diff --git a/concepts/index.xml b/concepts/index.xml
index 1efbb70d..58ed32b6 100644
--- a/concepts/index.xml
+++ b/concepts/index.xml
@@ -54,7 +54,7 @@ The ManagedClusterSet and ManagedClusterSetBinding API v1beta1 version will no l
ManifestWork
+
@@ -516,7 +513,7 @@ Delete options
manifest will not be updated by it.
Instead of create the second ManifestWork
, user can also set HPA for this deployment. HPA will also take the ownership
of replicas
, and the update of replicas
field in the first ManifestWork
will return conflict condition.
All workload manifests are applied to the managed cluster by the work agent, and by default the work agent has the following permission for the managed cluster:
admin
clusterRole"open-cluster-management.io/aggregate-to-work": "true"
for your to-be-applied
+resources, the rules defined in the clusterRole will be aggregated to the work agent(OCM version >= v0.12.0)klusterlet-work-sa
service accountBelow is an example use ManifestWork to give klusterlet-work-sa
permission for resource machines.cluster.x-k8s.io
apiVersion: work.open-cluster-management.io/v1
+kind: ManifestWork
+metadata:
+ namespace: cluster1
+ name: permission-set
+spec:
+ workload:
+ manifests:
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: open-cluster-management:klusterlet-work:my-role
+ labels:
+ open-cluster-management.io/aggregate-to-work: "true" # with this label, the clusterRole will be selected to aggregate
+ rules:
+ # Allow agent to managed machines
+ - apiGroups: ["cluster.x-k8s.io"]
+ resources: ["machines"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
apiVersion: work.open-cluster-management.io/v1
kind: ManifestWork
metadata:
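Review bot: The added ClusterRole example grants the work agent every write verb on `machines`, including `delete` (the `verbs:` line), and the new text does not say how far that grant reaches. The rules are aggregated to `klusterlet-work-sa`, which applies all workload manifests, so the extra permission is usable by any ManifestWork delivered to that managed cluster, not only `permission-set`. Suggest saying so next to the example and advising readers to list only the verbs their workloads need. Wording nits in the same hunk: `# Allow agent to managed machines` should read "manage", and "Below is an example use ManifestWork" should read "an example of using ManifestWork".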
diff --git a/index.xml b/index.xml
index 34915ced..404de0c6 100644
--- a/index.xml
+++ b/index.xml
@@ -164,7 +164,7 @@ The ManagedClusterSet and ManagedClusterSetBinding API v1beta1 version will no l
Mon, 01 Jan 0001 00:00:00 +0000
https://open-cluster-management.io/concepts/manifestwork/
- What is ManifestWork Status tracking Fine-grained field values tracking Garbage collection Delete options Resource Race and Adoption Permission setting for work agent Treating defaulting/immutable fields in API Dynamic identity authorization What is ManifestWork ManifestWork is used to define a group of Kubernetes resources on the hub to be applied to the managed cluster. In the open-cluster-management project, a ManifestWork resource must be created in the cluster namespace.
+ What is ManifestWork Status tracking Fine-grained field values tracking Garbage collection Delete options Resource Race and Adoption Permission setting for work agent Treating defaulting/immutable fields in API Dynamic identity authorization What is ManifestWork ManifestWork is used to define a group of Kubernetes resources on the hub to be applied to the managed cluster. In the open-cluster-management project, a ManifestWork resource must be created in the cluster namespace.
-
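Review bot: The removed and added description lines in this hunk read identically as shown, so the change to this feed looks whitespace-only. If index.xml is build output, consider regenerating it in a separate commit so the substantive change to the permission section is easier to audit.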
diff --git a/zh/concepts/index.xml b/zh/concepts/index.xml
index 3e10fb67..7913f580 100644
--- a/zh/concepts/index.xml
+++ b/zh/concepts/index.xml
@@ -57,7 +57,7 @@ The ManagedClusterSet and ManagedClusterSetBinding API v1beta1 version will no l
Mon, 01 Jan 0001 00:00:00 +0000
https://open-cluster-management.io/zh/concepts/manifestwork/
- What is ManifestWork Status tracking Fine-grained field values tracking Garbage collection Delete options Resource Race and Adoption Permission setting for work agent Treating defaulting/immutable fields in API Dynamic identity authorization What is ManifestWork ManifestWork is used to define a group of Kubernetes resources on the hub to be applied to the managed cluster. In the open-cluster-management project, a ManifestWork resource must be created in the cluster namespace.
+ What is ManifestWork Status tracking Fine-grained field values tracking Garbage collection Delete options Resource Race and Adoption Permission setting for work agent Treating defaulting/immutable fields in API Dynamic identity authorization What is ManifestWork ManifestWork is used to define a group of Kubernetes resources on the hub to be applied to the managed cluster. In the open-cluster-management project, a ManifestWork resource must be created in the cluster namespace.
-
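Review bot: The `pubDate` context line `Mon, 01 Jan 0001 00:00:00 +0000` is a zero-value date, which suggests the manifestwork page has no date set. This hunk does not introduce it, but since the feed entry is being regenerated anyway, setting a date on the source page would stop feed readers from sorting this item as the oldest entry.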
diff --git a/zh/concepts/manifestwork/index.html b/zh/concepts/manifestwork/index.html
index c0014eda..ea040a44 100644
--- a/zh/concepts/manifestwork/index.html
+++ b/zh/concepts/manifestwork/index.html
@@ -271,10 +271,7 @@
资源下发
Resource Race and Adoption
-
-
- Permission setting for work agent
-
+ - Permission setting for work agent
- Treating defaulting/immutable fields in API
- Dynamic identity authorization
Instead of create the second ManifestWork
, user can also set HPA for this deployment. HPA will also take the ownership
of replicas
, and the update of replicas
field in the first ManifestWork
will return conflict condition.
All workload manifests are applied to the managed cluster by the work agent, and by default the work agent has the following permission for the managed cluster:
admin
clusterRole"open-cluster-management.io/aggregate-to-work": "true"
for your to-be-applied
+resources, the rules defined in the clusterRole will be aggregated to the work agent(OCM version >= v0.12.0)klusterlet-work-sa
service accountBelow is an example use ManifestWork to give klusterlet-work-sa
permission for resource machines.cluster.x-k8s.io
apiVersion: work.open-cluster-management.io/v1
+kind: ManifestWork
+metadata:
+ namespace: cluster1
+ name: permission-set
+spec:
+ workload:
+ manifests:
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: open-cluster-management:klusterlet-work:my-role
+ labels:
+ open-cluster-management.io/aggregate-to-work: "true" # with this label, the clusterRole will be selected to aggregate
+ rules:
+ # Allow agent to managed machines
+ - apiGroups: ["cluster.x-k8s.io"]
+ resources: ["machines"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
apiVersion: work.open-cluster-management.io/v1
kind: ManifestWork
metadata:
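Review bot: The permission section added to this page under `zh/` is entirely in English, including the YAML comment `# with this label, the clusterRole will be selected to aggregate`, while the surrounding context is Chinese (`资源下发`). A procedure that widens the work agent's RBAC is the part readers most need to understand exactly, so either translate the section or mark it as pending translation with a link to the English page.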
diff --git a/zh/index.xml b/zh/index.xml
index 87bf7224..a9a91298 100644
--- a/zh/index.xml
+++ b/zh/index.xml
@@ -166,7 +166,7 @@ The ManagedClusterSet and ManagedClusterSetBinding API v1beta1 version will no l
Mon, 01 Jan 0001 00:00:00 +0000
https://open-cluster-management.io/zh/concepts/manifestwork/
- What is ManifestWork Status tracking Fine-grained field values tracking Garbage collection Delete options Resource Race and Adoption Permission setting for work agent Treating defaulting/immutable fields in API Dynamic identity authorization What is ManifestWork ManifestWork is used to define a group of Kubernetes resources on the hub to be applied to the managed cluster. In the open-cluster-management project, a ManifestWork resource must be created in the cluster namespace.
+ What is ManifestWork Status tracking Fine-grained field values tracking Garbage collection Delete options Resource Race and Adoption Permission setting for work agent Treating defaulting/immutable fields in API Dynamic identity authorization What is ManifestWork ManifestWork is used to define a group of Kubernetes resources on the hub to be applied to the managed cluster. In the open-cluster-management project, a ManifestWork resource must be created in the cluster namespace.
-