Skip to content

Latest commit

 

History

History
253 lines (188 loc) · 9.67 KB

03-compute-resources.md

File metadata and controls

253 lines (188 loc) · 9.67 KB

Provisioning Compute Resources

Kubernetes requires a set of machines to host the Kubernetes control plane and the worker nodes where containers are ultimately run. In this lab you will provision the compute resources required for running a secure and highly available Kubernetes cluster within a single Resource Group in a single region

Here is a high level picture of the Azure resources you are going to create in this step:

compute resources

Ensure a resource group has been created as described in the Prerequisites lab.

Networking

The Kubernetes networking model assumes a flat network in which containers and nodes can communicate with each other. In cases where this is not desired network policies can limit how groups of containers are allowed to communicate with each other and external network endpoints.

Setting up network policies is out of scope for this tutorial.

Virtual Network

In this section a dedicated Virtual Network (VNet) network will be setup to host the Kubernetes cluster.

Create the kubernetes-vnet custom VNet network with a subnet kubernetes-subnet provisioned with an IP address range large enough to assign a private IP address to each node in the Kubernetes cluster.:

az network vnet create -g kubernetes \
  -n kubernetes-vnet \
  --address-prefix 10.240.0.0/24 \
  --subnet-name kubernetes-subnet

The 10.240.0.0/24 IP address range can host up to 254 compute instances.

Firewall Rules

Create a firewall (Network Security Group) and assign it to the subnet:

az network nsg create -g kubernetes -n kubernetes-nsg

Associate the kubernetes-nsg firewall to the kubernetes-subnet subnet in the kubernetes-vnet vnet:

az network vnet subnet update -g kubernetes \
  -n kubernetes-subnet \
  --vnet-name kubernetes-vnet \
  --network-security-group kubernetes-nsg

Create a firewall rule that allows external SSH and HTTPS:

If you want to restrict communication from your current IP Address only, retrieve your public IP address with curl ifconfig.co and then use that ip address in --source-address-prefix 'your.i.p.address'

az network nsg rule create -g kubernetes \
  -n kubernetes-allow-ssh \
  --access allow \
  --destination-address-prefix '*' \
  --destination-port-range 22 \
  --direction inbound \
  --nsg-name kubernetes-nsg \
  --protocol tcp \
  --source-address-prefix '*' \
  --source-port-range '*' \
  --priority 1000
az network nsg rule create -g kubernetes \
  -n kubernetes-allow-api-server \
  --access allow \
  --destination-address-prefix '*' \
  --destination-port-range 6443 \
  --direction inbound \
  --nsg-name kubernetes-nsg \
  --protocol tcp \
  --source-address-prefix '*' \
  --source-port-range '*' \
  --priority 1001

An external load balancer will be used to expose the Kubernetes API Servers to remote clients.

List the firewall rules in the kubernetes-vnet VNet network:

az network nsg rule list -g kubernetes --nsg-name kubernetes-nsg --query "[].{Name:name, \
  Direction:direction, Priority:priority, Port:destinationPortRange}" -o table

output

Name                         Direction      Priority    Port
---------------------------  -----------  ----------  ------
kubernetes-allow-ssh         Inbound            1000      22
kubernetes-allow-api-server  Inbound            1001    6443

Kubernetes Public IP Address

Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers:

This creates a public IP address resource named kubernetes-pip assigned to a load balancer (nlb) resource named kubernetes-lb

az network lb create -g kubernetes \
  -n kubernetes-lb \
  --backend-pool-name kubernetes-lb-pool \
  --public-ip-address kubernetes-pip \
  --public-ip-address-allocation static

Verify the kubernetes-pip static IP address was created correctly in the kubernetes Resource Group and chosen region:

az network public-ip list --query="[?name=='kubernetes-pip'].{ResourceGroup:resourceGroup, \
  Region:location,Allocation:publicIpAllocationMethod,IP:ipAddress}" -o table

output

ResourceGroup    Region    Allocation    IP
---------------  --------  ------------  --------------
kubernetes       eastus2   Static        XX.XXX.XXX.XXX

Virtual Machines

The compute instances in this lab will be provisioned using Ubuntu Server 18.04, which has good support for the cri-containerd container runtime. Each compute instance will be provisioned with a fixed private IP address to simplify the Kubernetes bootstrapping process.

