Applies to: ✔️ Fleet Manager with hub cluster
If your Azure Kubernetes Fleet Manager (Kubernetes Fleet) resource was created with a hub cluster, you can use it to centrally control scenarios like Kubernetes resource propagation. In this article, you learn how to access the Kubernetes API for a Kubernetes Fleet hub cluster.
Before you begin
- If you don't have an Azure account, create a free account before you begin.
- You need a Kubernetes Fleet resource with a hub cluster and member clusters. If you don't have one, see Create an Azure Kubernetes Fleet Manager resource and join member clusters by using the Azure CLI.
- The identity (user or service principal) that you're using needs to have Microsoft.ContainerService/fleets/listCredentials/action permissions on the Kubernetes Fleet resource.
If your Azure Kubernetes Fleet Manager (Kubernetes Fleet) resource was created with a private hub cluster, you can use it to centrally control scenarios like Kubernetes resource propagation. In this article, you learn how to access the Kubernetes API for a private Kubernetes Fleet hub cluster securely using Azure Bastion's native client tunneling feature.
Using Azure Bastion protects your private hub cluster from exposing endpoints to the outside world, while still providing secure access. For more information, see What is Azure Bastion?
Before you begin
- If you don't have an Azure account, create a free account before you begin.
- You need a Kubernetes Fleet resource with a hub cluster and member clusters. If you don't have one, see Create an Azure Kubernetes Fleet Manager resource and join member clusters by using the Azure CLI.
- You need a virtual network with the Bastion host already installed.
- Ensure that you have set up an Azure Bastion host for the virtual network in which the Fleet Manager is located. To set up an Azure Bastion host, see Quickstart: Deploy Bastion with default settings.
- The Bastion must be Standard or Premium SKU and have native client support enabled under configuration settings.
- The identity (user or service principal) that you're using needs to have:
  - Microsoft.ContainerService/fleets/listCredentials/action permissions on the Kubernetes Fleet resource.
  - Microsoft.Network/bastionHosts/read on the Bastion resource.
  - Microsoft.Network/virtualNetworks/read on the virtual network of the private hub cluster.
Access the Kubernetes API
1. Set the following environment variables for your subscription ID, resource group, and Kubernetes Fleet resource:
   export SUBSCRIPTION_ID=<subscription-id>
   export GROUP=<resource-group-name>
   export FLEET=<fleet-name>
2. Set the default Azure subscription by using the az account set command:
   az account set --subscription ${SUBSCRIPTION_ID}
3. Get the kubeconfig file of the Kubernetes Fleet hub cluster by using the az fleet get-credentials command:
   az fleet get-credentials --resource-group ${GROUP} --name ${FLEET}
   Your output should look similar to the following example:
   Merged "hub" as current context in /home/fleet/.kube/config
4. Set the following environment variable for the FLEET_ID value of the hub cluster's Kubernetes Fleet resource:
   export FLEET_ID=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/fleets/${FLEET}
5. Authorize your identity to access the Kubernetes Fleet hub cluster by using the following commands. For the ROLE environment variable, you can use one of the following four built-in role definitions as the value:
   - Azure Kubernetes Fleet Manager RBAC Reader
   - Azure Kubernetes Fleet Manager RBAC Writer
   - Azure Kubernetes Fleet Manager RBAC Admin
   - Azure Kubernetes Fleet Manager RBAC Cluster Admin
   export IDENTITY=$(az ad signed-in-user show --query "id" --output tsv)
   export ROLE="Azure Kubernetes Fleet Manager RBAC Cluster Admin"
   az role assignment create --role "${ROLE}" --assignee ${IDENTITY} --scope ${FLEET_ID}
   Your output should look similar to the following example:
   {
     "canDelegate": null,
     "condition": null,
     "conditionVersion": null,
     "description": null,
     "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>/providers/Microsoft.Authorization/roleAssignments/<assignment>",
     "name": "<name>",
     "principalId": "<id>",
     "principalType": "User",
     "resourceGroup": "<GROUP>",
     "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
     "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/fleets/<FLEET>",
     "type": "Microsoft.Authorization/roleAssignments"
   }
6. Verify that you can access the API server by using the kubectl get memberclusters command:
   kubectl get memberclusters
   If the command is successful, your output should look similar to the following example:
   NAME           JOINED   AGE
   aks-member-1   True     2m
   aks-member-2   True     2m
   aks-member-3   True     2m
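As an added example (this is not Microsoft's code and is not part of the original article), the following Python script checks the outputs of the role-assignment and kubectl commands above before you start relying on hub access. It rebuilds the FLEET_ID scope string the same way the export does, confirms that the assignment returned by az role assignment create is bound to the identity you intended and scoped to the single fleet resource rather than to a resource group or subscription, notes when the Cluster Admin role was granted so you can consider one of the narrower built-in roles, and parses the kubectl get memberclusters table to list members whose JOINED column is not True. The sample inputs are constructed here from the article's sample output; the role definition GUID is the one the article shows for the Cluster Admin role, and the fourth, unjoined member cluster is invented for the demonstration.

```python
"""Post-checks for hub-cluster access (added example, not Microsoft's code)."""
import json

FLEET_PROVIDER = "Microsoft.ContainerService/fleets"
# Role definition GUID shown in the article's sample output when ROLE was
# "Azure Kubernetes Fleet Manager RBAC Cluster Admin".
CLUSTER_ADMIN_ROLE_ID = "18ab4d3d-a1bf-4477-8ad9-8359bc988f69"


def fleet_scope(subscription_id, group, fleet):
    """Build the FLEET_ID scope string exactly as the article's export does."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{group}"
            f"/providers/{FLEET_PROVIDER}/{fleet}")


def check_role_assignment(assignment_json, expected_scope, expected_principal):
    """Inspect the JSON printed by `az role assignment create`.

    Returns (errors, notes). `errors` is empty when the assignment is scoped to
    the fleet resource itself and bound to the identity we meant to authorize;
    `notes` flags a Cluster Admin grant as worth a second look."""
    a = json.loads(assignment_json)
    errors, notes = [], []
    scope = a.get("scope") or ""
    # ARM resource IDs are case-insensitive, so compare lowercased.
    if scope.lower() != expected_scope.lower():
        errors.append(f"scope {scope!r} is not the fleet resource {expected_scope!r}")
    if a.get("principalId") != expected_principal:
        errors.append(f"principalId {a.get('principalId')!r} is not the identity you authorized")
    role_guid = (a.get("roleDefinitionId") or "").rsplit("/", 1)[-1].lower()
    if role_guid == CLUSTER_ADMIN_ROLE_ID:
        notes.append("role is RBAC Cluster Admin; check whether Reader, Writer or Admin would suffice")
    return errors, notes


def unjoined_members(kubectl_table):
    """Parse `kubectl get memberclusters` output; return names not yet JOINED."""
    lines = [ln for ln in kubectl_table.splitlines() if ln.strip()]
    header = lines[0].split()
    name_idx, joined_idx = header.index("NAME"), header.index("JOINED")
    return [row.split()[name_idx] for row in lines[1:]
            if row.split()[joined_idx] != "True"]


# Constructed sample: the article's role assignment output, keeping the same
# placeholders the article uses for the real IDs.
SAMPLE_SCOPE = fleet_scope("<SUBSCRIPTION_ID>", "<GROUP>", "<FLEET>")
ROLE_DEF_ID = ("/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization"
               f"/roleDefinitions/{CLUSTER_ADMIN_ROLE_ID}")
SAMPLE_ASSIGNMENT = json.dumps({
    "principalId": "<id>",
    "principalType": "User",
    "roleDefinitionId": ROLE_DEF_ID,
    "scope": SAMPLE_SCOPE,
    "type": "Microsoft.Authorization/roleAssignments",
})
# Constructed counter-example: the same role granted at resource-group scope,
# which would cover every fleet in the group instead of just this one.
BROAD_ASSIGNMENT = json.dumps({
    "principalId": "<id>",
    "principalType": "User",
    "roleDefinitionId": ROLE_DEF_ID,
    "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>",
    "type": "Microsoft.Authorization/roleAssignments",
})
# Constructed kubectl table: the article's three members plus one (invented)
# member that has not finished joining.
SAMPLE_MEMBERS = """\
NAME           JOINED   AGE
aks-member-1   True     2m
aks-member-2   True     2m
aks-member-3   True     2m
aks-member-4   False    10s
"""

if __name__ == "__main__":
    for label, payload in (("fleet-scoped", SAMPLE_ASSIGNMENT), ("rg-scoped", BROAD_ASSIGNMENT)):
        errors, notes = check_role_assignment(payload, SAMPLE_SCOPE, "<id>")
        print(label, "errors:", errors, "notes:", notes)
    print("not joined:", unjoined_members(SAMPLE_MEMBERS))
```

To use it against real output, pipe `az role assignment create ... --output json` and `kubectl get memberclusters` into the two functions with your own SUBSCRIPTION_ID, GROUP, FLEET and IDENTITY values; a non-empty errors list means the grant did not land where the article intends it to.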
Open the tunnel to your private Fleet Manager's hub cluster:
export HUB_CLUSTER_ID=<hub-cluster-id-in-FL_resourceGroup>
az network bastion tunnel --name <BastionName> --resource-group ${GROUP} --target-resource-id ${HUB_CLUSTER_ID} --resource-port 443 --port <LocalMachinePort>
In a new terminal window, connect to the hub cluster through the Bastion tunnel and verify API server access:
kubectl get memberclusters --server=https://localhost:<LocalMachinePort>
If the command is successful, your output should look similar to the following example:
NAME           JOINED   AGE
aks-member-1   True     2m
aks-member-2   True     2m
aks-member-3   True     2m
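As an added example (not Microsoft's code and not part of the original article), the following Python function complements the --server flag above by adding a dedicated kubeconfig context for the Bastion tunnel. It copies the hub's certificate-authority-data into a new cluster entry whose server is https://localhost:<LocalMachinePort> and sets the kubeconfig's tls-server-name field to the hub's real host name, so kubectl keeps verifying the API server certificate over the tunnel instead of needing insecure-skip-tls-verify; the original hub context is left untouched. It assumes the context is named "hub", as in the article's merge message. The sample kubeconfig, its hub.example.invalid host name and the CA placeholder are constructed for the demonstration, and the user entry omits the Azure AD exec plugin that az fleet get-credentials writes into the real file (load your real ~/.kube/config with PyYAML's yaml.safe_load to pass it in).

```python
"""Add a Bastion-tunnel context to a kubeconfig (added example, not Microsoft's code)."""
import copy
import json
from urllib.parse import urlsplit


def add_tunnel_context(kubeconfig, context_name, local_port, new_context="hub-bastion"):
    """Return a deep copy of `kubeconfig` (a parsed kubeconfig mapping) with an
    extra cluster and context that reach the hub through the local tunnel port.

    The hub's CA bundle is reused and tls-server-name is pinned to the hub's
    real host name, so certificate verification still passes even though the
    URL now says localhost. The existing context and current-context are kept."""
    cfg = copy.deepcopy(kubeconfig)
    ctx = next(c for c in cfg["contexts"] if c["name"] == context_name)
    cluster_name = ctx["context"]["cluster"]
    hub = next(c for c in cfg["clusters"] if c["name"] == cluster_name)["cluster"]
    hub_host = urlsplit(hub["server"]).hostname
    if any(c["name"] == new_context for c in cfg["clusters"] + cfg["contexts"]):
        raise ValueError(f"{new_context!r} already exists in this kubeconfig")
    cfg["clusters"].append({"name": new_context, "cluster": {
        "server": f"https://localhost:{int(local_port)}",
        "certificate-authority-data": hub["certificate-authority-data"],
        "tls-server-name": hub_host,  # keeps TLS verification intact over the tunnel
    }})
    cfg["contexts"].append({"name": new_context, "context": {
        "cluster": new_context,
        "user": ctx["context"]["user"],  # same Azure AD user entry as the hub context
    }})
    return cfg


def write_kubeconfig(cfg, path):
    """Write the config as JSON, which kubectl's kubeconfig loader accepts."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)


# Constructed minimal kubeconfig standing in for the one az fleet get-credentials
# merges into ~/.kube/config. Host name and CA data are placeholders.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "hub",
    "clusters": [{"name": "hub", "cluster": {
        "server": "https://hub.example.invalid:443",
        "certificate-authority-data": "PLACEHOLDER_BASE64_CA",
    }}],
    "contexts": [{"name": "hub", "context": {"cluster": "hub", "user": "clusterUser_hub"}}],
    # The real entry carries an exec plugin for Azure AD sign-in; omitted here.
    "users": [{"name": "clusterUser_hub", "user": {}}],
}

if __name__ == "__main__":
    tunnel_cfg = add_tunnel_context(SAMPLE_KUBECONFIG, "hub", 8443)
    write_kubeconfig(tunnel_cfg, "hub-bastion.kubeconfig.json")
    print(json.dumps(tunnel_cfg["clusters"][-1], indent=2))
```

With the tunnel open, run `KUBECONFIG=hub-bastion.kubeconfig.json kubectl --context hub-bastion get memberclusters`; because the tunnel lives in its own context, a plain `kubectl` in another shell still targets the hub's real endpoint and nothing has been weakened in the default context.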
Related content
Azure Kubernetes Service