Install KubeLB CCM and setup Tenant Cluster

Requirements

  • KubeLB management cluster kubernetes API access.
  • Registered as a tenant in the KubeLB management cluster.

Pre-requisites

  • Create a namespace kubelb for the CCM to be deployed in.

  • The agent expects a Secret with a kubeconf file named kubelb to access the management/load balancing cluster.

    • First register the tenant in LB cluster by following tenant registration guidelines.
    • Fetch the generated kubeconfig and create a secret by using these command:
    #  Replace with the tenant name
    TENANT_NAME=tenant-shroud
    KUBELB_KUBECONFIG=$(kubectl get secret kubelb-ccm-kubeconfig -n $TENANT_NAME --template={{.data.kubelb}})
    kubectl --namespace kubelb create secret generic kubelb-cluster --from-literal=kubelb="$(echo $KUBELB_KUBECONFIG | base64 -d)"
    
  • The name of secret can be overridden using .Values.kubelb.clusterSecretName, if required. If not the secret needs to be named kubelb and look like:

    kubectl get secrets -o yaml kubelb-cluster
    
    apiVersion: v1
    data:
      kubelb: xxx-base64-encoded-xxx
    kind: Secret
    metadata:
      name: kubelb-cluster
      namespace: kubelb
    type: Opaque
    
  • Update the tenantName in the values.yaml to a unique identifier for the tenant. This is used to identify the tenant in the manager cluster. Tenants are registered in the management cluster by the Platform Provider and the name is prefixed with tenant-. So for example, a tenant named my-tenant will be registered as tenant-my-tenant. NOTE: We have an automation in place and both tenant name without and with tenant- prefix are supported.

At this point a minimal values.yaml should look like this:

kubelb:
    clusterSecretName: kubelb-cluster
    tenantName: <unique-identifier-for-tenant>

Important configurations for private clusters! If your cluster only uses internal IPs for nodes (check the following example output) you would need to change the value kubelb.nodeAddressType to InternalIP:

kubectl get nodes -o wide
NAME     STATUS   ROLES           AGE    VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE          KERNEL-VERSION       CONTAINER-RUNTIME
node-x   Ready    control-plane   208d   v1.29.9   10.66.99.222   <none>        Ubuntu            5.15.0-121-generic   containerd://1.6.33

Adjust values.yaml:

kubelb:
  # -- Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP.
  nodeAddressType: InternalIP

Installation for KubeLB CCM

In case if Gateway API needs to be enabled for the cluster. Please set kubelb.enableGatewayAPI to true in the values.yaml. This is required otherwise due to missing CRDs, kubelb will not be able to start.

Prerequisites

  • Create a namespace kubelb for the CCM to be deployed in.
  • Create imagePullSecrets for the chart to pull the image from the registry in kubelb namespace.

At this point a minimal values.yaml should look like this:

imagePullSecrets:
  - name: <imagePullSecretName>
kubelb:
    clusterSecretName: kubelb-cluster
    tenantName: <unique-identifier-for-tenant>

Install the helm chart

helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm-ee --version=v1.1.2 --untardir "." --untar
## Create and update values.yaml with the required values.
helm upgrade --install kubelb-ccm kubelb-ccm-ee --namespace kubelb -f kubelb-ccm-ee/values.yaml

KubeLB CCM EE Values

KeyTypeDefaultDescription
affinityobject{}
autoscaling.enabledboolfalse
autoscaling.maxReplicasint10
autoscaling.minReplicasint1
autoscaling.targetCPUUtilizationPercentageint80
autoscaling.targetMemoryUtilizationPercentageint80
extraVolumeMountslist[]
extraVolumeslist[]
fullnameOverridestring""
image.pullPolicystring"IfNotPresent"
image.repositorystring"quay.io/kubermatic/kubelb-ccm-ee"
image.tagstring"v1.1.2"
imagePullSecrets[0].namestring"kubermatic-quay.io"
kubelb.clusterSecretNamestring"kubelb-cluster"Name of the secret that contains kubeconfig for the loadbalancer cluster
kubelb.disableGRPCRouteControllerboolfalsedisableGRPCRouteController specifies whether to disable the GRPCRoute Controller.
kubelb.enableGatewayAPIboolfalseenableGatewayAPI specifies whether to enable the Gateway API and Gateway Controllers. By default Gateway API is disabled since without Gateway APIs installed the controller cannot start.
kubelb.disableGatewayControllerboolfalsedisableGatewayController specifies whether to disable the Gateway Controller.
kubelb.disableHTTPRouteControllerboolfalsedisableHTTPRouteController specifies whether to disable the HTTPRoute Controller.
kubelb.disableIngressControllerboolfalsedisableIngressController specifies whether to disable the Ingress Controller.
kubelb.disableTCPRouteControllerboolfalsedisableTCPRouteController specifies whether to disable the TCPRoute Controller.
kubelb.disableTLSRouteControllerboolfalsedisableTLSRouteController specifies whether to disable the TLSRoute Controller.
kubelb.disableUDPRouteControllerboolfalsedisableUDPRouteController specifies whether to disable the UDPRoute Controller.
kubelb.enableLeaderElectionbooltrueEnable the leader election.
kubelb.enableSecretSynchronizerboolfalseEnable to automatically convert Secrets labelled with kubelb.k8c.io/managed-by: kubelb to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
kubelb.nodeAddressTypestring"ExternalIP"Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP.
kubelb.tenantNamestringnilName of the tenant, must be unique against a load balancer cluster.
kubelb.useGatewayClassbooltrueuseGatewayClass specifies whether to target resources with kubelb gateway class or all resources.
kubelb.useIngressClassbooltrueuseIngressClass specifies whether to target resources with kubelb ingress class or all resources.
kubelb.useLoadBalancerClassboolfalseuseLoadBalancerClass specifies whether to target services of type LoadBalancer with kubelb load balancer class or all services of type LoadBalancer.
nameOverridestring""
nodeSelectorobject{}
podAnnotationsobject{}
podLabelsobject{}
podSecurityContext.runAsNonRootbooltrue
podSecurityContext.seccompProfile.typestring"RuntimeDefault"
rbac.allowLeaderElectionRolebooltrue
rbac.allowMetricsReaderRolebooltrue
rbac.allowProxyRolebooltrue
rbac.enabledbooltrue
replicaCountint1
resources.limits.cpustring"500m"
resources.limits.memorystring"512Mi"
resources.requests.cpustring"100m"
resources.requests.memorystring"128Mi"
securityContext.allowPrivilegeEscalationboolfalse
securityContext.capabilities.drop[0]string"ALL"
securityContext.runAsUserint65532
service.portint8443
service.protocolstring"TCP"
service.typestring"ClusterIP"
serviceAccount.annotationsobject{}
serviceAccount.createbooltrue
serviceAccount.namestring""
serviceMonitor.enabledboolfalse
tolerationslist[]

