Table of Contents generated with DocToc
KubeFed can be deployed to and manage GKE clusters running
Kubernetes v1.13 or greater. The following example deploys two GKE clusters named cluster1 and cluster2.
export GKE_VERSION=1.11.2-gke.15
export ZONE=$(gcloud config get-value compute/zone)
gcloud container clusters create cluster1 --zone $ZONE --cluster-version $GKE_VERSION
gcloud container clusters create cluster2 --zone $ZONE --cluster-version $GKE_VERSIONIf you are following along with the KubeFed User Guide, change the cluster context names:
export GCP_PROJECT=$(gcloud config list --format='value(core.project)')
kubectl config rename-context gke_${GCP_PROJECT}_${ZONE}_cluster1 cluster1
kubectl config rename-context gke_${GCP_PROJECT}_${ZONE}_cluster2 cluster2Before proceeding with the KubeFed deployment, you must complete the steps outlined in this document.
You can expect the following error when deploying KubeFed to Google Kubernetes Engine (GKE) v1.6 or later:
<....>
Error from server (Forbidden): error when creating "hack/install-latest.yaml": clusterroles.rbac.authorization.k8s.io
"kubefed-role" is forbidden: attempt to grant extra privileges:
<....>
This is due to how GKE verifies permissions. From Google Kubernetes Engine docs:
Because of the way GKE checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create. An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions. This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.
To workaround this issue, you must grant your current Google Cloud Identity the cluster-admin role for each cluster
registered with KubeFed:
kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account) --context cluster1
kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account) --context cluster2Once all pods are running you can return to the User Guide to deploy the KubeFed control-plane.
Admission control in GKE private clusters requires an additional VPC network firewall rule.
The kubefed-controller-manager pod fails to start up when attempting to create
a KubeFedConfig resource. A timeout error is observed.
Error updating KubeFedConfig "kube-federation-system/kubefed": Timeout: request did not complete within requested timeout 30s
The GKE Kubernetes control plane is deployed in a Google-managed account.
During the provisioning of a private cluster, GKE automatically creates:
- A network peering connection to allow the master to communicate to the node pools.
- A firewall rule to allow ports 443 and 10250 from the master to the node pools.
The GKE API Server operates with --enable-aggregator-routing=true.
This means that the Service IPs are internally translated to endpoint IPs and
routed to the relevant pods.
A number of webhook configurations are deployed
during the kubfed helm installation, alongside the kubefed-admission-webhook
application. Every time a validated kubefed object is created or updated,
the webhook causes the API server to query the kubefed-admission-webhook service.
Because of the enable-aggregator-routing being turned on, the request is
directed from the API server to the pod running the kubefed-admission-webhook
application directly, on port 8443. This traffic needs to be allowed through the
GCP firewall in order for the webhook query to succeed.
Create a VPC network firewall rule to allow traffic from your master's source IP range to the node pools. An example gcloud command is provided below.
CLUSTER_NAME=my_gke_private_cluster
CLUSTER_REGION=europe-west3-a
VPC_NETWORK=$(gcloud container clusters describe $CLUSTER_NAME --region $CLUSTER_REGION --format='value(network)')
MASTER_IPV4_CIDR_BLOCK=$(gcloud container clusters describe $CLUSTER_NAME --region $CLUSTER_REGION --format='value(privateClusterConfig.masterIpv4CidrBlock)')
NODE_POOLS_TARGET_TAGS=$(gcloud container clusters describe $CLUSTER_NAME --region $CLUSTER_REGION --format='value[terminator=","](nodePools.config.tags)' --flatten='nodePools[].config.tags[]')
gcloud compute firewall-rules create "allow-apiserver-to-admission-webhook-8443" \
--allow tcp:8443 \
--network="$VPC_NETWORK" \
--source-ranges="$MASTER_IPV4_CIDR_BLOCK" \
--target-tags="$NODE_POOLS_TARGET_TAGS" \
--description="Allow apiserver access to admission webhook pod on port 8443" \
--direction INGRESS