Installing and Provisioning Containerized Contrail Controller for Kubernetes
This section describes the steps required to install and provision containerized Contrail Controller for Kubernetes.
Ensure the following prerequisites are met for successful provisioning of a Contrail Kubernetes cluster.
An installed and running Kubernetes cluster is available.
You can choose the installation method for Kubernetes.
Kubernetes cluster must have at least one worker node.
The Kubernetes cluster consists of one master node and at least one worker node. Kubernetes “tainted” master, a mode in which worker pods are scheduled on Kubernetes master node, is not supported.
Ensure that Kubelet running on the Kubernetes master node does not have network plugin options.
If Kubelet is configured with a network plugin option:
Disable or comment out the KUBELET_NETWORK_ARGS option in the configuration file.
/etc/systemd/system/kubelet.service.d/10-kubeadm.confRestart the Kubelet service.
systemctl daemon-reload; systemctl restart kubelet.service
Get a service account token that has a
cluster-admincluster role.You can configure this token in
contrail-ansibleduring provisioning of the Contrail Kubernetes cluster.For more information, refer to the
kubernetes_access_tokenvariable in theall.ymlincontrail-ansible.Create a service account and bind it to the
cluster-admincluster role.kubectl create clusterrolebinding <role-binding-name> --clusterrole=cluster-admin --serviceaccount=<service-account-name>Alternatively, you can bind the
cluster-adminrole to an existing service account.Example: Bind a
cluster-adminrole to a service account nameddefault.kubectl create clusterrolebinding contrail-kube-manager --clusterrole=cluster-admin --serviceaccount=default:defaultGet the secret associated with the service account.
kubectl describe sa <service-account-name>Example:
> kubectl describe sa default Name: default Namespace: default Labels: <none> Annotations: <none> Tokens: default-token-r353k <----- Image pull secrets: <none> Mountable secrets: default-token-r353kGet the token associated with the secret.
kubectl describe secret <name>Example:
> kubectl describe secret default-token-r353k Name: default-token-r353k Namespace: default Labels: <none> Annotations: kubernetes.io/service-account.name=default kubernetes.io/service-account.uid=4fbcc5cf-3fed-11e7-acf4-0271c93f63d6 Type: kubernetes.io/service-account-token Data ==== ca.crt: 1025 bytes namespace: 7 bytes token: $123ABC
Installing and Provisioning Containerized Contrail Controller for Kubernetes
Perform the following steps to install containerized Contrail controller for Kubernetes:
Set up password-free access to all hosts from Ansible host.
ssh-keygen -t rsa ssh <user>@<host-ip> mkdir -p .ssh ssh <user>@<host-ip> chmod 700 .ssh cat .ssh/id_rsa.pub | ssh <user>@<host-ip> 'cat >> .ssh/authorized_keys'
Ensure ssh <user>@<host-ip> works fine.
Install Ansible on your Mac OS X or any other machine. Version must be = 2.2.0.
sudo easy_install pip sudo pip install ansible==2.2.0
Download contrail-kubernetes-docker_<release>_<os-name>.tgz package and extract it. The extracted package contains contrail-networking-tools_<release>.tgz and contrail-kubernetes-docker-images_<release>.tgz packages.
The contrail-networking-tools_<release>.tgz contains the
contrail-ansiblepackage while the contrail-kubernetes-docker-images_<release>.tgz contains Contrail container images.Extract the
contrail-ansiblepackage from the contrail-networking-tools_<release>.tgz package.contrail-ansibleis used to provision a Contrail Kubernetes cluster. Thecontrail-ansiblerepo contains a site.yml playbook that has the requisite roles and tasks to provision a fully-functional Contrail Kubernetes cluster. The inventory files in the repo expose all the parameters required by the playbook to provision the cluster. Thecontrail-ansibledirectory-based inventory file mechanism is recommended for provisioning.Note:The scope of
contrail-ansibleis to provision only the Contrail part of the Kubernetes solution. The Kubernetes cluster should be provisioned independently using recommended Kubernetes guidelines.Contrail Kubernetes clusters can be provisioned in the following modes:
Stand-alone Contrail Kubernetes cluster
In this mode, Contrail provides networking to a stand-alone Kubernetes cluster. Contrail components are provisioned and dedicated to the management of this cluster.
