copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2020-01-14 |
kubernetes, iks, clusters |
containers |
{:codeblock: .codeblock} {:deprecated: .deprecated} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:help: data-hd-content-type='help'} {:important: .important} {:new_window: target="_blank"} {:note: .note} {:pre: .pre} {:preview: .preview} {:screen: .screen} {:shortdesc: .shortdesc} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:tip: .tip} {:troubleshoot: data-hd-content-type='troubleshoot'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms}
{: #access_cluster} {: help} {: support}
After your {{site.data.keyword.containerlong}} cluster is created, you can begin working with your cluster by accessing the cluster. {: shortdesc}
{: #prereqs}
- Install the required CLI tools, including the {{site.data.keyword.cloud_notm}} CLI, {{site.data.keyword.containershort_notm}} plug-in(
ibmcloud ks
), and Kubernetes CLI (kubectl
). - Create your Kubernetes cluster.
- If your network is protected by a company firewall, allow access to the {{site.data.keyword.cloud_notm}} and {{site.data.keyword.containerlong_notm}} API endpoints and ports. For private service endpoint-only clusters, you cannot test the connection to your cluster until you expose the private service endpoint of the master to the cluster by using a private NLB.
- Check that your cluster is in a healthy state by running
ibmcloud ks cluster get --cluster <cluster_name_or_ID>
. If your cluster is not in a healthy state, review the Debugging clusters guide for help. For example, if your cluster is provisioned in an account that is protected by a firewall gateway appliance, you must configure your firewall settings to allow outgoing traffic to the appropriate ports and IP addresses.
{: #access_public_se}
To work with your cluster, set the cluster that you created as the context for a CLI session to run kubectl
commands.
{: shortdesc}
If you want to use the {{site.data.keyword.cloud_notm}} console instead, you can run CLI commands directly from your web browser in the Kubernetes Terminal. {: tip}
-
If your network is protected by a company firewall, allow access to the {{site.data.keyword.cloud_notm}} and {{site.data.keyword.containerlong_notm}} API endpoints and ports.
- Allow access to the public endpoints for the
ibmcloud
API and theibmcloud ks
API in your firewall. - Allow your authorized cluster users to run
kubectl
commands to access the master through the public only, private only, or public and private service endpoints. - Allow your authorized cluster users to run
calicotl
commands to manage Calico network policies in your cluster.
- Allow access to the public endpoints for the
-
Set the cluster that you created as the context for this session. Complete these configuration steps every time that you work with your cluster.
-
Get the command to set the environment variable and download the Kubernetes configuration files.
ibmcloud ks cluster config --cluster <cluster_name_or_ID>
{: pre} When the download of the configuration files is finished, a command is displayed that you can use to set the path to the local Kubernetes configuration file as an environment variable.
Example for OS X:
export KUBECONFIG=/Users/<user_name>/.bluemix/plugins/kubernetes-service/clusters/mycluster/kube-config-prod-dal10-mycluster.yml
{: screen}
-
Copy and paste the command that is displayed in your terminal to set the
KUBECONFIG
environment variable. -
Verify that the
KUBECONFIG
environment variable is set properly. Example for OS X:echo $KUBECONFIG
{: pre}
Output:
/Users/<user_name>/.bluemix/plugins/kubernetes-service/clusters/mycluster/kube-config-prod-dal10-mycluster.yml
{: screen}
-
-
Launch your Kubernetes dashboard with the default port
8001
.-
Set the proxy with the default port number.
kubectl proxy
{: pre}
Starting to serve on 127.0.0.1:8001
{: screen}
-
Open the following URL in a web browser to see the Kubernetes dashboard.
http://localhost:8001/ui
{: codeblock}
-
{: #access_private_se}
The Kubernetes master is accessible through the private service endpoint if authorized cluster users are in your {{site.data.keyword.cloud_notm}} private network or are connected to the private network through a VPN connection or {{site.data.keyword.cloud_notm}} Direct Link. However, communication with the Kubernetes master over the private service endpoint must go through the 166.X.X.X
IP address range, which is not routable from a VPN connection or through {{site.data.keyword.cloud_notm}} Direct Link. You can expose the private service endpoint of the master for your cluster users by using a private network load balancer (NLB). The private NLB exposes the private service endpoint of the master as an internal 10.X.X.X
IP address range that users can access with the VPN or {{site.data.keyword.cloud_notm}} Direct Link connection. If you enable only the private service endpoint, you can use the Kubernetes dashboard or temporarily enable the public service endpoint to create the private NLB.
{: shortdesc}
-
If your network is protected by a company firewall, allow access to the {{site.data.keyword.cloud_notm}} and {{site.data.keyword.containerlong_notm}} API endpoints and ports.
-
Allow access to the public endpoints for the
ibmcloud
API and theibmcloud ks
API in your firewall. -
Allow your authorized cluster users to run
kubectl
commands. Note that you cannot test the connection to your cluster in step 6 until you expose the private service endpoint of the master to the cluster by using a private NLB. -
Get the private service endpoint URL and port for your cluster.
ibmcloud ks cluster get --cluster <cluster_name_or_ID>
{: pre}
In this example output, the Private Service Endpoint URL is https://c1.private.us-east.containers.cloud.ibm.com:25073
.
Name: setest
ID: b8dcc56743394fd19c9f3db7b990e5e3
State: normal
Created: 2019-04-25T16:03:34+0000
Location: wdc04
Master URL: https://c1.private.us-east.containers.cloud.ibm.com:25073
Public Service Endpoint URL: -
Private Service Endpoint URL: https://c1.private.us-east.containers.cloud.ibm.com:25073
Master Location: Washington D.C.
