6-9

Untitled-1

@@ -8,4 +8,7 @@ export CLUSTERPOOL_SIZE=3
 export CLUSTERPOOL_NAME=server-foundation-aws
 # AWS Specific
 export CLUSTERPOOL_AWS_REGION=us-east-1
-export CLUSTERPOOL_AWS_BASE_DOMAIN=dev04.red-chesterfield.com
+export CLUSTERPOOL_AWS_BASE_DOMAIN=dev04.red-chesterfield.com
+
+
+

demo copy.md → demo 510.md

@@ -1,7 +1,51 @@
-## Demo:
-I will demo the rbac prototype about clusterset managedclusters and clusterpool
-we define three Persona: cluster-admin(gurney) team-admin(le jian) team-user(dangpeng)
-we use gurney as cluster-admin, le and jian is team-admin, dangpeng is team-user
+I will show the new RBAC model around managedcluster
+
+The previous RBAC model is hard to understand, for managedclusters there are two sets of permissions that the user needs. 
+A cluster role-binding to the ManagedCluster resource itself, a namespace role-binding to the cluster namespace. It is possible for a user to have either or both assignments. 
+This leads to complexity in understanding what each pattern means.
+
+So, in this epic, we simplify the rbac model around mangedcluster, Reduce the complexity, and Handle permission of clusterpool/claim/clusterdeployment
+
+Next, I will show the demo, In this demo, I defined some Persona, Gurney as cluster-admin, and a server-foundation team , In the team, we have three members, Le and jian are team-admin
+Dangpeng is team view. team-admin can create/get/update/delete resources. and team-view can only view resource.
+
+Let's see the demo video.
+
+
+
+
+
+That's all for new rbac model around managedcluster, then liuwei will demo Leverage the ManagedClusterAddon API to deploy Submariner
+
+
+
+
+
+
+
+
+In this clusterrole, we have two lables, one for clusterset, another one is role, user can filter the clusterroles by these labels.
+
+
+
+
+[Note] Then for team-admin, if he want to create managedcluster and clusterdeployment, he must set the clusterset label. if not, the create request will be denied. lets try to create a managedcluster and clusterdeploment which has no set label. and it will fail
+
+
+In this scario, we create a mangaecluster and use clusterdeployment to provision a managedcluster.
+
+Then we will demo to use clusterpool and clusterclaim to provision clusters.
+Firstlly, gurney need to create a project for clusterpool and clusterclaim.
+
+
+
+[Note] after clusterclaim and clusterdeployment created, we will add the clusterset lable to clusterclaim and clusterdeployment, and claim and clusterdeployment will be added to this set.
+
+Then let's use other team member to access the clusterpool
+
+
+
+
 
 
 
@@ -14,44 +58,53 @@ oc create -f cluster-admin/managedclusterset.yaml --as gurney
 [Note] after the clusterset created, we will create two clusterrole, clusterset admin, clusterset view
 
 kubectl get clusterrole| grep server-foundation-clusterset
+
 kubectl get clusterrole open-cluster-management:managedclusterset:admin:server-foundation-clusterset -oyaml
+In this clusterrole, we have two lables, one for clusterset, another one is role, user can filter the clusterroles by these labels.
 
-In this clusterrole, we have two lables, one for clusterset, another for role, user can filter the roles by these labels.
 
 ## Cluster-admin Grant permission to team
 oc adm policy add-cluster-role-to-user open-cluster-management:managedclusterset:admin:server-foundation-clusterset le jian --as gurney
 oc adm policy add-cluster-role-to-user open-cluster-management:managedclusterset:view:server-foundation-clusterset dangpeng --as gurney
 
 
+
+
+
 ## team-admin create cluster
-[Note] Then for team-admin, if he want to create managedcluster, he must set the clusterset label. if not,  the create request will be denied. lets try to create a managedcluster which has no set label. and it will fail
+[Note] Then for team-admin, if he want to create managedcluster and clusterdeployment, he must set the clusterset label. if not, the create request will be denied. lets try to create a managedcluster and clusterdeploment which has no set label. and it will fail
+
+cat team-admin/managedcluster-nolabel.yaml
+oc create -f team-admin/managedcluster-nolabel.yaml --as le
+
+cat team-admin/managedcluster-label.yaml
+oc create -f team-admin/managedcluster-label.yaml --as le
+
 
