This document shows how to create a user cluster that uses a new installation model that is available as a preview feature in version 1.13 of Google Distributed Cloud.
What is kubeception?
The term kubeception is used to convey the idea that a Kubernetes cluster is used to create and manage other Kubernetes clusters. In the context of Google Distributed Cloud, kubeception refers to the case where the control plane for a user cluster runs on one or more nodes in an admin cluster.
Starting in version 1.13.0, you have the option of having the control plane for a user cluster run on one or more nodes in the user cluster itself. In previous versions of Google Distributed Cloud, kubeception was the only option. That is, all user clusters had their control planes in the admin cluster.
The new installation model brings architectural consistency between admin and user clusters, and decouples the user cluster from the admin cluster. This is an advantage for scenarios like running clusters on different geographical sites.
Before you begin
You must have an admin cluster, and the admin cluster version must be 1.13.0 or later.
Plan your IP addresses
As you plan your IP addresses for your user cluster, be aware of these requirements for the new installation model:
The control-plane nodes for your user cluster must get their IP addresses from a list of static addresses that you provide. This is the case even if your worker nodes get their addresses from a DHCP server. You need three control-plane nodes for a high availability (HA) user cluster, but only one control-plane node for a non-HA user cluster.
The user cluster control plane node(s) must be in the same VLAN as the user cluster worker nodes. This is in contrast to the kubeception model.
The user cluster control-plane VIP must be in the same VLAN as the user cluster worker nodes and the user cluster control-plane node(s). This is in contrast to the kubeception model.
Plan your vSphere environment
The
admin cluster configuration file
and
user cluster configuration file
both have a vCenter section where you can specify the vSphere resources that
you want the admin or user cluster to use.
For a user cluster, you do not have to fill in the vCenter section, because by
default, a user cluster uses the same vSphere resources as the admin cluster.
But if you want your user cluster to use vSphere resources different from what
you specified for the admin cluster, you can fill in fields of your choice in the
vCenter section of the user cluster configuration file. For more information,
see
Set up your vSphere object hierarchy.
In the new installation model, the control-plane nodes for the user cluster are
in the user cluster itself. So the control-plane nodes use the vSphere
resources specified in the user cluster configuration file. For example, suppose
you specify datacenter-1 for your admin cluster and datacenter-2 for your
user cluster. The control-plane nodes for your user cluster will be in
datacenter-2.
Anti-affinity groups
The
admin cluster configuration file
and
user cluster configuration file
both have an antiAffinityGroups.enabled field that you can set to true or
false.
In the new installation model, the control-plane nodes for the user cluster
are distributed according to the
antiAffinityGroups.enabled value in the user cluster configuration file.
In contrast, with the kubeception model, the control-plane nodes for the user
cluster are distributed according to the antiAffinityGroups.enabled value in
the admin cluster configuration file.
Example
Here we give an example of a user cluster that has the following characteristics:
There are three worker nodes.
The worker nodes have static IP addresses.
There are three control-plane nodes. That is, it is an HA cluster.
The load balancer is MetalLB.
The user cluster uses the same vSphere resources as the admin cluster.
The following diagram illustrates the network for the admin and user clusters:
Here is an example of an IP block file and a portion of a user cluster configuration file.
user-ipblock.yaml
blocks:
- netmask: 255.255.255.0
gateway: 172.16.21.1
ips:
- ip: 172.16.21.2
hostname: worker-vm-1
- ip: 172.16.21.3
hostname: worker-vm-2
- ip: 172.16.21.4
hostname: worker-vm-3
- ip: 172.16.21.5
hostname: worker-vm-4
user-cluster.yaml
apiVersion: v1
kind: UserCluster
...
kubeception: false
network:
hostConfig:
dnsServers:
- "203.0.113.2"
- "198.51.100.2"
ntpServers:
- "216.239.35.4"
ipMode:
type: "static"
ipBlockFilePath: "user-ipblock.yaml"
controlPlaneIPBlock:
netmask: "255.255.255.0"
gateway: "172.16.21.1"
ips:
- ip: "172.16.21.6"
hostname: "cp-vm-1"
- ip: "172.16.21.7"
hostname: "cp-vm-2"
- ip: "172.16.21.8"
hostname: "cp-vm-3"
loadBalancer:
vips:
controlPlaneVIP: "172.16.21.40"
ingressVIP: "172.16.21.30"
kind: MetalLB
metalLB:
addressPools:
- name: "address-pool-1"
addresses:
- "172.16.21.30-172.16.21.39"
...
masterNode:
cpus: 4
memoryMB: 8192
replicas: 3
nodePools:
- name: "worker-node-pool"
enableLoadBalancer: true
These are the important points to understand in the preceding example:
The static IP addresses for the worker nodes are specified in an IP block file. The IP block file has four addresses even though there are only three worker nodes. The extra IP address is needed during cluster upgrade, update, and auto repair.
The static IP addresses for the three control-plane nodes are specified in the
network.controlPlaneIPBlocksection of the user cluster configuration file. There is no need for an extra IP address in this block.The
masterNode.replicasfield is set to3.The control-plane VIP and the ingress VIP are both in the same VLAN as the worker nodes and the control-plane nodes.
The VIPs that are set aside for Services of type LoadBalancer are specified in the
loadBalancer.metalLB.addressPoolssection of the user cluster configuration file. These VIPs are in the same VLAN as the worker nodes and the control-plane nodes.The user cluster configuration file does not include a
vCentersection. So the user cluster uses the same vSphere resources as the admin cluster.
