

Signed-off-by: xuezhaojun <zxue@redhat.com>
adca33d to eb12e6f
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, xuezhaojun

The full list of commands accepted by this bot can be found here. The pull request process is described here
fcf1673 into open-cluster-management-io:main
Summary
This PR adds a comprehensive blog post introducing the new Service Proxy feature in cluster-proxy v0.9.0. The post includes a complete setup guide, installation instructions, and practical examples demonstrating how to use the impersonation-based authentication mechanism to access managed cluster resources.
Content Overview
The blog post covers:
Key Features Documented
Writing Quality
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com