install kubernetes on vsphere 7

Don't you also need the vSphere Kubernetes add-on license? If the example secret YAML is used, update the secret name to use a , the vCenter IP address in the keys of stringData, and the username and password for each key. Next, install kubelet, kubectl and kubeadm. You can also use kubectl on external (non-master) systems by copying the contents of the masters /etc/kubernetes/admin.conf to your local computer's ~/.kube/config file. It is recommended to not take snapshots of CNS node VMs to avoid errors and unpredictable behavior. Right, first things first. This article explains how to get your cluster enabled for the so-called "Workload Management". IF you have followed the previous guidance on how to create the OS template image, this step will have already been implemented. It runs on the master and all worker nodes. # set insecureFlag to true if the vCenter uses a self-signed cert, # kubectl create configmap cloud-config --from-file=vsphere.conf --namespace=kube-system, # kubectl get configmap cloud-config --namespace=kube-system, # kubectl create -f cpi-engineering-secret.yaml, # kubectl get secret cpi-engineering-secret --namespace=kube-system, # kubectl describe nodes | egrep "Taints:|Name:", # kubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-vsphere/master/manifests/controller-manager/cloud-controller-manager-roles.yaml, # kubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-vsphere/master/manifests/controller-manager/cloud-controller-manager-role-bindings.yaml, # kubectl apply -f https://github.com/kubernetes/cloud-provider-vsphere/raw/master/manifests/controller-manager/vsphere-cloud-controller-manager-ds.yaml, # kubectl create -f mongodb-storageclass.yaml, # kubectl create secret generic shared-bootstrap-data --from-file=internal-auth-mongodb-keyfile=key.txt, "/etc/secrets-volume/internal-auth-mongodb-keyfile", # kubectl create -f mongodb-statefulset.yaml, # kubectl exec -it mongod-0 -c mongod-container bash, "mongod-0.mongodb-service.default.svc.cluster.local:27017", "mongod-1.mongodb-service.default.svc.cluster.local:27017", "mongod-2.mongodb-service.default.svc.cluster.local:27017", In-Tree and Out-of-Tree Implementation Models, Deploying the vSphere CPI in a Multi-vCenter OR Multi-Datacenter Environment using Zones, Running a Kubernetes Cluster on vSphere with kubeadm, Deploying a Kubernetes Cluster on vSphere with CSI and CPI, Deploying Kubernetes using kubeadm with the vSphere Cloud Provider (in-tree), these alternative instructions to install a pod overlay network other than flannel, there is a zones/regions tutorial on how to do it here, https://vsphere-csi-driver.sigs.k8s.io/driver-deployment/installation.html, a shared global secret containing all vCenter credentials, or, a secret dedicated for a particular vCenter configuration which takes precedence over anything that might be configured within the global secret, Enter the policy name and description, and click Next. Do not power on the VM. Review your configuration and click FINISH to start the deployment. CSI, CPI and CNS are all now working. The last and final stage is to again select the Proton Kube OVA which we downloaded earlier as the base image for the workers and management virtual machines. With the most common being done on-prem with VMwares vSphere. This must be done in order to run commands on both the Kubernetes master and worker nodes in this guide. The reader will also learn how to deploy the Container Storage Interface and Cloud Provider Interface plugins for vSphere specific operations. Feel free to activate the vCenter license. I'm using my default Management VLAN. Grab the cluster credentials with: Using the command above,copy and paste it into our kubectl command, to set your new context. It's not a big issue, but power consumption in very high for my lab (770W, normally they are at 550W). The following troubleshooting options are available: You can get the same information from DCLI and API Explorer. or separate network adapters). I don't know if it's normal or they have a process misbehaving. The purpose of this guide is to provide the reader with step by step instructions on how to deploy Kubernetes on vSphere infrastructure. For instructions on how to do this, please refer to the guidance provided in this blog post by Myles Gray of VMware. Storage Policies configured (vSAN, LUNs, or