Working with KubeLB

Kubermatic Kubernetes Platform

Starting with KKP v2.24, KubeLB is integrated into the Kubermatic Kubernetes Platform (KKP). This means that you can use KubeLB to provision load balancers for your KKP clusters. KKP will take care of configurations and deployments for you in the user cluster. Admins mainly need to create the KubeLB manager cluster and configure KKP to use it.

For usage outside of KKP, follow the rest of this guide.

Usage

This guide assumes that the KubeLB manager cluster has been configured by following the installation guide.

KubeLB Manager configuration

KubeLB treats each cluster that wants load balancer services as a unique tenant, so the KubeLB manager needs to be aware of the tenant clusters. Tenant clusters are registered in the KubeLB manager cluster by creating a namespace with the unique name of the tenant and labelling it with kubelb.k8c.io/managed-by: kubelb.

We then create a restricted service account in the tenant cluster that will be used by the KubeLB CCM to communicate with the KubeLB manager cluster. The Role bound to it in the script below only grants access to loadbalancers resources and their status, and because it is a namespaced Role, only within the tenant's namespace. Finally, we need a kubeconfig that can be configured in the KubeLB CCM to communicate with the KubeLB manager cluster.

This script can be used for creating the required RBAC and generating the kubeconfig:

#!/usr/bin/env bash
# No -x here: xtrace would echo the decoded service account token to stderr.
set -euo pipefail

if [ $# -ne 1 ] ; then
    echo 'No cluster ID provided'
    exit 1
fi

clusterId=$1
namespace=$clusterId

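kubectl create namespace "$namespace"
# Label the namespace so that the KubeLB manager treats it as a tenant (see above).
kubectl label namespace "$namespace" kubelb.k8c.io/managed-by=kubelb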
cat <<EOF | kubectl apply -n "$namespace" -f -
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubelb-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubelb-agent-role
rules:
  - apiGroups:
      - kubelb.k8c.io
    resources:
      - loadbalancers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - kubelb.k8c.io
    resources:
      - loadbalancers/status
    verbs:
      - get
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubelb-agent-rolebinding
subjects:
  - kind: ServiceAccount
    name: kubelb-agent
roleRef:
  kind: Role
  name: kubelb-agent-role
  apiGroup: rbac.authorization.k8s.io
EOF


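# Your server name goes here; by default it is read from the current kubectl context
server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

# Kubernetes 1.24+ no longer auto-creates a token Secret for a service account
# (.secrets[0].name is empty there), so request one explicitly.
# The Secret name kubelb-agent-token is chosen here. The token does not expire;
# deleting the Secret revokes it.
token_name=kubelb-agent-token
cat <<EOF | kubectl apply -n "$namespace" -f -
apiVersion: v1
kind: Secret
metadata:
  name: $token_name
  annotations:
    kubernetes.io/service-account.name: kubelb-agent
type: kubernetes.io/service-account-token
EOF

# Wait until the token controller has populated the Secret
until [ -n "$(kubectl -n "$namespace" get "secret/$token_name" -o jsonpath='{.data.token}')" ]; do
    sleep 1
done

ca=$(kubectl -n "$namespace" get "secret/$token_name" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl -n "$namespace" get "secret/$token_name" -o jsonpath='{.data.token}' | base64 --decode)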

echo "
apiVersion: v1
kind: Config
clusters:
- name: kubelb-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: kubelb-cluster
    namespace: $namespace
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}"
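
To confirm that the service account created by the script above is as restricted as intended, the following added example (not part of the KubeLB documentation) impersonates it with kubectl auth can-i and checks that it can manage loadbalancers in its own namespace and nothing else. The probe list and the default kube-system comparison namespace are assumptions; the caller needs impersonation rights on the KubeLB manager cluster.

```shell
#!/usr/bin/env bash
# Added example: probe the effective permissions of the kubelb-agent service
# account by impersonating it. Run with an admin context on the manager cluster.

# check_tenant_rbac <tenant-namespace> [other-namespace]
# "other-namespace" (default kube-system, an assumption) is any namespace the
# tenant must not reach. Returns 0 only if every probe gives the expected answer.
check_tenant_rbac() {
    local ns="$1"
    local other="${2:-kube-system}"
    local sa="system:serviceaccount:${ns}:kubelb-agent"
    local failures=0 expect verb resource target answer

    while read -r expect verb resource target; do
        # can-i exits non-zero on "no" and may append a reason ("no - ..."),
        # so ignore the exit status and compare only the first word.
        answer=$(kubectl auth can-i "$verb" "$resource" --as="$sa" -n "$target" \
            2>/dev/null </dev/null || true)
        answer="${answer%% *}"
        if [ "$answer" = "$expect" ]; then
            echo "ok    $verb $resource in $target: $answer"
        else
            echo "FAIL  $verb $resource in $target: ${answer:-error}, expected $expect"
            failures=$((failures + 1))
        fi
    done <<EOF
yes create loadbalancers.kubelb.k8c.io $ns
yes delete loadbalancers.kubelb.k8c.io $ns
yes watch loadbalancers.kubelb.k8c.io $ns
no get secrets $ns
no create rolebindings.rbac.authorization.k8s.io $ns
no create serviceaccounts $ns
no list loadbalancers.kubelb.k8c.io $other
EOF
    [ "$failures" -eq 0 ]
}

# Stand-alone use: ./check-tenant-rbac.sh <tenant-namespace>
if [ "$#" -gt 0 ]; then
    check_tenant_rbac "$@"
fi
```

A FAIL line on one of the "no" probes means the tenant's credentials reach further than the Role on this page allows, for example through an extra binding in the namespace.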


KubeLB CCM configuration

When installing the CCM, provide the kubeconfig that was generated in the previous step. Also set the tenantName field in values.yaml to the name of the tenant cluster.