Managing clusters via ACM

[tumido]

Tracking issue for learning the ropes of ACM.

• Provisioning clusters
• Resizing clusters: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.1/html/manage_cluster/resizing-a-cluster
• Attaching clusters to our ArgoCD
• Declarative management
• RBAC

[tumido]

Provisioning clusters

1. create "provider connection" credentials
2. create cluster instance

All in UI, declarative management is possible. The provider connection translates to a secret in selected namespace, we can map it to ArgoCD.

Creating a cluster creates a new namespace on the management (hub) cluster. This new namespace is named the same as the cluster (beware of reusing a name of an existing namespace for the cluster, I have no idea how that would behave).

This new namespace contains some secrets which contains (among others):

• kubeadmin:password
• kubeconfig

It takes about 30 mins to install and prepare a cluster.

[tumido]

RBAC

ACM has quite granular, though complicated RBAC
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.1/html/security/security#overview-of-roles

We currently have few cluster-admins, though we might need to expand this and allow people to manage/view certain clusters. The complication in this is due to the namespace ~ cluster mapping on the hub cluster. For user to view a certain cluster it requires him to be given a cluster role + namespace access.

[tumido]

Policy

We'll need to define policies if we want to go multi-cluster. I imagine we can have common policies for clusters running ODH, for Kubeflow clusters etc..

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.1/html/security/security#governance-and-risk

Samples available at the policy catalog (including community policies), might be a good inspiration for us.
https://github.com/open-cluster-management/policy-collection