NFS are fine but you have to use Storage Policies for all components within Kubernetes). You can also monitor their storage policy compliance status. Additional note: You can reactivate the license when Workload Management has been enabled. The following govc commands will set the disk.EnableUUID=1 on all nodes. Setup steps required on all nodes Cluster domain-c1 must have DRS enabled and set to fully automated to enable vSphere namespaces. To get started with vSphere Integrated Kubernetes, you need the following components: If you do not have 3 ESXi hosts. The extensions archive should have been download already from www.vmware.com/go/get-tkg . In this last part Im also assuming youre using vSAN as it has native support for container volumes. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. Were using the root VM folder, our vSAN datastore and lastly, weve created a separate resource pool called k8s-prod to manage the clusters CPU, storage and memory limits. These should be the minimum versions installed. At this point, you can check if the overlay network is deployed. Upon clicking connect youll see your available data-centers show up. Open the vSphere Client and Navigate to Workload Management and click ENABLE. The VM storage policy you created will be used as a part of storage class definition for dynamic volume provisioning. The instructions use kubeadm, a tool built to provide best-practice fast paths for creating Kubernetes clusters. ESXi Hosts are in a Cluster with HA and DRS (fully automated) enabled. NSX-T is a little bit special as instead of giving you 60-days after every installation, you have to sign up for an evaluation license that runs 60 days after requesting it. Finally, the disk.EnableUUID parameter must be set for each node VMs. Here are the links to the tools and install instructions for other operating systems: The next step is to install the necessary Kubernetes components on the Ubuntu OS virtual machines. The installer should catch up and finish. The example provided here will show how to create a stateful containerized application and use the vSphere Client to access the volumes that back your application. In the vSphere Client, navigate to Developer Center > API Explorer and search for namespace The CPI supports storing vCenter credentials either in: In the example vsphere.conf above, there are two configured Kubernetes secret. The discovery.yaml file must exist in /etc/kubernetes on the nodes. It also deploys the Cloud Controller Manager in a DaemonSet. MongoDB will use this key to communicate with the internal cluster. If you ran into that issue, just gracefully shut down the Edge VM, resize the Virtual Machine (vCenter > Edit Virtual Machine) and reboot it. These images are automatically pulled in when CSI and CPI manifests are deployed. Pay attention to where the steps are carried out, which will be either on the master or the worker nodes. Of course, this repo also needs to contain the Mongo image. Finally, review your configuration and click Deploy management cluster. In that case, 192.168.250.50-192.168.250.54. With the networking configuration, you can use the defaults provided here. With the VMware Tanzu Kubernetes Grid 1.2.0 CLI archive downloaded. On the Review and finish page, review the policy settings, and click Finish. Then simply follow the on screen steps. # govc vm.change -vm '/datacenter/vm/k8s-node1' -e="disk.enableUUID=1", # govc vm.change -vm '/datacenter/vm/k8s-node2' -e="disk.enableUUID=1", # govc vm.change -vm '/datacenter/vm/k8s-node3' -e="disk.enableUUID=1", # govc vm.change -vm '/datacenter/vm/k8s-node4' -e="disk.enableUUID=1", # govc vm.change -vm '/datacenter/vm/k8s-master' -e="disk.enableUUID=1", # govc vm.upgrade -version=15 -vm '/datacenter/vm/k8s-node1', # govc vm.upgrade -version=15 -vm '/datacenter/vm/k8s-node2', # govc vm.upgrade -version=15 -vm '/datacenter/vm/k8s-node3', # govc vm.upgrade -version=15 -vm '/datacenter/vm/k8s-node4', # govc vm.upgrade -version=15 -vm '/datacenter/vm/k8s-master', # govc vm.option.info '/datacenter/vm/k8s-node1' | grep HwVersion, # apt install ca-certificates software-properties-common \, # curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -, # add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable", # apt install docker-ce=18.06.0~ce~3-0~ubuntu -y, # tee /etc/docker/daemon.json >/dev/null </etc/apt/sources.list.d/kubernetes.list, # apt install -qy kubeadm=1.14.2-00 kubelet=1.14.2-00 kubectl=1.14.2-00, # sysctl net.bridge.bridge-nf-call-iptables=1, # tee /etc/kubernetes/kubeadminit.yaml >/dev/null < discovery.yaml, # tee /etc/kubernetes/kubeadminitworker.yaml >/dev/null </dev/null < Configuration > Fabric > Nodes > Host Transport Nodes to verify that all hosts are configured without errors. The discovery.yaml file will need to be copied to /etc/kubernetes/discovery.yaml on each of the worker nodes. This storage class maps to the Space-Efficient VM storage policy that you defined previously on the vSphere Client side. Once the vSphere Cloud Provider Interface is installed, and the nodes are initialized, the taints will be automatically removed from node, and that will allow scheduling of the coreDNS pods. Are you sure? You will now need to login to each of the nodes and copy the discovery.yaml file from /home/ubuntu to /etc/kubernetes. DNS Server: 192.168.250.1 This is useful for switching between multiple clusters: With kubectl connected to our cluster lets create our first namespace to check everything is working correctly. VMware provides a number of helpful extensions to add monitoring, logging and ingress services for web based (HTTP/HTTPS) deployments via contour. The next step is to install packages to allow apt to use a repository over HTTPS. If you are on a vSphere version that is below 6.7 U3, you can either upgrade vSphere to 6.7U3 or follow one of the tutorials for earlier vSphere versions. Subnet Mask: 255.255.255.0 In this step, we will verify that the Cloud Native Storage feature released with vSphere 6.7U3 is working. To setup the Mongo replica set configuration, we need to connect to one of the mongod container processes to configure the replica set. If youre running the latest release of vCenter (7.0.1.00100) you can actually deploy a TKG cluster straight from the Workload Management screen. DCLI Note: If you happen to make an error with the vsphere.conf, simply delete the CPI components and the configMap, make any necessary edits to the configMap vSphere.conf file, and reapply the steps above. Once installed you can run tkg version to check tkg is working and installed into your system PATH. The vCenter at 10.0.0.1 contains credentials in the secret named cpi-engineering-secret in the namespace kube-system and the vCenter at 1.1.1.1 and 192.168.0.1 contains credentials in the secret named cpi-global-secret in the namespace kube-system defined in the global: section. VMware distributes and recommends the following images: In addition, you can use the following images or any of the open source or commercially available container images appropriate for the CSI deployment. Required fields are marked *. The following section details the steps that are needed on both the master and worker nodes. If that happens, reboot/remove/reconfigure might help. As the setup needs to pull down and deploy multiple images for the Docker containers which are used to bootstrap the Tanzu management cluster. This can be done directly from the vSphere web UI. Click on namespace_management/cluster_compatibility > GET > EXECUTE Just be patient, the deployment happens in the background. Once the installation has finished youll now see several VMs within the vSphere web client named something similar too: tkg-mgmt-vsphere-20200927183052-control-plane-6rp25 . For those users deploying CPI versions 1.1.0 or earlier, the corresponding INI based configuration that mirrors the above configuration appears as the following: Create the configmap by running the following command: Verify that the configmap has been successfully created in the kube-system namespace. [y/N]: y. ), 60-day Evaluation (Just Install ESXi/vCenter + Subscribe for NSX-T Evaluation), 3 ESXi Hosts (Intel NUC with USB Network adapters), Management VLAN is for everything: vCenter, ESXi, NSX-Manager, External T-0 Interface, Kubernetes Components (Ingress, Egress, Supervisor Control Plane,), Second VLAN is for Geneve Transport (ESXi+Edge VM), Same Transport VLAN for Edge and Compute Nodes. With the release of vSphere 7.0, the integration of Kubernetes, formerly known as Project Pacific, has been introduced. The following is a sample YAML file that defines the service for the MongoDB application. However, weve created a separate Distributed switch called VM Tanzu Prod