Nested Contrail Kubernetes cluster
In this mode, Contrail provides networking for a Kubernetes cluster that is provisioned on a Contrail OpenStack cluster. Contrail components are shared between the two clusters. Ansible provisions only the Contrail components that directly interface with the Kubernetes API server. All other Contrail components are shared between OpenStack and Kubernetes clusters.
Create a folder called container_images inside contrail-ansible/playbook. Copy container images to this folder by extracting contrail-kubernetes-docker-images_<release>.tgz.
Update the inventory file.
The inventory files in directory-based provisioning are as following:
inventory/my-inventory/hosts. See inventory/my-inventory/hosts Inventory File for more information.
inventory/my-inventory/group_vars/all.yml. See inventory/my-inventory/group_vars/all.yml Inventory File for more information.
Run the Ansible playbook from contrail-ansible/playbook.
ansible-playbook -i inventory/my-inventory site.yml
inventory/my-inventory/hosts Inventory File
This section describes the parameters and provides examples of the inventory/my-inventory/hosts inventory file in stand-alone and nested Contrail Kubernetes clusters.
Table 1 lists the parameters used in the inventory/my-inventory/hosts inventory file.
In Table 1, Cluster Mode is one of the following:
Stand-alone —Applicable only to a stand-alone cluster.
Nested —Applicable only to nested cluster.
Both—Applicable to both stand-alone and nested clusters.
Parameter |
Cluster Mode |
Description |
|---|---|---|
contrail-repo |
Nested |
List of hosts where contrail apt or yum repo container will be started. This repo will be used by other nodes on installing any packages in the node. Setting up contrail-cni needs this repo enabled |
contrail-controllers |
Stand-alone |
List of hosts where contrail-controller container or processes are to be provisioned. . |
contrail-analyticsdb |
Stand-alone |
List of hosts where contrail-analyticsdb container or process is to be provisioned. |
contrail-analytics |
Stand-alone |
List of hosts where contrail-analytics container or process is to be provisioned. |
contrail-kubernetes |
Both |
Node where contrail-kube-manager container or process is to be run. |
contrail-compute |
Both |
List of hosts which are to be provisioned as kubernetes compute/minion nodes. Contrail vRouter or vrouter-agent or CNI will be provisioned on these nodes. |
kubernetes-contrail-controllers |
Nested |
List of nodes with pre-existing contrail-controller container or processes to which contrail-kube-manager should connect to. |
kubernetes-contrail-analytics |
Nested |
List of nodes with pre-existing contrail-analytics container or processes to which contrail-kube-manager should connect to. |
- Example: inventory/my-inventory/hosts File in a Stand-alone Contrail Kubernetes Cluster
- Example: Nested inventory/my-inventory/hosts File in a Nested Contrail Kubernetes Cluster
Example: inventory/my-inventory/hosts File in a Stand-alone Contrail Kubernetes Cluster
The following is an example of the inventory/my-inventory/hosts file in a stand-alone Contrail Kubernetes cluster:
[contrail-controllers] 10.xx.27.16 [contrail-analyticsdb] 10.xx.27.16 [contrail-analytics] 10.xx.27.16 [contrail-kubernetes] 10.xx.27.16 [contrail-compute] 10.xx.23.37
Example: Nested inventory/my-inventory/hosts File in a Nested Contrail Kubernetes Cluster
The following is an example of the inventory/my-inventory/hosts file in a nested Contrail Kubernetes cluster:
[contrail-repo] 10.xx.31.71 [contrail-kubernetes] 10.xx.31.71 [contrail-compute] 10.xx.31.72 [kubernetes-contrail-controllers] 10.xx.29.27 [kubernetes-contrail-analytics] 10.xx.29.27
inventory/my-inventory/group_vars/all.yml Inventory File
This section describes the parameters and provides examples of the inventory/my-inventory/group_vars/all.yml inventory file in stand-alone and nested Contrail Kubernetes clusters.