To select latest stable Ubuntu Server release run following command and replace UBUNTULTS variable below with latest row in the table.

az vm image list --location eastus2 --publisher Canonical --offer UbuntuServer --sku 18.04-LTS --all -o table
UBUNTULTS="Canonical:UbuntuServer:18.04-LTS:18.04.202002180"

Virtual Machine size

To list the available machine sizes in the selected region (eastus2), run the following command:

az vm list-sizes --location eastus2 -o table

Compare the pricing of the VMs here Linux Virtual Machines Pricing

Then select the size you prefer - in this example, we will use the Standard_B1ms size (1 CPU, 2 GiB of RAM, 4 GiB of Disk) that costs about $11/month.

VMSIZE="Standard_B1ms"

Kubernetes Controllers

Create two compute instances which will host the Kubernetes control plane in controller-as Availability Set:

az vm availability-set create -g kubernetes -n controller-as
for i in 0 1 2; do
    echo "[Controller ${i}] Creating public IP..."
    az network public-ip create -n controller-${i}-pip -g kubernetes > /dev/null

    echo "[Controller ${i}] Creating NIC..."
    az network nic create -g kubernetes \
        -n controller-${i}-nic \
        --private-ip-address 10.240.0.1${i} \
        --public-ip-address controller-${i}-pip \
        --vnet kubernetes-vnet \
        --subnet kubernetes-subnet \
        --ip-forwarding \
        --lb-name kubernetes-lb \
        --lb-address-pools kubernetes-lb-pool > /dev/null

    echo "[Controller ${i}] Creating VM..."
    az vm create -g kubernetes \
        -n controller-${i} \
        --image ${UBUNTULTS:-'Canonical:UbuntuServer:18.04-LTS:18.04.202107200'} \
        --size ${VMSIZE:-Standard_B1ms} \
        --nics controller-${i}-nic \
        --availability-set controller-as \
        --admin-username 'kuberoot' \
        --generate-ssh-keys > /dev/null
done

Kubernetes Workers

Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The pod-cidr instance metadata will be used to expose pod subnet allocations to compute instances at runtime.

The Kubernetes cluster CIDR range is defined by the Controller Manager's --cluster-cidr flag. In this tutorial the cluster CIDR range will be set to 10.240.0.0/16, which supports 254 subnets.

Create two compute instances which will host the Kubernetes worker nodes in worker-as Availability Set:

az vm availability-set create -g kubernetes -n worker-as
for i in 0 1; do
    echo "[Worker ${i}] Creating public IP..."
    az network public-ip create -n worker-${i}-pip -g kubernetes > /dev/null

    echo "[Worker ${i}] Creating NIC..."
    az network nic create -g kubernetes \
        -n worker-${i}-nic \
        --private-ip-address 10.240.0.2${i} \
        --public-ip-address worker-${i}-pip \
        --vnet kubernetes-vnet \
        --subnet kubernetes-subnet \
        --ip-forwarding > /dev/null

    echo "[Worker ${i}] Creating VM..."
    az vm create -g kubernetes \
        -n worker-${i} \
        --image ${UBUNTULTS:-'Canonical:UbuntuServer:18.04-LTS:18.04.202107200'} \
        --size ${VMSIZE:-Standard_B1ms} \
        --nics worker-${i}-nic \
        --tags pod-cidr=10.200.${i}.0/24 \
        --availability-set worker-as \
        --generate-ssh-keys \
        --admin-username 'kuberoot' > /dev/null
done

Verification

List the compute instances in your default compute zone:

az vm list -d -g kubernetes -o table

output

Name          ResourceGroup    PowerState    PublicIps       Location
------------  ---------------  ------------  --------------  ----------
controller-0  kubernetes       VM running    XX.XXX.XXX.XXX  eastus2
controller-1  kubernetes       VM running    XX.XXX.XXX.XXX  eastus2
controller-2  kubernetes       VM running    XX.XXX.XXX.XXX  eastus2
worker-0      kubernetes       VM running    XX.XXX.XXX.XXX  eastus2
worker-1      kubernetes       VM running    XX.XXX.XXX.XXX  eastus2

Next: Provisioning a CA and Generating TLS Certificates