which its connected via its own segregated VLAN back into our network. The virtual IP address is the main IP address of the API server that provides the load balancing service aka the ingress server. Notify me of follow-up comments by email. For Virtual Machine CPU and Memory requirements, size adequately based on workload requirements. NTP Server: 192.168.250.1, vSphere Distributed Switch: VDS used for NSX-T If you see compatible clusters, skip the troubleshooting part. From here, you don't see anything for 30-60 minutes. If not, you just see the following screen showing you that something is wrong, but not why. The secret for the vCenter at 10.0.0.1 might look like the following: Then to create the secret, run the following command replacing the name of the YAML file with the one you have used: Verify that the credential secret is successfully created in the kube-system namespace. Your SSH RSA key is usually located within your home directory: If the file doesn't exist or you need to create a new RSA key you can generate one like so: If you change the default filename youll see two files created, once the command has run. This template is cloned to act as base images for your Kubernetes cluster. You may now remove the vsphere.conf file created at /etc/kubernetes/. You can just install ESXi and vCenter without a license to activate a fully-featured 60-day evaluation. On the Storage compatibility page, review the list of vSAN datastores that match this policy and click Next. In other cases, some of the components need only be installed on the master, and in other cases, only the workers. You do not find anything called "Kubernetes" in the vSphere Client. This should be the default, but it is always good practice to check. To make this change simple copy and paste the command below: You can then check your StorageClass has been correctly applied like so: You can also test your StorageClass config is working by creating a quick PersistentVolumeClaim again, copy and paste the command below. Verify the status of docker via the following command: The next step is to install the main Kubernetes components on each of the nodes. Enter your email address to subscribe to this blog and receive notifications of new posts by email. This post will form part of a series of posts on running Zercurity on top of Kubernetes in a production environment. It will also fail when you have more than one T0: debug wcp [opID=5ef66d71] Found VDS [{ID:50 17 46 79 02 f5 f9 cf-ff 1a f9 db b5 50 82 84 Name:DSwitch EdgeClusters:[{ID:adac224c-0e73-40d5-b1ac-bb70540f94d3 Name:edge-cluster1 TransportZoneID:1b3a2f36-bfd1-443e-a0f6-4de01abc963e Tier0s:[tier0-k8s tier0-2] Validated:false Error:Edge cluster adac224c-0e73-40d5-b1ac-bb70540f94d3 has more than one tier0 gateway: tier0-k8s, tier0-prod}] Validated:false Error:No valid edge cluster for VDS 50 17 46 79 02 f5 f9 cf-ff 1a f9 db b5 50 82 84}] for hosts 2269c8be-ea0f-4931-9886-e68a1ab91799, fb1575d6-0c5c-4721-b5be-15b89fbe5606, ff3348b9-ddf9-4e7f-af4e-26732796f99c, c4239575-acd0-4312-9ca3-edce2585722e. You need to copy and paste the contents of your public key (the .pub file). However, for the purposes of this post and to support older versions of ESX (vSphere 6.7u3 and vSphere 7.0) and vCenter were going to be using the TKG client utility which spins up its own simple to use web UI anyway for deploying Kubernetes. Here is the tutorial on deploying Kubernetes with kubeadm, using the VCP - Deploying Kubernetes using kubeadm with the vSphere Cloud Provider (in-tree). However, Id argue these are the primary extensions youre going to want to add. Were using photon-3-v1.17.3_vmware.2.ova . Obviously, you will need to modify this file to reflect your own vSphere configuration. By using our website you agree to our use of cookies. Docker is now installed. Fortunately, as of the most recent release of VMwares vCenter you can easily deploy Kubernetes with VMwares Tanzu Kubernetes Grid (TKG). This section will cover the prerequisites that need to be in place before attempting the deployment. It's up to you if you want to work with a command line or the browser-based API Explorer. If you want to use topology-aware volume provisioning and the late binding feature using zone/region, the node need to discover its topology by connecting to the vCenter, for this every node should be able to communicate to the vCenter. You