Merge pull request #744 from zhzhuang-zju/controllers
update configure-controller.md
karmada-bot authored Nov 27, 2024
2 parents 669bf93 + 351bfc1 commit 1e152b2
Showing 2 changed files with 6 additions and 8 deletions.
9 changes: 4 additions & 5 deletions docs/administrator/configuration/configure-controllers.md
Expand Up @@ -12,7 +12,7 @@ The controllers are embedded into components of `karmada-controller-manager` or
along with components startup. Some controllers may be shared by `karmada-controller-manager` and `karmada-agent`.

| Controller | In karmada-controller-manager | In karmada-agent |
|--------------------------------------|-------------------------------|------------------------|
| ------------------------------------ | ----------------------------- | ---------------------- |
| cluster | Y | N |
| clusterStatus | Y | Y |
| binding | Y | N |
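Review bot: the table separator row is reformatted from `|-----...|` to `| ----- |` with no change in content, which is unrelated to documenting the new controller. If this came from an editor or formatter on save, consider reverting it or splitting it into its own commit so this diff shows only the `agentcsrapproving` changes; the Chinese file's two additions in this commit do not include the same reformatting, so the two tables now differ in style.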
Expand All @@ -38,6 +38,7 @@ along with components startup. Some controllers may be shared by `karmada-contro
| endpointsliceDispatch | Y | N |
| remedy | Y | N |
| workloadRebalancer | Y | N |
| agentcsrapproving | Y | N |

### Configure Karmada Controllers

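Review bot: the added `agentcsrapproving` row is the only place this controller is introduced, and nothing in the visible changes describes what it does or on what basis it approves a CSR. A later hunk in this file drops the `csrapproving` paragraph and names `agentcsrapproving` in its place, so add a short entry for it (which requests it handles and what it checks before approving) so operators can judge what a registering agent is allowed to obtain.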
Expand Down Expand Up @@ -166,17 +167,15 @@ More details please refer to:
- [bootstrap tokens overview](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#bootstrap-tokens-overview)
- [enabling bootstrap token authentication](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#enabling-bootstrap-token-authentication)

#### csrapproving, csrcleaner, csrsigning
#### csrcleaner, csrsigning

The controllers runs as part of `kube-controller-manager`.

The `csrapproving` controller uses the [SubjectAccessReview API](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access) to determine if a given user is authorized to request a CSR, then approves based on the authorization outcome.

The `csrcleaner` controller clears expired csr periodically.

The `csrsigning` controller signs the certificate using Karmada root CA.

> Note: these controllers currently are used to register member clusters with PULL mode by `karmadactl register`.
> Note: the `csrcleaner` and `csrsigning` controllers collaborate with the `agentcsrapproving` controller, which runs in the karmada-controller-manager, to facilitate the registration of member clusters in Pull mode using `karmadactl register`.
More details please refer to:
- [csr approval](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#approval)
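Review bot: removing the `csrapproving` paragraph leaves this section with no statement of how a registration CSR is authorized. The replacement note names `agentcsrapproving` but not its approval criteria, while the retained `csr approval` link still points at the kubelet TLS bootstrapping page, which a reader may take to describe the Karmada controller. Suggest one sentence on what `agentcsrapproving` verifies before approving, or a link to its own documentation. While touching this section, "The controllers runs as part of" should read "These controllers run as part of".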
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Karmada 维护了一系列包含控制循环的控制器,它们监视系统状
| endpointsliceDispatch |||
| remedy |||
| workloadRebalancer |||
| agentcsrapproving |||

### 配置 Karmada 控制器

Expand Down Expand Up @@ -167,13 +168,11 @@ TTL 计时器在 Job 完成时启动,并且在 TTL 到期后将清理已完成

这些控制器作为 `kube-controller-manager` 的一部分运行。

`csrapproving` 控制器使用 [SubjectAccessReview API](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access) 确定给定用户是否被授权请求 CSR,并根据授权结果批准。

`csrcleaner` 控制器定期清除过期的 csr。

`csrsigning` 控制器使用 Karmada 根证书签署证书。

> 注意:此控制器目前用于由 `karmadactl register` 注册成员集群的 PULL 模式
> 注意:`csrcleaner``csrsigning` 控制器与在 karmada-controller-manager 中运行的 `agentcsrapproving` 控制器协作,协助 `karmadactl register` 来完成 PULL 模式集群的注册
有关详细信息,请参考:
- [csr approval](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#approval)
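Review bot: the English file's matching hunk renames the section heading to `#### csrcleaner, csrsigning`, but this hunk contains no heading change (the file's two additions are the table row and the note). If the Chinese heading above this hunk still lists `csrapproving`, it needs the same update, otherwise the section title advertises a controller the body no longer describes. Also, in the new note the two names appear run together as `csrcleaner``csrsigning` with no separator between the code spans; add one so both render as distinct controller names.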