-cat team-admin/cluster-nolabel.yaml
-oc create -f team-admin/cluster-nolabel.yaml --as le
 
-cat team-admin/cluster-label.yaml
-oc create -f team-admin/cluster-label.yaml --as le
+cat team-admin/clusterdeployment-label.yaml
+oc create -f team-admin/clusterdeployment-label.yaml --as le
+
 
 ######################################## view
 ### another team-admin edit managedcluster
 oc get managedclusters.clusterview --as jian
 oc annotate managedclusters managedcluster1 testupdate1=l1 --as jian
+oc get project --as jian
+oc get clusterdeployment -n managedcluster1 --as jian
 
-oc get managedclusters.clusterview --as dangpeng
-oc annotate managedclusters managedcluster1 testupdate2=l1 --as dangpeng
 
 
-oc get project --as jian
+oc get managedclusters.clusterview --as dangpeng
+oc annotate managedclusters managedcluster1 testupdate2=l1 --as dangpeng
 oc get project --as dangpeng
-oc get clusterdeployment -n managedcluster1 --as jian
 oc get clusterdeployment -n managedcluster1 --as dangpeng
 
 
 In this scario, we create a mangaecluster and use clusterdeployment to provision a managedcluster.
 
 
 
-
 Then we will demo to use clusterpool and clusterclaim to provision clusters.
 Firstlly, gurney need to create a project for clusterpool and clusterclaim.
 
@@ -63,8 +116,8 @@ oc adm policy add-role-to-user admin  --namespace  server-foundation-clusterpool
 
 
 ## team-admin create Clusterpool 
-#oc create secret generic server-foundation-aws-creds -n server-foundation-clusterpool --from-literal=aws_access_key_id=${AWS_ACCESS_KEY_ID} --from-literal=aws_secret_access_key=${AWS_SECRET_ACCESS_KEY} --as le
-#oc create secret generic server-foundation-ocp-pull-secret --from-file=.dockerconfigjson=team-admin/clusterpool/pull-secret.txt --type=kubernetes.io/dockerconfigjson -n server-foundation-clusterpool --as le
+oc create secret generic server-foundation-aws-creds -n server-foundation-clusterpool --from-literal=aws_access_key_id=${AWS_ACCESS_KEY_ID} --from-literal=aws_secret_access_key=${AWS_SECRET_ACCESS_KEY} --as le
+oc create secret generic server-foundation-ocp-pull-secret --from-file=.dockerconfigjson=team-admin/clusterpool/pull-secret.txt --type=kubernetes.io/dockerconfigjson -n server-foundation-clusterpool --as le
 
 
 cat team-admin/clusterpool/clusterpool-label.yaml
@@ -77,22 +130,23 @@ cat team-admin/clusterpool/clustercliam.yaml
 oc create -f team-admin/clusterpool/clustercliam.yaml --as le
 
 
-[Note] after clusterclaim and clusterdeployment created, we will add the clusterset lable to clusterclaim and clusterdeployment, and claim and clusterdeployment will be added to this set. so clusterset admin and clusterset view will has permission to access them.
+[Note] after clusterclaim and clusterdeployment created, we will add the clusterset lable to clusterclaim and clusterdeployment, and claim and clusterdeployment will be added to this set.
 
 Then let's use other team member to access the clusterpool
 
 
 
 ## another team-admin get clusterdeployment
 oc get clusterpool -n server-foundation-clusterpool --as jian
-oc get clusterpool -n server-foundation-clusterpool --as dangpeng
-oc label clusterpool -n server-foundation-clusterpool  ocp46-aws-clusterpool testlabel=a1 --as jian
-oc label clusterpool -n server-foundation-clusterpool  ocp46-aws-clusterpool testlabel1=a2 --as dangpeng
-
 oc get clusterclaim.hive.openshift.io -n server-foundation-clusterpool --as jian
-oc get clusterclaim.hive.openshift.io -n server-foundation-clusterpool --as dangpeng
-
 oc get project --as jian
+
+
+oc get clusterdeployment --all-namespaces
+
+
+oc get clusterpool -n server-foundation-clusterpool --as dangpeng
+oc get clusterclaim.hive.openshift.io -n server-foundation-clusterpool --as dangpeng
 oc get project --as dangpeng
 