can copy the discovery.yaml to your local machine with scp. If you have multiple clusters, use the following command to get the id to name mapping: API Explorer The following are some sample manifests that can be used to verify that some provisioning workflows using the vSphere CSI driver are working as expected. The command to install flannel on the master is as follows: Please follow these alternative instructions to install a pod overlay network other than flannel. Note that the tags reference the version of various components. The Tanzu tkg is a binary application used to install, upgrade and manage your Kubernetes cluster on top of VMware vSphere. In the next post well be looking at deploying PostgreSQL into our cluster ready for our instance of Zercurity. Visit the TKG download page. To complete the install, add the docker apt repository. Providing the K8s master node(s) access to the vCenter management interface will be sufficient, given the CPI and CSI pods are deployed on the master node(s). T-0 Gateway with external interface in management VLAN (With internet connectivity). As a vSphere user, you create a VM storage policy based on the requirements provided to you by the Kubernetes user. These should match the kubectl get pvc output from earlier. This deprecation notice will be placed in the CPI logs when using the INI based configuration format. The only issue I see is that the 3 Control Plane VMs have ~25% (1 core) at full load all the time. First, the Kubernetes repository needs to be added to apt. Id recommend applying the following extensions. Easy fix. The Service provides a networking endpoint for the application. vSphere 6.7U3 (or later) is a prerequisite for using CSI and CPI at the time of writing. For testing, it's fine to use the management for everything. This is because the master node has taints that the coredns pods cannot tolerate. Part 2 - Harbor, Namespaces and K8S Components, Part 5 - Create and Deploy Private Images, VMware vSphere 6.0 Configuration Maximums, Getting Started with the Free Log Insight for vCenter, Getting Started with Ruby vSphere Console (RVC), VMware NSX-V 6.2 Beginners Guide - From Zero to Full Deployment for Labs, Guide to Install Photon in VMware Workstation and Deploy a Container, 1x NSX-T Edge Appliance (Large Deployment! For more information about VMTools including installation, please visit the official documentation. Scroll down to see the response: Cluster domain-c1 does not have HA enabled. This category only includes cookies that ensures basic functionalities and security features of the website. The following example applies the RBAC roles and the RBAC bindings to your Kubernetes cluster. Open vSphere Client and navigate to Administration > Licensing > Licenses > Assets > Hosts, select your ESXi Hosts, click "Assign License" and set it back to Evaluation Mode. You many also choose to configure a dedicated network and or resource pool for your k8s cluster. Learn how your comment data is processed. Troubleshooting VMware also recommend that virtual machines use the VMware Paravirtual SCSI controller for Primary Disk on the Node VM. Congratulations, youve now got a Kubernetes cluster up and running on top of your VMware cluster. NOTE: As of CPI version 1.2.0 or higher, the preferred cloud-config format will be YAML based. Do you know if is the only way to route Control Plane with VCD? Service CIDRs: 10.96.0.0/24 (Default Value) The following sample specification requests one instance of the MongoDB application, specifies the external image to be used, and references the mongodb-sc storage class that you created earlier. If youve got stuck or have a few suggestions for us to add dont hesitate to get in touch via our website or leave a comment below. Your email address will not be published. This may change going forward, and the documentation will be updated to reflect any changes in this support statement. The following setups are using Ubuntu Linux. This is a prerequisite for kubeadm. All IP addresses, except Pod and Service Networks, can be in the same subnet. First, create secret for the key file. For production, VCF is the only (supported) option at the moment. For the purposes of this demonstration we will name it, On the Policy structure page under Datastore-specific rules, select, On the vSAN page, we will keep the defaults for this policy, which is.