ocm (module) v0.13.1
Published: Apr 8, 2024 License: Apache-2.0

README


Welcome! The open-cluster-management.io project is focused on enabling end-to-end visibility and control across your Kubernetes clusters.

The Open Cluster Management (OCM) architecture uses a hub-agent model. The hub centralizes control of all the managed clusters. An agent, which we call the klusterlet, resides on each managed cluster to manage registration to the hub and to run instructions from the hub.


OCM is a Cloud Native Computing Foundation (CNCF) sandbox project.

You can use the clusteradm CLI to bootstrap a control plane for multicluster management. The following diagram illustrates the deployment architecture for OCM:


To set up a multicluster environment with OCM enabled on your local machine, follow the instructions in setup dev environment.

There are a number of key use cases enabled by this project; they are categorized into three sub-projects.

Cluster Lifecycle: Cluster registration and management

OCM has a group of APIs to provide the foundational functions in multiple cluster management.

The journey of cluster management starts with Cluster Registration, which follows a double opt-in protocol to establish an mTLS connection from the agent on the managed cluster (Klusterlet) to the hub (Cluster Manager): the managed cluster must request to join, and the hub must explicitly accept it. After this, users or operands on the hub can declare ManifestWorks, each of which contains a slice of Kubernetes resource manifests to be distributed and applied to a certain managed cluster. To schedule workloads to a certain set of clusters, users can also declare a Placement on the hub to dynamically select a set of clusters matching certain criteria.
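As an added illustration (not taken from the OCM README), here are the hub-side objects behind that flow, written with field names from the OCM API as I know them rather than quoted from this page; the cluster name cluster1, the env=prod label and the ConfigMap are constructed sample values:

```yaml
# Hub side of the double opt-in. The klusterlet has already created this
# ManagedCluster and a CSR using only the bootstrap kubeconfig; an operator
# on the hub approves the CSR and sets hubAcceptsClient (clusteradm accept
# does both). Until then the agent gets no signed client certificate and
# no RBAC in its cluster namespace, so knowing the bootstrap kubeconfig
# alone is not enough to register a cluster.
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  name: cluster1            # constructed sample name
  labels:
    env: prod               # constructed label used by the Placement below
spec:
  hubAcceptsClient: true
---
# A ManifestWork lives in the cluster namespace on the hub (namespace ==
# ManagedCluster name). The work agent on cluster1 pulls it and applies
# every entry of spec.workload.manifests with its own credentials, so the
# RBAC granted to the work agent on the managed cluster is the upper bound
# of what any ManifestWork can do there; the optional spec.executor field
# (checked by the work/spoke/auth code listed under Directories) can pin a
# work to a narrower service account.
apiVersion: work.open-cluster-management.io/v1
kind: ManifestWork
metadata:
  name: sample-config
  namespace: cluster1
spec:
  workload:
    manifests:
    - apiVersion: v1
      kind: ConfigMap
      metadata:
        name: sample-config
        namespace: default
      data:
        message: hello-from-hub   # constructed sample payload
---
# A Placement selects clusters by criteria instead of by name. It only
# considers clusters in ManagedClusterSets that are bound into its
# namespace with a ManagedClusterSetBinding.
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: prod-clusters
  namespace: default
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchLabels:
          env: prod
```

Apply with kubectl against the hub; the Placement's selected clusters appear in PlacementDecision objects that the hub creates in the same namespace.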

In addition, developers can leverage the Addon framework to build their own management tools or to integrate with other open source projects to extend the multicluster management capability. OCM maintains two built-in addons, for application lifecycle and for security governance.

Application Lifecycle: Delivery, upgrade, and configuration of applications on Kubernetes clusters

  • Centrally create, update, and delete Kubernetes clusters across multiple private and public clouds.
  • Automatically deploy applications to specific clusters by subscribing to different workload (resource) channels, such as GitHub, Helm repository, ObjectStore, and resource templates.

The application model defines a Kubernetes-first way of describing the application. Your existing Kubernetes apps or kustomized apps can be adapted with the addition of a few new objects: Channel and Subscription. Changes made to the app are then easily delivered to managed clusters based on the dynamic placement engine. See deploy a helm chart on how to install the application manager addon in OCM and deploy helm charts to multiple clusters.

GRC: Governance, Risk and Compliance across Kubernetes clusters

  • Use prebuilt security and configuration controllers to enforce policies on Kubernetes configuration across your clusters.

Policy controllers allow the declarative expression of a desired condition that can be audited or enforced against a set of managed clusters. Policies allow you to drive cross-cluster configuration or validate that a certain configuration explicitly does not exist.

The following repositories describe the underlying API and controllers for the GRC model:

More external integrations

We are constantly working with other open source projects to make multicluster management easier.

  • Submariner is a project that provides multicluster networking connectivity. Users can benefit from a Submariner addon, which automates the deployment and management of multicluster networking.
  • Clusternet is another project that provides multicluster orchestration; it can be easily plugged into OCM with the clusternet addon.
  • KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable. Note that OCM is also available as a vela addon in KubeVela.

Get connected

See the following options to connect with the community:

Directories

Path, followed by synopsis:

cmd
pkg
registration/hub/addon
    Package addon contains the hub-side controllers for updating addon status and rotating the addon certificate.
registration/hub/clusterrole
    Package clusterrole contains the hub-side reconciler for the clusterrole resource that a ManagedCluster needs.
registration/hub/csr
    Package csr contains the hub-side reconciler for auto-approving the renewal CertificateSigningRequests of an accepted managed cluster.
registration/hub/gc
    Package gc contains the hub-side reconciler that cleans up the finalizer on role/rolebinding in the cluster namespace when a ManagedCluster is being deleted.
registration/hub/lease
    Package lease contains the hub-side controller for checking whether an accepted spoke cluster is available.
registration/hub/managedcluster
    Package managedcluster contains the hub-side reconciler for the ManagedCluster resource.
registration/hub/user
    Package user contains common definitions used for Kubernetes certificates.
registration/spoke
    Package spoke and its subpackages contain the controllers that make up the spoke agent.
registration/spoke/addon
    Package addon contains the managed-cluster-side controllers for updating addon status and registering addons on the hub cluster.
registration/spoke/managedcluster
    Package managedcluster contains the spoke-cluster-side reconciler for the SpokeCluster resource.
registration/webhook
    Package webhook contains the managed cluster admission hooks that mutate and validate ManagedCluster create and update operations.
work/spoke/auth/cache
    Package cache implements a ManifestWork Executor Validator with caching capabilities.
work/webhook
    Package webhook contains the manifestwork admission hook that validates ManifestWork create and update operations.
test
e2e
integration/operator
    Package integration provides integration tests for the open-cluster-management operator. The test cases include:
      • deploy/update/remove the cluster manager
      • deploy/update/remove the klusterlet
integration/registration
    Package integration provides integration tests for open-cluster-management registration. The test cases include:
      • managed cluster joining process
      • managed cluster health check
      • registration agent rotating its certificate after the certificate has expired
      • registration agent recovery from an invalid bootstrap kubeconfig
      • registration agent recovery from an invalid hub kubeconfig
integration/work
    Package integration provides integration tests for open-cluster-management work. The test cases include:
      • create work
      • update work
      • delete work