Install the helm chart

helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm --version=v1.1.2 --untardir "." --untar
## Create and update values.yaml with the required values.
helm upgrade --install kubelb-ccm kubelb-ccm --namespace kubelb -f kubelb-ccm/values.yaml

KubeLB CCM Values

KeyTypeDefaultDescription
affinityobject{}
autoscaling.enabledboolfalse
autoscaling.maxReplicasint10
autoscaling.minReplicasint1
autoscaling.targetCPUUtilizationPercentageint80
autoscaling.targetMemoryUtilizationPercentageint80
extraVolumeMountslist[]
extraVolumeslist[]
fullnameOverridestring""
image.pullPolicystring"IfNotPresent"
image.repositorystring"quay.io/kubermatic/kubelb-ccm"
image.tagstring"v1.1.2"
imagePullSecretslist[]
kubelb.clusterSecretNamestring"kubelb-cluster"Name of the secret that contains kubeconfig for the loadbalancer cluster
kubelb.disableGRPCRouteControllerboolfalsedisableGRPCRouteController specifies whether to disable the GRPCRoute Controller.
kubelb.enableGatewayAPIboolfalseenableGatewayAPI specifies whether to enable the Gateway API and Gateway Controllers. By default Gateway API is disabled since without Gateway APIs installed the controller cannot start.
kubelb.disableGatewayControllerboolfalsedisableGatewayController specifies whether to disable the Gateway Controller.
kubelb.disableHTTPRouteControllerboolfalsedisableHTTPRouteController specifies whether to disable the HTTPRoute Controller.
kubelb.disableIngressControllerboolfalsedisableIngressController specifies whether to disable the Ingress Controller.
kubelb.enableLeaderElectionbooltrueEnable the leader election.
kubelb.enableSecretSynchronizerboolfalseEnable to automatically convert Secrets labelled with kubelb.k8c.io/managed-by: kubelb to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
kubelb.nodeAddressTypestring"ExternalIP"Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP.
kubelb.tenantNamestringnilName of the tenant, must be unique against a load balancer cluster.
kubelb.useGatewayClassbooltrueuseGatewayClass specifies whether to target resources with kubelb gateway class or all resources.
kubelb.useIngressClassbooltrueuseIngressClass specifies whether to target resources with kubelb ingress class or all resources.
kubelb.useLoadBalancerClassboolfalseuseLoadBalancerClass specifies whether to target services of type LoadBalancer with kubelb load balancer class or all services of type LoadBalancer.
nameOverridestring""
nodeSelectorobject{}
podAnnotationsobject{}
podLabelsobject{}
podSecurityContext.runAsNonRootbooltrue
podSecurityContext.seccompProfile.typestring"RuntimeDefault"
rbac.allowLeaderElectionRolebooltrue
rbac.allowMetricsReaderRolebooltrue
rbac.allowProxyRolebooltrue
rbac.enabledbooltrue
replicaCountint1
resources.limits.cpustring"500m"
resources.limits.memorystring"512Mi"
resources.requests.cpustring"100m"
resources.requests.memorystring"128Mi"
securityContext.allowPrivilegeEscalationboolfalse
securityContext.capabilities.drop[0]string"ALL"
securityContext.runAsUserint65532
service.portint8443
service.protocolstring"TCP"
service.typestring"ClusterIP"
serviceAccount.annotationsobject{}
serviceAccount.createbooltrue
serviceAccount.namestring""
serviceMonitor.enabledboolfalse
tolerationslist[]

Setup the tenant cluster

Install Gateway API CRDs

At this point, the KubeLB CCM should be installed and running in the tenant cluster. Next steps are to install the Gateway API CRDs in the cluster. This is required to use the Gateway API resources in the tenant cluster.

Use the Experimental channel to install the CRDs:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml

For more details: Experimental Install

Use the Standard channel to install the CRDs:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

For more details: Standard Install

Due to the following reasons this has been left as a manual step and we haven’t added these CRDs to the KubeLB Manager chart, for automated installation:

  • We can’t have optional CRDs in a helm chart.
  • Installing it through the helm chart would result in the existing CRDs in the tenant cluster to be overwritten. Which is not the desired behavior.