Table 2 describes the configuration parameters used in the inventory/my-inventory/group_vars/all.yml inventory file.
In Table 2, Cluster Mode is one of the following:
Stand-alone —Applicable only to a stand-alone cluster.
Nested —Applicable only to nested cluster.
Both—Applicable to both stand-alone and nested clusters.
| Parameter | Value | Default | Cluster Mode | Description |
|---|---|---|---|---|
cloud_orchestrator |
Kubernetes |
None |
Both |
Specifies orchestrator type. |
contrail_compute_mode |
container |
bare_metal |
Both |
Specifies if the Contrail components must be run as containers or as processes on a stand-alone server. |
keystone_config |
{ip: <ip>, admin_password: <passwd>, admin_user: <username>, admin_tenant: <tenant-name>} |
None |
Nested |
Keystone authentication information. |
nested_cluster_private_network |
"<cluster-private-CIDR>" |
None |
Nested |
The IP subnet reserved for use by Kubernetes for internal cluster management and housekeeping. The Ansible user is responsible to make sure this CIDR does not collide with existing CIDRs in the virtual-network. |
kubernetes_cluster_name |
<cluster-name> |
k8s-default |
Both |
Name of the Kubernetes cluster being provisioned. |
nested_cluster_network |
{domain: <name>, project: <name>, name: <name>} |
None |
Nested |
Virtual Network in which the Kubernetes cluster must be provisioned. This network must be the same network to which the virtual machines that host the Kubernetes cluster belong. |
kubernetes_access_token |
< token > |
None |
Both |
RBAC token to connect to Kubernetes API server. |
nested_mode |
true |
None |
Nested |
Parameter to enable nested provisioning of a Kubernetes cluster. |
kubernetes_public_fip_pool |
{domain: <id>, project: <id>, network: <id>, name: <id>} |
None |
Both |
Kubernetes FloatingIpPool to be used for service or ingress. |
kubernetes_cluster_project |
{domain: <id>, project: <id>} |
{domain: default-domain, project: default} |
Both |
Fq-name of Contrail project within which Kubernetes cluster must be provisioned. |
kubernetes_pod_subnet |
<CIDR> |
10.32.0.0/12 |
Both |
Pod subnet used by Kubernetes cluster. |
kubernetes_service_subnet |
<CIDR> |
10.96.0.0/12 |
Both |
Service subnet used by Kubernetes cluster. |
kubernetes_api_server |
<IP> |
Contrail Control Node IP |
Both |
Node on which kubernetes-api server is running. |
Example: inventory/my-inventory/group_vars/all.yml File in a Stand-alone Contrail Kubernetes Cluster
The following is an example of the inventory/my-inventory/group_vars/all.yml file in a stand-alone Contrail Kubernetes cluster:
