Skip to main content
Version: 3.17 (latest)

Remote cluster configuration

A remote cluster configuration resource (RemoteClusterConfiguration) represents a cluster in a federation of clusters. Each remote cluster needs a configuration to be specified to allow the local cluster to access resources on the remote cluster. The connection is one-way: the information flows only from the remote to the local cluster. To share information from the local cluster to the remote one a remote cluster configuration resource must be created on the remote cluster.

A remote cluster configuration causes Typha and calicoq to retrieve the following resources from a remote cluster:

When using the Kubernetes API datastore with RBAC enabled on the remote cluster, the RBAC rules must be configured to allow access to these resources.

For more details on the federation feature refer to the Overview.

For the meaning of the fields matches the configuration used for configuring calicoctl, see Kubernetes datastore instructions for more details.

This resource is not supported in kubectl.

Sample YAML

For a remote Kubernetes datastore cluster:

kind: RemoteClusterConfiguration
name: cluster1
datastoreType: kubernetes
kubeconfig: /etc/tigera-federation-remotecluster/kubeconfig-rem-cluster-1

For a remote etcdv3 cluster:

kind: RemoteClusterConfiguration
name: cluster1
datastoreType: etcdv3
etcdEndpoints: ','

RemoteClusterConfiguration Definition


FieldDescriptionAccepted ValuesSchema
nameThe name of this remote cluster configuration.Lower-case alphanumeric with optional -string


FieldSecret keyDescriptionAccepted ValuesSchemaDefault
clusterAccessSecretReference to a Secret that contains connection informationKubernetes ObjectReferencenone
datastoreTypedatastoreTypeThe datastore type of the remote cluster.etcdv3 kubernetesstringnone
etcdEndpointsetcdEndpointsA comma separated list of etcd endpoints.stringnone
etcdUsernameetcdUsernameUsername for RBAC.stringnone
etcdPasswordetcdPasswordPassword for the given username.stringnone
etcdKeyFileetcdKeyPath to the etcd key file.stringnone
etcdCertFileetcdCertPath to the etcd certificate file.stringnone
etcdCACertFileetcdCACertPath to the etcd CA certificate file.stringnone
kubeconfigkubeconfigLocation of the kubeconfig file.stringnone
k8sAPIEndpointLocation of the kubernetes API server.stringnone
k8sKeyFileLocation of a client key for accessing the Kubernetes API.stringnone
k8sCertFileLocation of a client certificate for accessing the Kubernetes API.stringnone
k8sCAFileLocation of a CA certificate.stringnone
k8sAPITokenToken to be used for accessing the Kubernetes API.stringnone

When using the clusterAccessSecret field, all other fields in the RemoteClusterconfiguration resource must be empty. When the clusterAccessSecret reference is used, all datastore configuration will be read from the referenced Secret using the "Secret key" fields named in the above table as the data key in the Secret. The fields read from a Secret that were file path or locations in a RemoteClusterConfiguration will be expected to be the file contents when read from a Secret.

All of the fields that start with etcd are only valid when the DatastoreType is etcdv3 and the fields that start with k8s or kube are only valid when the datastore type is kubernetes. The kubeconfig field and the fields that end with File must be accessible to Typha and calicoq, this does not apply when the data is coming from a Secret referenced by clusterAccessSecret.

When the DatastoreType is kubernetes, the kubeconfig file is optional but since it can contain all of the authentication information needed to access the Kubernetes API server it is generally easier to use than setting all the individual k8s fields. The other kubernetes fields can be used by themselves though or to override specific kubeconfig values.

Supported operations

Datastore typeCreate/DeleteUpdateGet/ListNotes
Kubernetes API serverYesYesYes