 
@@ -106,6 +160,9 @@ oc get project --as dangpeng
 
 
 
+
+
+
 kubectl delete -f cluster-admin/managedclusterset.yaml
 kubectl delete -f team-admin/managedcluster-label.yaml
 kubectl delete clusterrolebinding open-cluster-management:managedclusterset:admin:server-foundation-clusterset open-cluster-management:managedclusterset:view:server-foundation-clusterset

demo.md

@@ -22,9 +22,6 @@ oc adm policy add-cluster-role-to-user open-cluster-management:managedclusterset
 ##//oc adm policy add-cluster-role-to-user self-provisioner le jian --as gurney
 
 
-
-
-
 ## team-admin create cluster
 [Note] Then for team-admin, if he want to create managedcluster, he must set the clusterset label. if not,  the create request will be denied. lets try to create a managedcluster which has no set label. and it will fail
 

kcp

@@ -0,0 +1,26 @@
+Our intention is that our experiments improve Kubernetes for everyone, by improving CRDs and scaling resource watching, and enabling more, better controllers for everyone, whether you're using Kubernetes as a container orchestrator or not.
+
+
+
+    kcp, which serves a Kubernetes-style API with a minimum of built-in types.
+    cluster-controller, which along with the Cluster CRD allows kcp to connect to other full-featured Kubernetes clusters, and includes these components:
+        syncer, which runs on Kubernetes clusters registered with the cluster-controller, and watches kcp for resources assigned to the cluster
+        deployment-splitter, which demonstrates a controller that can split a Deployment object into multiple "virtual Deployment" objects across multiple clusters.
+        crd-puller which demonstrates mirroring CRDs from a cluster back to kcp
+
+
+
+Multi-Cluster Kubernetes?
+
+kcp could be useful for multi-cluster scenarios, by running kcp as a control plane outside of any of your workload clusters.
+Multi-Tenant Kubernetes?
+
+kcp could be useful for multi-tenancy scenarios, by allowing multiple tenant clusters inside a cluster to be managed by a single kcp control plane.
+Local Kubernetes Development?
+
+kcp could be useful for local development scenarios, where you don't necessarily care about all of Kubernetes' many built-in resources and their reconciling controllers.
+Embedded/low-resource scenarios?
+
+kcp could be useful for environments where resources are scarce, by limiting the number of controllers that need to run. Kubernetes' asynchronous reconciliation pattern can also be very powerful in disconnected or intermittently connected environments, regardless of how workloads actually run.
+
+

rbac-video.md

@@ -0,0 +1,50 @@
+# I will show the RBAC around managedClusterset.
+I will have a demo for that. 
+In the demo, we define some persona, gurney, he is cluster-admin, 
+and we have a team, server-foundation, in this team, we have three members, le,jian,dangpeng,
+le and jian are team-admin, dangpeng is team-view. we will use these persona to login to ocp and acm-ui to explain the rbac around mangedclusters.
+
+
+
+1. let's login to OCM ui as gurney,
+and , let's create a managedclusterset named server-foundation-clusterset, it's used for server-foundation team
+
+then, 
+2. let's switch to ocp ui as gurney.
+3. we have define two group server-foundation-admin server-foundation-view
+
+in server-foundation-admin, there are two users, le-taem-admin, jian-team-admin
+in server-foundation-view there is one user, dangpeng-team-view
+
+
+then, let's create some clusterrolr-binding to grant managedclusterset permission to server-foundation team.
+1. for each managedclusterset, we will auto generate two clusterrole, one for managedclusterset admin, another is manageclusterset view.
+
+1. we need to give the server-foundation-admin group server-foundation-clusterset admin permission
+2. let's give server-foundation-vewi group server-foundation-clusterset view permission
+
+for each team-admin, they should provision cluster by them selves. so we should give the self-provisioner permission to server-foubdaiton-admin group.
+
+
+
+# let's login to openshift ui as le-team-admin, then create a project named "server-foundation"
+
+then login to ocm ui as le-team-admin and provision some clusters.
+
+1. let's create a managedcluster managedcluster1, as non-cluster-admin, he must select managedclusterset, or the create request will fail.
+2. let's create a clusterpool named "server-foundation-clusterpool", same as mangedclusters, he must select managedclusterset.
+3.  then he can claim the clusterpool.
+4.  in clusterset, we can see these resources.
+
+
+
+
+# login to ocm ui as jian-team-admin
+1. he also has admin permissions to the resources which created by le-team-admin.
+2. let's try to add one label for mangaedcluster1
+3. let's try to add a lable for clusterpool.
+
+
+# login to ocm ui as dangpeng-team-view
+1. he has view permissions to the resources which created by le-team-admin.
+2. he can see these resources, but he can not update it. 

