Using cluster‐proxy to trigger VM actions

Jorge Padilla edited this page Sep 12, 2024 · 2 revisions

Use the cluster-proxy add-on to trigger KubeVirt VM actions (list, start, stop, pause, unpause) on managed clusters from the hub, authenticating with a managed service account's token.

Set up the cluster-proxy

  1. Create a ManagedServiceAccount.

    One managed service account is needed per managed cluster. Create it on the hub in the managed cluster's namespace (the namespace named after the cluster, e.g. bare-metal below); the add-on projects the account into the managed cluster and stores its token in a secret of the same name in that hub namespace, which is where the token is read from later.

```shell
# Replace <managed-cluster-namespace> with the managed cluster's namespace on the hub.
oc -n <managed-cluster-namespace> create -f - <<EOF
apiVersion: authentication.open-cluster-management.io/v1beta1
kind: ManagedServiceAccount
metadata:
  name: vm-actor
spec:
  rotation: {}
EOF
```
  2. Create a ManifestWork.

    This configures RBAC on the managed cluster so that the managed service account is authorized to trigger the actions. Create it in the same managed cluster namespace on the hub; the work agent applies the manifests on the managed cluster. Note that start/stop are subresources of virtualmachines while pause/unpause are subresources of virtualmachineinstances, so both appear in the rules. The ClusterRole grants these verbs on every VM in the cluster; if the account only needs to act on VMs in one namespace, a Role and RoleBinding in that namespace is the tighter choice.

```shell
# Replace <managed-cluster-namespace> with the managed cluster's namespace on the hub.
oc -n <managed-cluster-namespace> create -f - <<EOF
apiVersion: work.open-cluster-management.io/v1
kind: ManifestWork
metadata:
  name: vm-actor
spec:
  workload:
    manifests:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: vm-actor
        rules:
          - apiGroups:
              - kubevirt.io
            resources:
              - virtualmachines
              - virtualmachineinstances
            verbs:
              - get
              - list
          - apiGroups:
              - subresources.kubevirt.io
            resources:
              - virtualmachines/stop
              - virtualmachines/start
              - virtualmachineinstances/pause
              - virtualmachineinstances/unpause
            verbs:
              - update
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: vm-actor
        subjects:
          - kind: ServiceAccount
            name: vm-actor
            namespace: open-cluster-management-agent-addon
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: vm-actor
EOF
```

Trigger actions from the hub

Configure the terminal environment

```shell
# Save the hub CA bundle; curl uses it to verify the proxy route instead of --insecure.
oc get configmap kube-root-ca.crt -n open-cluster-management -o=jsonpath='{.data.ca\.crt}' > hub-ca.crt

export MANAGED_CLUSTER=bare-metal
export VM_NAMESPACE=openshift-cnv
export VM_NAME=centos7-gray-owl-35
# Token of the managed service account, read from the secret in the managed cluster's namespace on the hub.
export MANAGED_CLUSTER_TOKEN=$(oc -n ${MANAGED_CLUSTER} get secret vm-actor -o jsonpath='{.data.token}' | base64 -d)
# Proxy URL: the user-facing cluster-proxy route followed by the managed cluster name.
export CLUSTER_PROXY=https://$(oc get route -n multicluster-engine cluster-proxy-addon-user -o=jsonpath='{.spec.host}')/$MANAGED_CLUSTER
```
  1. List VMs

```shell
curl --cacert ./hub-ca.crt $CLUSTER_PROXY/apis/kubevirt.io/v1/namespaces/$VM_NAMESPACE/virtualmachines \
--header "Authorization: Bearer $MANAGED_CLUSTER_TOKEN"
```

  2. Start VM

```shell
curl --cacert ./hub-ca.crt -X PUT \
$CLUSTER_PROXY/apis/subresources.kubevirt.io/v1/namespaces/$VM_NAMESPACE/virtualmachines/$VM_NAME/start \
--header "Authorization: Bearer $MANAGED_CLUSTER_TOKEN"
```

  3. Stop VM

```shell
curl --cacert ./hub-ca.crt -X PUT \
$CLUSTER_PROXY/apis/subresources.kubevirt.io/v1/namespaces/$VM_NAMESPACE/virtualmachines/$VM_NAME/stop \
--header "Authorization: Bearer $MANAGED_CLUSTER_TOKEN"
```

  4. Pause VM

```shell
curl --cacert ./hub-ca.crt -X PUT \
$CLUSTER_PROXY/apis/subresources.kubevirt.io/v1/namespaces/$VM_NAMESPACE/virtualmachineinstances/$VM_NAME/pause \
--header "Authorization: Bearer $MANAGED_CLUSTER_TOKEN"
```

  5. Unpause VM

```shell
curl --cacert ./hub-ca.crt -X PUT \
$CLUSTER_PROXY/apis/subresources.kubevirt.io/v1/namespaces/$VM_NAMESPACE/virtualmachineinstances/$VM_NAME/unpause \
--header "Authorization: Bearer $MANAGED_CLUSTER_TOKEN"
```
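As an added example (not code from this wiki page), the script below wraps the curl calls above in one function and, before issuing an action, asks the managed cluster through a SelfSubjectAccessReview whether the token is allowed to perform it, so a misconfigured ManifestWork shows up as a clear denial rather than a failed PUT. It assumes CLUSTER_PROXY, MANAGED_CLUSTER_TOKEN and ./hub-ca.crt are set up as in the steps above; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the wiki page. Assumes CLUSTER_PROXY,
# MANAGED_CLUSTER_TOKEN and ./hub-ca.crt were set up as in the steps above.
set -eu
# start/stop are subresources of VirtualMachine, pause/unpause of
# VirtualMachineInstance: the same split as the two rules in the ClusterRole.
vm_resource_for() {
  case "$1" in
    start|stop)    echo virtualmachines ;;
    pause|unpause) echo virtualmachineinstances ;;
    *) echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# API path the page's curl commands PUT to, derived from the action.
vm_action_path() {
  local ns="$1" vm="$2" action="$3" resource
  resource=$(vm_resource_for "$action") || return 1
  echo "/apis/subresources.kubevirt.io/v1/namespaces/${ns}/${resource}/${vm}/${action}"
}

# SelfSubjectAccessReview asking "may this token update <resource>/<action> in
# <ns>?"; group/resource/subresource/verb mirror the ClusterRole rule entries.
ssar_body() {
  local ns="$1" action="$2" resource
  resource=$(vm_resource_for "$action") || return 1
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"group":"subresources.kubevirt.io","namespace":"%s","resource":"%s","subresource":"%s","verb":"update"}}}' \
    "$ns" "$resource" "$action"
}

# Review first, then act: returns 2 without touching the VM when the managed
# cluster reports that the token would be denied.
vm_action() {
  local ns="$1" vm="$2" action="$3" path review
  path=$(vm_action_path "$ns" "$vm" "$action") || return 1
  review=$(curl -sS --cacert ./hub-ca.crt -X POST \
    --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}" \
    --header "Content-Type: application/json" \
    --data "$(ssar_body "$ns" "$action")" \
    "${CLUSTER_PROXY}/apis/authorization.k8s.io/v1/selfsubjectaccessreviews")
  if ! printf '%s' "$review" | grep -Eq '"allowed": ?true'; then
    echo "token may not ${action} ${ns}/${vm}: ${review}" >&2
    return 2
  fi
  curl -sS --cacert ./hub-ca.crt -X PUT \
    --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}" \
    "${CLUSTER_PROXY}${path}"
}
# Usage against live clusters: vm_action "$VM_NAMESPACE" "$VM_NAME" start
```

Creating a SelfSubjectAccessReview is permitted to every authenticated principal by default, so the check works even though the ClusterRole above does not mention it.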