docker_install_method: package
docker_py_pkg_install_method: pip
# ansible connection details
ansible_user: root
ansible_become: true
ansible_ssh_private_key_file: ~/.ssh/id_rsa
contrail_compute_mode: container
os_release: ubuntu14.04
# contrail version
contrail_version: 4.0.0.0-16
cloud_orchestrator: kubernetes
# vrouter physical interface
vrouter_physical_interface: enp6s0f0
# global_config:
analytics_api_config: {aaa_mode: no-auth}
# To configure custom webui http port
webui_config: {http_listen_port: 8085}
# Name of the kubernetes cluster being provisioned.
kubernetes_cluster_name: k8s5
# Access token to connect to Kuberenetes API server.
kubernetes_access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9
zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRl
cy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG
9rZW4tcTUzYmYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3Nlcn
ZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc
2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImVhNzE1YjJkLT
JhYWUtMTFlNy1iZmJmLTAyMWQwOTNhMzRkMSIsInN1YiI6InN5c3RlbTpzZ
XJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.Kj0-NYBopRc8rMsX
4NnKpJa570k2iamPOgCTdj3d93MW20girt4IgdAmR4v4kifQO-h5eYGVlfA3
ftkPuWb5GbHDz9x7BoYc7b759i2cuX3AmtbCl5kNcbGY7_7JPIDkMHwwRj
7FK7Y57eEFTstCxcpR4itqxzsRi7jc0nrrcbDkvlOkDhA93ID4ChPwE2PcsAf_
LV9ds-gSzuyPIQt0qdxnQvI262AjgeNowbQhkYguoqZWJIE--AwpgSE0NiNpjc
xiUx1HC2uaRSP3g9mMr2g4YQHRjxJwuz3fUkaSRNZyQEpyE5G5WKXTefc
7h52R5Kphn2nT9gg6x175mrrnNQ
# Kubernetes API server IP.
kubernetes_api_server: 10.14.27.16
Example: inventory/my-inventory/group_vars/all.yml File in a Nested Contrail Kubernetes Cluster
The following is an example of the inventory/my-inventory/group_vars/all.yml file in a nested Contrail Kubernetes cluster
docker_install_method: package
docker_py_pkg_install_method: pip
# ansible connection details
ansible_user: root
ansible_become: true
ansible_ssh_private_key_file: ~/.ssh/id_rsa
contrail_compute_mode: container
os_release: ubuntu14.04
# contrail version
contrail_version: 4.0.0.0-16
cloud_orchestrator: kubernetes
# vrouter physical interface
vrouter_physical_interface: enp6s0f0
# global_config:
# To configure custom webui http port
webui_config: {http_listen_port: 8085}
keystone_config: {ip: 10.14.29.27, admin_password: c0ntrail123, admin_user: admin, admin_tenant: admin}
###################################################
# Kubernetes cluster configuration
##
# The IP subnet reserved for use by kubernetes for internal cluster management
# and housekeeping.
nested_cluster_private_network: "10.10.10.0/24"
# Name of the kubernetes cluster being provisioned.
kubernetes_cluster_name: k8s5
# Virtual Network in which the Kubernetes cluster should be provisioned.
nested_cluster_network: {domain: default-domain, project: admin, name: 5-k8s-VM-network}
# Access token to connect to Kuberenetes API server.
kubernetes_access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9z
ZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlc
y5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9
rZW4tcTUzYmYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZp
Y2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2V
ydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImVhNzE1YjJkLTJhY
WUtMTFlNy1iZmJmLTAyMWQwOTNhMzRkMSIsInN1YiI6InN5c3RlbTpzZXJ2
aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.Kj0-NYBopRc8rMsX4Nn
KpJa570k2iamPOgCTdj3d93MW20girt4IgdAmR4v4kifQO-h5eYGVlfA3ftkPu
Wb5GbHDz9x7BoYc7b759i2cuX3AmtbCl5kNcbGY7_7JPIDkMHwwRj7FK7Y
57eEFTstCxcpR4itqxzsRi7jc0nrrcbDkvlOkDhA93ID4ChPwE2PcsAf_LV9ds-g
SzuyPIQt0qdxnQvI262AjgeNowbQhkYguoqZWJIE--AwpgSE0NiNpjcxiUx1HC2
uaRSP3g9mMr2g4YQHRjxJwuz3fUkaSRNZyQEpyE5G5WKXTefc7h52R5Kph
n2nT9gg6x175mrrnNQ
# Kubernetes cluster is nested within an Openstack cluster.
nested_mode: true
# Kubernetes API server IP.
kubernetes_api_server: 10.14.27.16