rbac.md

@@ -0,0 +1,89 @@
+# RBAC model around ManagedClusterset in Red Hat Advanced Cluster Management for Kubernetes
+
+In this blog, we introduce the RBAC model around managedclusterset in Red Hat Advanced Cluster Management for Kubernetes that is availabel in version 2.3. 
+
+[Red Hat Advanced Cluster Management for Kubernetes](https://www.redhat.com/en/technologies/management/advanced-cluster-management) provides end-to-end visibility and control to manage your Kubernetes clusters, and controls your application lifecycle across the hybrid clouds. There are a couple of resources defined in Red Hat Advanced Cluster Management for Kubernetes, like managedclusterset, managedcluster, clusterpool, clusterclaim, clusterdeployment.
+
+some resources has direct relationship, but the permissions could be segregate. it will cause confuse.
+currentlly, when a managedcluster created, we will auto create a cluster namespace, many resources can be created in this ns. for a user, he can be grant permission to the mangedcluster and ns separatelly. it will cause confuse for each model.
+
+same as clusterpool, clustercalim, clusterdeployment.
+if clusteradmin want to give permission to these resources, he must create rolebinding to these resources one by one. it is complex.
+
+So we use managedclusterset to solve this problem. 
+
+
+## Managedclusterset:
+ManagedClusterSet resources allow the grouping of cluster related resources, which enables role-based access control management across all of the resources in the group.
+
+the following resources can be add to set by set label "a=b".
+|  Resource Type   |  ResourceGroup   |   Description  |
+|  ----  | ----  |  --- |
+| ManagedClusterset  |  | we define it as a resource group. administrator can set permission to it. 
+| ManagedCluster  |  | can be add to managedclusterset 
+| Resources in ManagedCluster Namespace ||
+| ClusterDeployment||
+| Clusterpool||
+| ClusterClaim||
+
+ManagedClusters/clusterdeployment... can be add to managedclusterset by set label:...
+
+
+When clusterset created, we will auto create two clusterrole for this clusterset, one is clusterset admin, another is view.
+
+ClusterRole:
+clusterset-admin
+clusterset-view
+
+user could have clusterset admin or view permission by bind admin or view role. with this role, user will also have admin/view permission to resources which list in up tables wich has this clusterset label. 
+
+# expect action
+we define three role for env. and list some expect action on them.
+
+
+## cluster-admin
+has all administrator permissions for OCM resources. 
+1.  should create clusterset for each team, 
+2. give team-admin and team-view permissions for this set. 
+3. give self-provisioner permission to team admin, so he can provison cluster by himself.
+
+## As team-admin
+1. could create project, 
+2. could create a new cluster in cloud providers, or import an existing cluster.
+3. could create a clusterpool and claim the cluster in this pool
+4. could access the clusterpool's cluster.
+5. could get/update/delete all clusters/clusterpool/clustercliams in the set.
+
+## As team-view
+1. could get all clusters/clusterpool/clustercliams in the set.
+2. could not update/delete/ clusters/clusterpool/clustercliams in the set.
+
+
+
+# Best practice:
+scenarios: 
+
+cluster-admin: gurney
+team: server-foundation
+server-foundation team admin: le, jian
+server-foundation team view: dang
+
+
+## Gurney:
+1. create a managedclusterset, bind the admin permission to server-foundation-admin, bind the view permission to server-foundation-view
+2. create a project(server-foundation) for server-foundation team. bind the admin permission to server-foundation-admin.
+
+Notes: cluster-admin can also give the self-provisioner permissions to server-foundation team-admin, then the team-admin can create it by themselves.
+
+## Le:
+ 1. create a managedclusters c1
+ 2. create a clusterpool
+ 3. create a clusterclaim
+
+## jian:
+1. can get/update/delete managedclusters
+2. can  get/update/delete clusterpool
+3. can get/update/delete  clusterclaim
+
+### dang:
+1. can view ...