Using cluster‐proxy to trigger VM actions
Jorge Padilla edited this page Sep 12, 2024
·
2 revisions
Use the cluster-proxy to trigger actions on VMs in the managed clusters.
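- Create a ManagedServiceAccount.
One ManagedServiceAccount is needed per managed cluster. Create it on the hub, in that cluster's namespace; the token secret is read from that namespace in a later step.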
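# Create the ManagedServiceAccount "vm-actor" on the hub.
# The token secret is later read with `oc -n ${MANAGED_CLUSTER} get secret vm-actor`,
# so this object has to live in the managed cluster's namespace on the hub:
# switch to that project first or add `-n <managed-cluster-namespace>` here.
#
# `rotation: {}` leaves token rotation at the API defaults.
# NOTE(review): confirm the default token validity for your version and set
# spec.rotation.validity explicitly if shorter-lived tokens are wanted.
#
# The heredoc delimiter is quoted because the manifest is literal text; nothing
# in it should be expanded by the shell.
oc create -f - <<'EOF'
apiVersion: authentication.open-cluster-management.io/v1beta1
kind: ManagedServiceAccount
metadata:
  name: vm-actor
spec:
  rotation: {}
EOF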
- Create a ManifestWork.
This configures RBAC on the managed cluster so that the managed service account is authorized to trigger the actions.
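# Create the ManifestWork that installs the RBAC objects on the managed cluster.
# NOTE(review): this object is presumably created in the managed cluster's
# namespace on the hub; confirm the current project or add
# `-n <managed-cluster-namespace>`.
#
# Scope of what is granted: the ClusterRole allows get/list on VMs and VMIs and
# update on the start/stop/pause/unpause subresources, and the
# ClusterRoleBinding applies it cluster-wide, so the vm-actor token can act on
# VMs in every namespace of the managed cluster. If only one namespace should
# be controllable, use a Role and RoleBinding in that namespace instead.
#
# The heredoc delimiter is quoted because the manifest is literal text; nothing
# in it should be expanded by the shell.
oc create -f - <<'EOF'
apiVersion: work.open-cluster-management.io/v1
kind: ManifestWork
metadata:
  name: vm-actor
spec:
  workload:
    manifests:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: vm-actor
        rules:
          - apiGroups:
              - kubevirt.io
            resources:
              - virtualmachines
              - virtualmachineinstances
            verbs:
              - get
              - list
          - apiGroups:
              - subresources.kubevirt.io
            resources:
              - virtualmachines/stop
              - virtualmachines/start
              - virtualmachineinstances/pause
              - virtualmachineinstances/unpause
            verbs:
              - update
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: vm-actor
        subjects:
          - kind: ServiceAccount
            name: vm-actor
            namespace: open-cluster-management-agent-addon
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: vm-actor
EOF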
Configure the terminal environment
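## Save the CA bundle from the hub. curl verifies the cluster-proxy certificate
## against it, so the calls below do not need the --insecure flag.
oc get configmap kube-root-ca.crt -n open-cluster-management -o=jsonpath='{.data.ca\.crt}' > hub-ca.crt

# Example values from this page; replace them with your own cluster, namespace and VM.
export MANAGED_CLUSTER=bare-metal
export VM_NAMESPACE=openshift-cnv
export VM_NAME=centos7-gray-owl-35

# Assign first and export afterwards: `export VAR=$(cmd)` always succeeds and
# would hide a failing command substitution. Expansions are quoted so values
# with unusual characters are not word-split or globbed.
MANAGED_CLUSTER_TOKEN=$(oc -n "${MANAGED_CLUSTER}" get secret vm-actor -o jsonpath='{.data.token}' | base64 -d)
export MANAGED_CLUSTER_TOKEN
# An empty token means the secret was not found (wrong namespace, or the
# ManagedServiceAccount has not been reconciled yet); say so now instead of
# sending an empty bearer header later.
[ -n "${MANAGED_CLUSTER_TOKEN}" ] || echo "token for vm-actor not found in namespace ${MANAGED_CLUSTER}" >&2

# The token is a bearer credential for the managed cluster: do not run this
# with `set -x`, and `unset MANAGED_CLUSTER_TOKEN` when finished.
CLUSTER_PROXY="https://$(oc get route -n multicluster-engine cluster-proxy-addon-user -o=jsonpath='{.spec.host}')/${MANAGED_CLUSTER}"
export CLUSTER_PROXY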
- List VMs
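# List the VirtualMachines in $VM_NAMESPACE through the cluster-proxy.
# The URL is quoted so an empty or space-containing variable cannot split it
# into extra curl arguments.
# The bearer token is passed on the command line, where other local users can
# see it in the process list while curl runs. On shared hosts curl can read the
# header from a file instead (-H @<header-file>, curl 7.55.0+).
curl --cacert ./hub-ca.crt \
  "${CLUSTER_PROXY}/apis/kubevirt.io/v1/namespaces/${VM_NAMESPACE}/virtualmachines" \
  --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}"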
- START VM
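# Start the VM: PUT to the virtualmachines/start subresource.
# The URL is quoted so an empty or space-containing variable cannot split it
# into extra curl arguments.
curl --cacert ./hub-ca.crt -X PUT \
  "${CLUSTER_PROXY}/apis/subresources.kubevirt.io/v1/namespaces/${VM_NAMESPACE}/virtualmachines/${VM_NAME}/start" \
  --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}"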
- STOP VM
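# Stop the VM: PUT to the virtualmachines/stop subresource.
# The URL is quoted so an empty or space-containing variable cannot split it
# into extra curl arguments.
curl --cacert ./hub-ca.crt -X PUT \
  "${CLUSTER_PROXY}/apis/subresources.kubevirt.io/v1/namespaces/${VM_NAMESPACE}/virtualmachines/${VM_NAME}/stop" \
  --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}"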
- PAUSE VM
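# Pause the running instance: PUT to the virtualmachineinstances/pause
# subresource (note this targets the VMI, not the VM object).
# The URL is quoted so an empty or space-containing variable cannot split it
# into extra curl arguments.
curl --cacert ./hub-ca.crt -X PUT \
  "${CLUSTER_PROXY}/apis/subresources.kubevirt.io/v1/namespaces/${VM_NAMESPACE}/virtualmachineinstances/${VM_NAME}/pause" \
  --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}"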
- UNPAUSE VM
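# Unpause the instance: PUT to the virtualmachineinstances/unpause
# subresource (note this targets the VMI, not the VM object).
# The URL is quoted so an empty or space-containing variable cannot split it
# into extra curl arguments.
curl --cacert ./hub-ca.crt -X PUT \
  "${CLUSTER_PROXY}/apis/subresources.kubevirt.io/v1/namespaces/${VM_NAMESPACE}/virtualmachineinstances/${VM_NAME}/unpause" \
  --header "Authorization: Bearer ${MANAGED_CLUSTER_TOKEN}"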