paralus / paralus

All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs.
https://www.paralus.io/
Apache License 2.0

feat: Cluster discovery #220

Open lukasmrtvy opened 1 year ago

lukasmrtvy commented 1 year ago

Briefly describe the feature

What problem does this feature solve? Please link any relevant documentation or Issues

(optional) What is your current workaround?

none

akshay196 commented 1 year ago

@lukasmrtvy Thanks for creating the issue. Can you please add more information such as use cases of cluster discovery, different user stories if any, why/when we need this feature, and the benefits of this feature? Also I am wondering how cluster discovery can be helpful for CAPI managed clusters.

akshay196 commented 10 months ago

@lukasmrtvy Hey, we would like to know more about your use cases and requirements. How would an organization or community benefit from having this feature?

lukasmrtvy commented 10 months ago

Hi. In organizations where workload clusters are created/managed in a central management cluster via Cluster-API, Rancher, Gardener, etc. (each workload cluster's admin kubeconfig is also generated there, in the form of a K8s Secret), it makes sense to also run Paralus as a central access manager; Paralus would thus benefit from discovering workload clusters automatically via Kubernetes Secrets (kubeconfigs).

This could probably be done with https://github.com/flant/shell-operator and the API endpoint for adding workload clusters ( https://www.paralus.io/blog/kind-quickstart#importing-an-existing-cluster ).

Also with https://github.com/external-secrets/external-secrets, where the kubeconfig could be pushed to an external secret store and pulled/synced into the Paralus cluster.

Geethree commented 4 days ago

Generally speaking, I follow the same setup: I use Cluster API to declaratively spin up and manage around 120 clusters across all hyperscalers and a pile of tier-1 cloud providers. It is growing every day.

Currently, I have some infrastructure that I've created to help manage this, but I believe in the power of the collective whole to asymptotically approach a better solution over time than my in-house tooling.

As such, it would be excellent to find a path to allow Cluster API managed clusters to be auto-discovered by Paralus in some fashion.

Currently, to pull clusters into Argo CD I have a Kyverno policy that mutates the Cluster API generated secret into an Argo CD cluster secret, which can then be picked up by Argo CD.
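As an added illustration of the secret-to-cluster approach described in this thread (this is not code from the issue, from Paralus, or from the commenter; it is an example written for this page), below is a Kyverno ClusterPolicy that generates an Argo CD cluster Secret from a Cluster API kubeconfig Secret. It assumes the usual Cluster API conventions (a Secret named `<cluster>-kubeconfig`, typed `cluster.x-k8s.io/secret`, labelled `cluster.x-k8s.io/cluster-name`, with the kubeconfig under `data.value`), an Argo CD install in the `argocd` namespace, and Kyverno's `base64_decode` and `parse_yaml` JMESPath functions; all of those are assumptions, not facts stated in the thread.

```yaml
# Added example, not from the issue thread or the Paralus project.
# Assumptions: Cluster API kubeconfig Secret conventions, Argo CD in the
# "argocd" namespace, Kyverno with base64_decode/parse_yaml JMESPath support.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: capi-kubeconfig-to-argocd-cluster
spec:
  rules:
    - name: generate-argocd-cluster-secret
      match:
        any:
          - resources:
              kinds:
                - Secret
              selector:
                matchExpressions:
                  - key: cluster.x-k8s.io/cluster-name
                    operator: Exists
      preconditions:
        all:
          # Only the kubeconfig Secret; the CA/etcd/SA Secrets carry the same
          # cluster-name label and type but a different name suffix.
          - key: "{{ request.object.type }}"
            operator: Equals
            value: cluster.x-k8s.io/secret
          - key: "{{ request.object.metadata.name }}"
            operator: Equals
            value: '{{ request.object.metadata.labels."cluster.x-k8s.io/cluster-name" }}-kubeconfig'
      context:
        - name: clusterName
          variable:
            jmesPath: request.object.metadata.labels."cluster.x-k8s.io/cluster-name"
        - name: kubeconfig
          variable:
            # Decode the embedded kubeconfig once so its fields can be addressed below.
            jmesPath: base64_decode(request.object.data.value) | parse_yaml(@)
      generate:
        apiVersion: v1
        kind: Secret
        name: "capi-{{ clusterName }}"
        namespace: argocd
        # Re-render when the source kubeconfig is rotated and remove the
        # generated Secret when the Cluster API Secret is deleted.
        synchronize: true
        data:
          type: Opaque
          metadata:
            labels:
              argocd.argoproj.io/secret-type: cluster
          stringData:
            name: "{{ clusterName }}"
            server: "{{ kubeconfig.clusters[0].cluster.server }}"
            # Client-certificate auth is carried over as-is; the CA is pinned and
            # TLS verification stays enabled for the Argo CD -> workload hop.
            config: |
              {
                "tlsClientConfig": {
                  "insecure": false,
                  "caData": "{{ kubeconfig.clusters[0].cluster."certificate-authority-data" }}",
                  "certData": "{{ kubeconfig.users[0].user."client-certificate-data" }}",
                  "keyData": "{{ kubeconfig.users[0].user."client-key-data" }}"
                }
              }
```

Two points worth checking before relying on a policy like this: the generated Secret holds a full admin credential for the workload cluster, so the `argocd` namespace needs the same RBAC restrictions as the Cluster API namespace it mirrors, and the `config` block assumes client-certificate auth, so kubeconfigs that use token or exec-based auth (as some managed-Kubernetes providers emit) need a different `tlsClientConfig`/`bearerToken` shape.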