RemoteKubernetesCluster¶

Introduction¶

The cluster-scoped RemoteKubernetesCluster resource provides an abstraction layer for managing resources in a remote Kubernetes cluster.

It allows users to define and interact with a separate Kubernetes environment, distinct from the cluster where the resource is created.
This is particularly useful in scenarios that require centralized management of ScyllaDB clusters distributed across multiple geographic regions.

Example¶

1apiVersion: scylla.scylladb.com/v1alpha1
2kind: RemoteKubernetesCluster
3metadata:
4    name: dev-us-east-1
5spec:
6  kubeconfigSecretRef:
7    name: dev-us-east-1
8    namespace: remotekubernetescluster-credentials

Remote authorization methods¶

Secret¶

This authorization method relies on a Secret containing credentials to a remote Kubernetes cluster in the kubeconfig format.
The user associated with these credentials must have the scylladb:controller:operator-remote ClusterRole bound. The name and namespace of this Secret are referenced in the spec of the corresponding RemoteKubernetesCluster resource.

Example:

Caution

While token-based authentication is the easiest to configure, the use of long-lived tokens is discouraged due to security risks.
For improved security, consider using alternative authentication methods outlined in the Kubernetes documentation:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Currently, RemoteKubernetesCluster requires unconditional access to all Secrets and ConfigMaps across all namespaces in the remote cluster. Please note the security implications of this limitation.

 1apiVersion: v1
 2kind: Secret
 3metadata:
 4  name: dev-us-east-1
 5  namespace: remotekubernetescluster-credentials
 6type: Opaque
 7stringData:
 8  kubeconfig: |
 9    apiVersion: v1
10    kind: Config
11    clusters:
12      - cluster:
13          certificate-authority-data: <kube-apiserver-ca-bundle>
14          server: <kube-apiserver-address>
15        name: dev-us-east-1
16    contexts:
17      - context:
18          cluster: dev-us-east-1
19          user: dev-us-east-1
20        name: dev-us-east-1
21    current-context: dev-us-east-1
22    users:
23      - name: dev-us-east-1
24        user:
25          token: <token-having-remote-operator-cluster-role>

Status¶

Since the RemoteKubernetesCluster specification must authenticate with a remote Kubernetes cluster, it is important to carefully verify that the configured credentials are valid. RemoteKubernetesCluster resources include standard aggregated conditions, which provide an easy way to confirm whether the configuration and connection were successful:

$ kubectl wait --for='condition=Progressing=False' remotekubernetesclusters.scylla.scylladb.com/example
remotekubernetesclusters.scylla.scylladb.com/example condition met

$ kubectl wait --for='condition=Degraded=False' remotekubernetesclusters.scylla.scylladb.com/example
remotekubernetesclusters.scylla.scylladb.com/example condition met

$ kubectl wait --for='condition=Available=True' remotekubernetesclusters.scylla.scylladb.com/example
remotekubernetesclusters.scylla.scylladb.com/example condition met