Failed to proxy to member clusters with Karmada deployed by karmada-operator

[chaosi-zju]

What happened:

I have a karmada control plane installed by karmada-operator and it has joined a member cluster (member1). When I execute the command karmadactl --operation-scope members, it failed with following error message:

$ karmadactl --karmada-context karmada-apiserver get deploy --operation-scope members                                                                                                     
error: cluster(member1) is inaccessible, please check authorization or network

What you expected to happen:

The result should be like this:

$ karmadactl --karmada-context karmada-apiserver get deploy --operation-scope members
NAME    CLUSTER   READY   UP-TO-DATE   AVAILABLE   AGE   ADOPTION
nginx   member1   1/1     1            1           10m   Y

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Refer to other installation method, operator missed two rbac config:

cluster-proxy-admin

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2024-09-19T08:22:24Z"
  labels:
    karmada.io/system: "true"
  name: cluster-proxy-admin
  resourceVersion: "282"
  uid: 1561fe60-eec6-405d-a981-0a9ca417c09d
rules:
- apiGroups:
  - cluster.karmada.io
  resources:
  - clusters/proxy
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-09-19T08:22:24Z"
  labels:
    karmada.io/system: "true"
  name: cluster-proxy-admin
  resourceVersion: "283"
  uid: ddebc2b0-2ead-4fca-bf8e-40d6634b5d8f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-proxy-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:admin

when this two rbac config applied to karmada, the issue gone.

Environment:

• Karmada version:
• kubectl-karmada or karmadactl version (the result of kubectl-karmada version or karmadactl version):
• Others:

[chaosi-zju]

/assign chaosi-zju

cc @zhzhuang-zju please help confirm that this is indeed a problem.

[zhzhuang-zju]

Refer to other installation method, operator missed two rbac config:

Without these two RBAC configurations, the user system:admin will not have permission to access cluster.karmada.io. As a result, the kubeconfig used by karmadactl will not be able to access member clusters.
I think this is an omission during the installation of the Karmada instance by the Karmada operator. Do you have any ideas to resolve this?

[chaosi-zju]

yes, I raised a PR #5572 to resolve it

[RainbowMango]

/retitle Failed to proxy to member clusters with Karmada deployed by karmada-operator