Create Position around Management Cluster #8210
Open
corentone wants to merge 4 commits into kubernetes:master from corentone:corentone-mgt-cluster
Commits (4):
f383444 Create management-cluster-position-statement.md (corentone)
90a99eb Update and rename management-cluster-position-statement.md to hub-clu… (corentone)
d0fbe3d Update sig-multicluster/hub-cluster-position-statement.md (corentone)
f5dc455 Update hub-cluster-position-statement.md (corentone)
@@ -0,0 +1,57 @@ | ||
# Hub Cluster - SIG Multicluster Position Statement | ||
|
||
Author: Corentin Debains (**[@corentone](https://github.com/corentone)**), Google | ||
Last Edit: 2025/01/25 | ||
Status: DRAFT | ||
|
||
## Goal | ||
To establish a standard definition for a central cluster that is leveraged by multicluster | ||
controllers to manage multicluster applications or features across an inventory of clusters. | ||
|
||
## Context | ||
Multicluster controllers have always needed a place to run. This may happen in external | ||
proprietary control-planes but for more generic platforms, it has been natural for the | ||
Kubernetes community to leverage a Kubernetes Cluster and the existing api-machinery | ||
available. There has been a variety of examples of which we can quote ArgoCD, MultiKueue, Open Cluster Management | ||
or any of the Federation effort (Karmada, KubeAdmiral), all of them not-naming the "location" | ||
where they run or not aligning on the name (Admin cluster, Management Cluster, Command Cluster, Manager Cluster...). | ||
The [ClusterInventory](https://github.com/kubernetes/enhancements/blob/master/keps/sig-multicluster/4322-cluster-inventory/README.md) | ||
(ClusterProfile CRDs) is also the starting point for a lot of multicluster controllers and, | ||
being a CRD, it requires an api-machinery to host it. The functionality of this cluster is also | ||
defined in separation to what a "workload" cluster does, which is to run the business applications, | ||
when hub runs infrastructure components. | ||
|
||
## Definition | ||
|
||
A (multicluster) hub cluster is a Kubernetes cluster that acts as a | ||
control-plane for other Kubernetes clusters (named Workload [Execution] Clusters to differentiate | ||
them). It MUST have the ClusterProfiles written on it MAY have access to the api, metrics or | ||
workloads of the workload clusters and MAY have administrative privileges over them. It | ||
SHOULD not be part of workload clusters or running as mixed mode (workload and hub) to provide a better | ||
security isolation, especially when it has any administrative privileges over them. | ||
There MAY be multiple hub clusters overseeing the same set of Workload Clusters | ||
and it is left to the administrator to guarantee that they don't compete in their | ||
management tasks. There SHOULD be a single [clusterset](https://multicluster.sigs.k8s.io/api-types/cluster-set/) | ||
managed by a hub cluster. Hub clusters can be used for multicluster controllers relative to platform-running features, | ||
for example: managing the clusters, or application-running features, for example: scheduling business | ||
applications dynamically. | ||
|
||
### Rationale on some specific points of the definition | ||
|
||
* Multiple hub clusters: While it often makes sense to have a single "Brain" overseeing | ||
a Fleet of Clusters, there is a need for flexibility over the number of hub clusters. To | ||
allow redundancy to improve reliability, to allow sharding of responsibility (for regionalized | ||
controllers), to allow for separation of functionality (security-enforcer hub cluster vs | ||
config-delivery hub cluster), to allow for migrations (from old hub cluster to new | ||
hub cluster) and likely more. | ||
* Hub cluster also being part of the workload-running Fleet: We do recommend that the | ||
hub cluster(s) be isolated from the running Workload Fleet for security and hub | ||
concerns. But there may be specific cases or applications that require to mix the two. For example, | ||
controllers that take a "leader-election" approach and want a smaller footprint. | ||
* Application-running features vs platform-running features: Hub clusters can run controllers | ||
that are catering to a "Platform" type of user, effectively using a central cluster to manage other clusters and | ||
other infrastructure. For example, centrally monitoring health of clusters of a clusterset. It can also run | ||
controllers that are helping run business applications globally. For example, having a definition of a multicluster | ||
application and scheduling replicas of the application to the different clusters of the clusterset. | ||
This means that access control to the hub cluster and permissions given to controllers on the hub | ||
clusters must be carefully designed. |
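Review bot: In the Definition section the isolation requirement is written "SHOULD not" while every other keyword in the same paragraph is uppercase ("MUST", "MAY", "SHOULD"); it should read "SHOULD NOT" so the requirement level is unambiguous under RFC 2119 usage. The sentence "It MUST have the ClusterProfiles written on it MAY have access to the api, metrics or workloads of the workload clusters and MAY have administrative privileges over them" is missing a separator between the MUST clause and the MAY clauses and reads as one run-on requirement; splitting it ("It MUST have the ClusterProfiles written on it. It MAY have access to ...") makes clear that hosting the ClusterProfiles is the only hard requirement and that API access and administrative privileges are optional. Because the definition lets a hub hold administrative privileges over workload clusters, and the last bullet of the rationale already states that "access control to the hub cluster and permissions given to controllers on the hub clusters must be carefully designed", consider lifting that into the Definition as a normative statement (for example that controllers granted such privileges SHOULD be scoped to the single clusterset the hub manages), so the security consequence of the MAY is not confined to the rationale. Minor wording in Context: "all of them not-naming the "location"" and "defined in separation to what a "workload" cluster does" would read more naturally as "none of them naming the "location"" and "defined separately from what a "workload" cluster does".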
Is this definition intended to cover what Open Cluster Management does? OCM has its own representation of a workload (execution) cluster, called ManagedCluster.
The goal here is to bind it with ClusterProfile. While we can draw the parallel with OCM, I think both this and ClusterProfile gain at being linked together.