Create firewall rules
In addition to the standard firewall rules, create the following firewall rules as needed:
From |
Source port |
To |
Dst port |
Protocol |
Description |
|---|---|---|---|---|---|
|
Admin cluster nodes |
All |
User cluster control-plane VIP |
443 |
https |
Allow nodes and Pods in the admin cluster to talk to the Kubernetes API server of the user cluster. |
|
Admin cluster nodes |
All |
User cluster control-plane nodes |
443 |
https |
Allow nodes and Pods in the admin cluster to talk to the Kubernetes API server of the user cluster by using the IP address of a user cluster control-plane node. |
|
Admin cluster nodes |
All |
User cluster vCenter Server |
443 |
https |
Allow the admin cluster to manage the lifecycle of the user cluster. Required if you specified a value for vCenter.address that is different from the vCenter address in your admin cluster configuration file. |
|
User cluster control-plane nodes |
1024 - 65535 |
On-premises local Docker registry |
Depends on your registry |
TCP/https |
Required if you specified a private registry in your admin cluster configuration file. |
Create a user cluster with the new model
This section shows how to create a user cluster that uses the new installation model. In this example, the user cluster uses the same instance of vCenter Server as the admin cluster.
Follow the instructions in Create a user cluster.
As you fill in your user cluster configuration file:
Set
kubeceptiontofalse.Do not specify a value for
vCenter.address.Fill in the
network.controlPlaneIPBlocksection. If you want an HA user cluster, specify three IP addresses. Otherwise, specify one IP address.
When your user cluster is running, verify that the control plane is running on one or three nodes in the user cluster:
kubectl --kubeconfig USER_CLUSTER_KUBECONFIG get nodes
Replace USER_CLUSTER_KUBECONFIG with the path of the user cluster kubeconfig file.
The output shows one or three control-plane nodes along with the worker nodes. For example:
cp-vm-1 Ready control-plane,master 18m cp-vm-2 Ready control-plane,master 18m cp-vm-3 Ready control-plane,master 18m worker-vm-1 Ready 6m7s worker-vm-2 Ready 6m6s worker-vm-3 Ready 6m14s
Verify that the control plane for the user cluster is not running in the admin cluster:
kubectl --kubeconfig ADMIN_CLUSTER_KUBECONFIG get nodes --output wide
Replace ADMIN_CLUSTER_KUBECONFIG with the path of the admin cluster kubeconfig file.
The output shows a control-plane node for the admin cluster itself, but does not show any control-plane nodes for the user cluster. For example:
admin-vm-1 Ready control-plane,master 82m admin-vm-2 Ready 71m admin-vm-3 Ready 71m
Upgrade a user cluster
Follow the instructions in Upgrading Anthos clusters on VMware.
Note that when you upgrade a user cluster using the new installation model, the entire user cluster, including the user control plane nodes, is upgraded.
In contrast, for user clusters deployed with the kubeception model, the control plane nodes are not upgraded during user cluster upgrade and they will not be upgraded until admin cluster upgrade.
Delete a user cluster
To delete a user cluster:
gkectl delete cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG --cluster USER_CLUSTER
Replace USER_CLUSTER with the name of the user cluster.
When you delete a user cluster that uses the new installation model, the cluster's data disks do not get deleted automatically. So you need to delete the data disks manually. An HA cluster has three data disks, and a non-HA cluster has one data disk.
The data disks for the user cluster are in one of these locations:
ADMIN_CLUSTER/USER_CLUSTER/
ADMIN_DISK_FOLDER/ADMIN_CLUSTER/USER_CLUSTER/
Replace ADMIN_CLUSTER with the name of the admin cluster.
If you specified a folder in the
vCenter.dataDisk
field of the admin cluster configuration file, replace
ADMIN_DISK_FOLDER with the name of the folder.
For a non-HA cluster, the data disk is named USER_CLUSTER-0-data.vmdk.
For an HA cluster, the data disks are named:
- USER_CLUSTER-0-data.vmdk.
- USER_CLUSTER-1-data.vmdk.
- USER_CLUSTER-2-data.vmdk.
You can use the vSphere client to delete the data disks.
Create a user cluster with its own vCenter Server
In certain situations, it makes sense to create a user cluster that uses its own instance of vCenter Server. That is, the admin cluster and an associated user cluster use different instances of vCenter Server.
For example, in an edge location, you might want to have a physical machine running vCenter Server and one or more physical machines running ESXi. You could then use your local instance of vCenter Server to create a vSphere object hierarchy, including data centers, clusters, resource pools, datastores, and folders.
Follow the instructions under Create a user cluster with the new model.
In addition to the steps given in that section, fill in the entire
vCenter
section of your user cluster configuration file. In particular, specify a value
for vCenter.address that is different from the vCenter Server address you
specified in the admin cluster configuration file.
Example
vCenter:
address: "vc-edge.example"
datacenter: "vc-edge"
cluster: "vc-edge-workloads"
resourcePool: "vc-edge-pool
datastore: "vc-edge-datastore
caCertPath: "/usr/local/google/home/me/certs/edge-cacert.pem"
credentials:
fileRef:
path: "credential.yaml"
entry: "vCenter-edge"
folder: "edge-vm-folder"
Troubleshooting
See Troubleshooting cluster creation and upgrade.