karmada `kubectl karmada join` does not support `--context --as --as-group`

What would you like to be added: support for these 3 flags

Why is this needed: otherwise I need to setup a special context and use-context to be able to use join

Mar 11 '24 21:03 grosser

For the --context, karmadactl(same as kubectl karmada) provides the two flags to specify the context for both karmada and member cluster:

    --cluster-context='':
	Name of cluster context in kubeconfig. The current context is used by default.
    --karmada-context='':
	The name of the kubeconfig context to use

Given karmadatl join might need two kubeconfigs, just one --context might be misleading as it can't represent which kubeconfig it applies to.

Please let us know if the two flags meet your needs. Maybe I didn't understand your use case yet.

Mar 12 '24 01:03 RainbowMango

For the --as and --as-group, I guess you mean the two flags in kubectl:

    --as='':
	Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

    --as-group=[]:
	Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

I'd like to hear more details about the use case if you don't mind. We also need to consider which kubeconfig the two flags will be applied.

Mar 12 '24 01:03 RainbowMango

I'd need to impersonate admin on the host cluster, so --cluster-as

Mar 12 '24 01:03 grosser

hmmm no the host cluster would be --karmada-as :)

Mar 12 '24 01:03 grosser

Yes, --karmada-as and --karmada-as-group are sounds good to me. cc @XiShanYongYe-Chang What do you think?

Mar 12 '24 01:03 RainbowMango

These two flags look good, but I don't understand one thing. Why do you need to use impersonate to join a cluster in Karmada?

Mar 12 '24 02:03 XiShanYongYe-Chang

I need to be cluster admin to join the cluster, our default context is read-only.

On Mon, Mar 11, 2024, 7:18 PM Chang @.***> wrote:

These two flags look good, but I don't understand one thing. Why do you need to use impersonate to join a cluster in Karmada?

— Reply to this email directly, view it on GitHub https://github.com/karmada-io/karmada/issues/4695#issuecomment-1989831087, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAACYZ4LLXPBVSLK725ZHNTYXZQW3AVCNFSM6AAAAABERCJRJOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOBZHAZTCMBYG4 . You are receiving this because you authored the thread.Message ID: @.***>

Mar 12 '24 02:03 grosser

I need to be cluster admin to join the cluster, our default context is read-only.

Is this safe? Should the admin user be the one to join the cluster?

Mar 12 '24 02:03 XiShanYongYe-Chang

It needs to be the admin user since the read-only user can't do it. We do the same ATM by adding a new context first and then use use-context.

On Mon, Mar 11, 2024, 7:26 PM Chang @.***> wrote:

I need to be cluster admin to join the cluster, our default context is read-only.

Is this safe? Should the admin user be the one to join the cluster?

— Reply to this email directly, view it on GitHub https://github.com/karmada-io/karmada/issues/4695#issuecomment-1989852591, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAACYZ4L3KNGCCEBPO452OLYXZRWRAVCNFSM6AAAAABERCJRJOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOBZHA2TENJZGE . You are receiving this because you authored the thread.Message ID: @.***>

Mar 12 '24 02:03 grosser

It needs to be the admin user since the read-only user can't do it.

So you need to have the read-only user act as the admin user to join the cluster, is that correct?

We do the same ATM by adding a new context first and then use use-context.

Sorry, I didn't quite understand that sentence. Can you explain it a little more?

Mar 12 '24 03:03 XiShanYongYe-Chang

A: yes B: atm we make define a foo-admin context that connects to the same user that we otherwise want to assume, so I think with --as support things should just work

Mar 12 '24 04:03 grosser

Thanks~ Would you like to contribute?

Mar 12 '24 08:03 XiShanYongYe-Chang

I can give it a try

Mar 12 '24 15:03 grosser

kindly ping @grosser are you still working on this? Do you need any help?

May 29 '24 09:05 RainbowMango

ah sry never got around to it 😞 best don't add a milestone, I'll give it another try when I find some time

May 29 '24 14:05 grosser

no rush, take your time :)

May 30 '24 01:05 RainbowMango

https://github.com/karmada-io/karmada/pull/5016 for the --karmada-as-* flags ... getting the context set was more complicated so leaving that for another PR

Jun 02 '24 19:06 grosser

getting the context set was more complicated so leaving that for another PR

Is it possible to submit them in one PR? Currently, only the flag is submitted, and there is no corresponding processing logic. I'm afraid that they are not in the same version, which may cause misunderstanding to the user.

Jun 03 '24 02:06 XiShanYongYe-Chang

the PR adds the --as-* and sets them on the client, I though that would do the trick ? (context flag + setting it on the client can be a standalone PR)

Jun 03 '24 03:06 grosser

In favor of #5016 /assign @grosser

the PR adds the --as-* and sets them on the client, I though that would do the trick ?

Hi @grosser, I think it will be ok, have you tested with the PR?

Jun 17 '24 08:06 XiShanYongYe-Chang

Thanks @grosser ~ You have completed the tasks in this issue. Let me close this issue. Feel free to re-open this issue if you need any help. /close

Jul 12 '24 07:07 XiShanYongYe-Chang

@XiShanYongYe-Chang: Closing this issue.

In response to this:

Thanks @grosser ~ You have completed the tasks in this issue. Let me close this issue. Feel free to re-open this issue if you need any help. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Jul 12 '24 07:07 karmada-bot