karmada-io / karmada

Open, Multi-Cloud, Multi-Cluster Kubernetes Orchestration
https://karmada.io
Apache License 2.0

Command `karmadactl --operation-scope members` Fails in Operator-Installed Karmada #5571

Open chaosi-zju opened 1 hour ago

chaosi-zju commented 1 hour ago

What happened:

I have a Karmada control plane installed by karmada-operator, and it has joined a member cluster (member1). When I execute the command `karmadactl --operation-scope members`, it failed with the following error message:

```console
$ karmadactl --karmada-context karmada-apiserver get deploy --operation-scope members
error: cluster(member1) is inaccessible, please check authorization or network
```

What you expected to happen:

The result should be like this:

```console
$ karmadactl --karmada-context karmada-apiserver get deploy --operation-scope members
NAME    CLUSTER   READY   UP-TO-DATE   AVAILABLE   AGE   ADOPTION
nginx   member1   1/1     1            1           10m   Y
```

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Referring to other installation methods, the operator missed two RBAC configs:

cluster-proxy-admin

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2024-09-19T08:22:24Z"
  labels:
    karmada.io/system: "true"
  name: cluster-proxy-admin
  resourceVersion: "282"
  uid: 1561fe60-eec6-405d-a981-0a9ca417c09d
rules:
- apiGroups:
  - cluster.karmada.io
  resources:
  - clusters/proxy
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-09-19T08:22:24Z"
  labels:
    karmada.io/system: "true"
  name: cluster-proxy-admin
  resourceVersion: "283"
  uid: ddebc2b0-2ead-4fca-bf8e-40d6634b5d8f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-proxy-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:admin
```

When these two RBAC configs are applied to Karmada, the issue is gone.

Environment:

chaosi-zju commented 1 hour ago

/assign chaosi-zju

cc @zhzhuang-zju please help confirm that this is indeed a problem.

zhzhuang-zju commented 50 minutes ago

> Referring to other installation methods, the operator missed two RBAC configs:

Without these two RBAC configurations, the user system:admin will not have permission to access cluster.karmada.io. As a result, the kubeconfig used by karmadactl will not be able to access member clusters. I think this is an omission during the installation of the Karmada instance by the Karmada operator. Do you have any ideas to resolve this?

chaosi-zju commented 16 minutes ago

Yes, I raised a PR https://github.com/karmada-io/karmada/pull/5572 to resolve it.
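
An added example (not part of the issue thread or Karmada's code): a minimal Python model of Kubernetes RBAC rule matching, showing why `system:admin` is denied on the `clusters/proxy` subresource until the two objects quoted in the issue exist, and which subjects then hold that grant. The `example-cluster-reader` role, its binding and all function names are constructed for illustration.

```python
# Trimmed copies of the two objects quoted in the issue (server-set metadata dropped).
PROXY_ROLE = {"kind": "ClusterRole", "metadata": {"name": "cluster-proxy-admin"},
              "rules": [{"apiGroups": ["cluster.karmada.io"],
                         "resources": ["clusters/proxy"], "verbs": ["*"]}]}
PROXY_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-proxy-admin"},
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-proxy-admin"},
                 "subjects": [{"kind": "User", "name": "system:admin"}]}
# Constructed for contrast (not from the issue): access to `clusters` without the subresource.
READER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "example-cluster-reader"},
               "rules": [{"apiGroups": ["cluster.karmada.io"],
                          "resources": ["clusters"], "verbs": ["get", "list"]}]}
READER_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "example-cluster-reader"},
                  "roleRef": {"kind": "ClusterRole", "name": "example-cluster-reader"},
                  "subjects": [{"kind": "User", "name": "system:admin"}]}

def resource_matches(rule_res, resource, sub):
    """Kubernetes RBAC resource matching: a rule on `clusters` does not cover `clusters/proxy`."""
    wanted = f"{resource}/{sub}" if sub else resource
    return rule_res in ("*", wanted) or (bool(sub) and rule_res == f"*/{sub}")

def rule_allows(rule, verb, group, resource, sub=""):
    return (any(v in ("*", verb) for v in rule.get("verbs", []))
            and any(g in ("*", group) for g in rule.get("apiGroups", []))
            and any(resource_matches(r, resource, sub) for r in rule.get("resources", [])))

def grants(objects, verb, group, resource, sub=""):
    """Yield (binding name, subject) for every ClusterRoleBinding that grants the request."""
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    for b in (o for o in objects if o["kind"] == "ClusterRoleBinding"):
        role = roles.get(b["roleRef"]["name"], {})
        if any(rule_allows(r, verb, group, resource, sub) for r in role.get("rules", [])):
            for s in b.get("subjects", []):
                yield b["metadata"]["name"], (s["kind"], s["name"])

def can_i(objects, user, verb, group, resource, sub="", groups=()):
    """True if the user (or one of their groups) is bound to a role allowing the request."""
    allowed = {("User", user)} | {("Group", g) for g in groups}
    return any(subj in allowed for _, subj in grants(objects, verb, group, resource, sub))

if __name__ == "__main__":
    req = ("get", "cluster.karmada.io", "clusters", "proxy")
    before = [READER_ROLE, READER_BINDING]                 # constructed: no clusters/proxy rule
    after = before + [PROXY_ROLE, PROXY_BINDING]           # with the two objects from the issue
    print("before:", can_i(before, "system:admin", *req))  # False
    print("after: ", can_i(after, "system:admin", *req))   # True
    print("who can proxy:", sorted(set(grants(after, *req))))
```

The binding gives `system:admin` every verb on `clusters/proxy`, so running `grants` over a full RBAC export is a quick way to see which other subjects hold the same access.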