Import Standard Kubernetes Cluster

Use this procedure to import an existing standard Kubernetes cluster, such as a cluster deployed with kubeadm, as a third-party cluster.

Terminology Prerequisites Notes Obtain Registry Address Check if Extra Registry Config is Needed Get Cluster Info Integrate Cluster Network Configuration Post-import Configuration FAQ Why is the "Add Node" button disabled?Which certificates are supported?Which features are unsupported?How to fix Containerd runtime causing distributed storage deployment failures?

Terminology

Term	Description
Provider-managed Kubernetes service	A Kubernetes service where the provider owns the control plane nodes and control plane components. Users usually cannot log in to or directly maintain the control plane nodes.
Self-managed Kubernetes cluster	A Kubernetes cluster where the cluster owner maintains the control plane nodes and cluster components.

Prerequisites

Kubernetes and related components in the cluster must meet the version and parameter requirements.
If the runtime is Containerd, update the Containerd configuration before integration to ensure distributed storage can be deployed successfully.

Notes

By default, the platform monitors NIC traffic matching eth.*|en.*|wl.*|ww.*. If your NIC uses a different naming convention, update the configuration after integration following Collect Network Data from Custom Named Network Cards.

Obtain Registry Address

To use the registry deployed by the platform during global cluster installation, run the following on a global control node:

if [ "$(kubectl get productbase -o jsonpath='{.items[].spec.registry.preferPlatformURL}')" = 'false' ]; then
    REGISTRY=$(kubectl get cm -n kube-public global-info -o jsonpath='{.data.registryAddress}')
else
    REGISTRY=$(kubectl get cm -n kube-public global-info -o jsonpath='{.data.platformURL}' | awk -F // '{print $NF}')
fi
echo "Registry address: $REGISTRY"

To use an external registry, set REGISTRY manually:

REGISTRY=<external-registry-address>  # e.g., registry.example.cn:60080 or 192.168.134.43
echo "Registry address: $REGISTRY"

Check if Extra Registry Config is Needed

Run the following to check if the registry supports HTTPS with a trusted CA certificate:

REGISTRY=<registry-address-from-previous-step>

if curl -s -o /dev/null --retry 3 --retry-delay 5 -- "https://${REGISTRY}/v2/"; then
    echo 'Pass: Registry uses a trusted CA certificate. No extra config needed.'
else
    echo 'Fail: Registry does not support HTTPS or uses an untrusted certificate. Follow "Trust Insecure Registry".'
fi

If check fails, see How to trust an insecure registry?

Get Cluster Info

See How to fetch cluster information?.

Integrate Cluster

In the left navigation, go to Cluster Management > Clusters.
Click Import Cluster.

Configure parameters as below:

Parameter	Description
Registry	Registry storing required platform component images. Options: Platform Default (configured during global setup), Private Registry (requires address, port, username, password), Public Registry (requires cloud credential update).
Cluster Info	Can be entered manually or parsed from a KubeConfig file. Required fields: Cluster Address, CA Certificate (Base64 decoded if entered manually), and Authentication (token or client certificate with cluster-admin rights).

Click Check Connectivity. The platform verifies network access and auto-detects cluster type.
If successful, click Import to complete.

Progress can be viewed via the execution progress dialog (status.conditions). Once integrated, the cluster appears as healthy in the list.

Network Configuration

Ensure connectivity between the global cluster and the imported cluster.

Post-import Configuration

If you need the platform to collect audit data from an imported standard Kubernetes cluster, configure Kubernetes API server audit logging on the cluster after import. See How to configure audit collection for imported standard Kubernetes clusters?.

FAQ

Why is the "Add Node" button disabled?

Adding nodes through the platform UI is not supported for imported standard Kubernetes clusters. Add nodes directly in the target cluster or through the cluster provider.

Which certificates are supported?

Kubernetes Certificates: Only API Server certificates can be viewed; other certificates are unsupported and will not auto-rotate.
Platform Component Certificates: Viewable and auto-rotatable.

Which features are unsupported?

Provider-managed Kubernetes services: Audit logs are not available.
Provider-managed Kubernetes services: ETCD, Scheduler, and Controller Manager monitoring are not supported. Only API Server metrics are available.
All clusters: Certificates other than API Server are not supported.

How to fix Containerd runtime causing distributed storage deployment failures?

When using Containerd, distributed storage deployment fails unless you adjust Containerd settings on all nodes:

Edit /etc/systemd/system/containerd.service, set LimitNOFILE=1048576.
Run systemctl daemon-reload.
Restart Containerd: systemctl restart containerd.
On control nodes, restart distributed storage pods:
kubectl delete pod --all -n rook-ceph

#Import Standard Kubernetes Cluster

#TOC

#Terminology

#Prerequisites

#Notes

#Obtain Registry Address

#Check if Extra Registry Config is Needed

#Get Cluster Info

#Integrate Cluster

#Network Configuration

#Post-import Configuration

#FAQ

#Why is the "Add Node" button disabled?

#Which certificates are supported?

#Which features are unsupported?

#How to fix Containerd runtime causing distributed storage deployment failures?