...
{: screen}
- Create a YAML file that is named
kube-api-via-nlb.yaml
. This YAML creates a privateLoadBalancer
service and exposes the private service endpoint through that NLB. Replace<private_service_endpoint_port>
with the port you found in the previous step.
apiVersion: v1
kind: Service
metadata:
name: kube-api-via-nlb
annotations:
service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: private
namespace: default
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: <private_service_endpoint_port>
targetPort: <private_service_endpoint_port>
---
kind: Endpoints
apiVersion: v1
metadata:
name: kube-api-via-nlb
subsets:
- addresses:
- ip: 172.20.0.1
ports:
- port: 2040
{: codeblock}
- To create the private NLB, you must be connected to the cluster master. Because you cannot yet connect through the private service endpoint from a VPN or {{site.data.keyword.cloud_notm}} Direct Link, you must connect to the cluster master and create the NLB by using the public service endpoint or Kubernetes dashboard.
-
If you enabled the private service endpoint only, you can use the Kubernetes dashboard to create the NLB. The dashboard automatically routes all requests to the private service endpoint of the master.
- Log in to the {{site.data.keyword.cloud_notm}} console.
- From the menu bar, select the account that you want to use.
- From the menu , click Kubernetes.
- On the Clusters page, click the cluster that you want to access.
- From the cluster detail page, click the Kubernetes Dashboard.
- Click + Create.
- Select Create from file, upload the
kube-api-via-nlb.yaml
file, and click Upload. - In the Overview page, verify that the
kube-api-via-nlb
service is created. In the External endpoints column, note the10.x.x.x
address. This IP address exposes the private service endpoint for the Kubernetes master on the port that you specified in your YAML file.
-
If you also enabled the public service endpoint, you already have access to the master.
-
Get the command to set the environment variable and download the Kubernetes configuration files.
ibmcloud ks cluster config --cluster <cluster_name_or_ID>
{: pre} When the download of the configuration files is finished, a command is displayed that you can use to set the path to the local Kubernetes configuration file as an environment variable.
Example for OS X:
export KUBECONFIG=/Users/<user_name>/.bluemix/plugins/kubernetes-service/clusters/mycluster/kube-config-prod-dal10-mycluster.yml
{: screen}
-
Copy and paste the command that is displayed in your terminal to set the
KUBECONFIG
environment variable. -
Create the NLB and endpoint.
kubectl apply -f kube-api-via-nlb.yaml
{: pre} 4. Verify that the
kube-api-via-nlb
NLB is created. In the output, note the10.x.x.x
EXTERNAL-IP address. This IP address exposes the private service endpoint for the Kubernetes master on the port that you specified in your YAML file.kubectl get svc -o wide
{: pre}
In this example output, the IP address for the private service endpoint of the Kubernetes master is
10.186.92.42
.NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR kube-api-via-nlb LoadBalancer 172.21.150.118 10.186.92.42 443:32235/TCP 10m <none> ...
{: screen}
-
- On the client machines where you or your users run
kubectl
commands, add the NLB IP address and the private service endpoint URL to the/etc/hosts
file. Do not include any ports in the IP address and URL and do not includehttps://
in the URL.
-
For OSX and Linux users:
sudo nano /etc/hosts
{: pre}
-
For Windows users:
notepad C:\Windows\System32\drivers\etc\hosts
{: pre}
Depending on your local machine permissions, you might need to run Notepad as an administrator to edit the hosts file. {: tip}
Example text to add:
10.186.92.42 c1.private.us-east.containers.cloud.ibm.com
{: codeblock}
- Verify that you are connected to the private network through one of the following methods:
- Classic clusters: Use a VPN or {{site.data.keyword.cloud_notm}} Direct Link connection.
- VPC clusters: Use a VPC VPN connection.
-
Get the command to set the environment variable and download the Kubernetes configuration files.
ibmcloud ks cluster config --cluster <cluster_name_or_ID>
{: pre} When the download of the configuration files is finished, a command is displayed that you can use to set the path to the local Kubernetes configuration file as an environment variable.
Example for OS X:
export KUBECONFIG=/Users/<user_name>/.bluemix/plugins/kubernetes-service/clusters/mycluster/kube-config-prod-dal10-mycluster.yml
{: screen}
-
Optional: If you have both the public and private service endpoints enabled, update your local Kubernetes configuration file to use the private service endpoint. By default, the public service endpoint is downloaded to the configuration file.
-
Navigate to the
kubeconfig
directory and open the file.cd /Users/<user_name>/.bluemix/plugins/kubernetes-service/clusters/<cluster_name> && nano touch kube-config-prod-dal10-mycluster.yml
{: pre} -
Edit your Kubernetes configuration file to add the word
private
to the service endpoint URL. For example, in the Kubernetes configuration filekube-config-prod-dal10-mycluster.yml
, the server field might look likeserver: https://c1.us-east.containers.cloud.ibm.com:30426
. You can change this URL to the private service endpoint URL by changing the server field toserver: https://c1.private.us-east.containers.cloud.ibm.com:30426
. -
Repeat these steps each time that you run
ibmcloud ks cluster config
. -
Copy and paste the command that is displayed in your terminal to set the
KUBECONFIG
environment variable. -
Verify that the
kubectl
commands run properly with your cluster through the private service endpoint by checking the Kubernetes CLI server version.
kubectl version --short
{: pre}
Example output:
Client Version: v1.14.9
Server Version: v1.14.9
{: screen}