You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+28Lines changed: 28 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -306,6 +306,12 @@ The Metrics Operator can monitor both the cluster it's deployed in and remote cl
306
306
307
307
This remote cluster access resource can be used by `Metric` and `ManagedMetric` resources to monitor resources in the remote cluster.
308
308
309
+
You can configure access to a remote cluster in one of two ways:
310
+
311
+
1. Access via Service Account Token (recommended for in-cluster or service mesh setups)
312
+
313
+
Use this method if you want the operator to assume a service account in the remote cluster using projected tokens and cluster credentials. This allows for dynamic access for clusters using an OIDC provider.
`clusterSecretRef` must point to a Kubernetes Secret on the same cluster running `the metrics-operator` and contains:
330
+
- `host`: API server endpoint of the remote cluster
331
+
- `caData`: CA bundle of the remote cluster API (base64-encoded)
332
+
- `audience`: Token audience to use when projecting the service account token
333
+
334
+
You will also need to setup the required [RBAC configuration](#rbac-configuration) for the service account on the remote clusters. The RBAC configuration should allow the service account to monitor the resources defined in your `Metric` resources and use the proper service account name for remote access.
323
335
336
+
2. Access via Kubeconfig Secret
337
+
Use this method if you already have a kubeconfig for the remote cluster and want to provide it directly.
338
+
339
+
```yaml
340
+
apiVersion: metrics.openmcp.cloud/v1alpha1
341
+
kind: RemoteClusterAccess
342
+
metadata:
343
+
name: remote-cluster
344
+
namespace: <monitoring-namespace>
345
+
spec:
346
+
kubeConfigSecretRef:
347
+
name: remote-kubeconfig-secret
348
+
namespace: <secret-namespace>
349
+
key: kubeconfig
350
+
```
351
+
`kubeConfigSecretRef`points to a Kubernetes Secret that includes a valid kubeconfig under the specified `key`.
0 commit comments