Quick Start
This guide provides copy-and-paste instructions to try out Admiralty Open Source. We use kind (Kubernetes in Docker) to create Kubernetes clusters, but feel free to use something else—though don't just copy and paste instructions then.
Example Use Case
We're going to model a centralized cluster topology made of a management cluster (named cd) where applications are
deployed, and two workload clusters (named us and eu) where containers actually run. We'll deploy a batch job
utilizing both workload clusters, and another targeting a specific region. If you're interested in
other topologies or other kinds of applications (e.g., micro-services), this guide is still
helpful to get familiar with Admiralty in general.
- Global batch
- Regional batch
Prerequisites
We recommend you to use a separate kubeconfig for this exercise, so you can simply delete it when you're done:
export KUBECONFIG=kubeconfig-admiralty-getting-startedCreate three clusters (a management cluster named
cdand two workload clusters namedusandeu):for CLUSTER_NAME in cd us eudokind create cluster --name $CLUSTER_NAMEdoneLabel the workload cluster nodes as if they were in different regions (we'll use these labels as node selectors):
for CLUSTER_NAME in us eudokubectl --context kind-$CLUSTER_NAME label nodes --all topology.kubernetes.io/region=$CLUSTER_NAMEdonetip
Most cloud distributions of Kubernetes pre-label nodes with the names of their cloud regions.
(optional speed-up) Pull images on your machine and load them into the kind clusters. Otherwise, each kind cluster would pull images, which could take three times as long.
images=(# cert-manager dependencyquay.io/jetstack/cert-manager-controller:v1.7.1quay.io/jetstack/cert-manager-webhook:v1.7.1quay.io/jetstack/cert-manager-cainjector:v1.7.1quay.io/jetstack/cert-manager-ctl:v1.7.1# admiralty open sourcequay.io/admiralty/multicluster-scheduler-agent:0.15.1quay.io/admiralty/multicluster-scheduler-scheduler:0.15.1quay.io/admiralty/multicluster-scheduler-remove-finalizers:0.15.1quay.io/admiralty/multicluster-scheduler-restarter:0.15.1)for image in "${images[@]}"dodocker pull $imagefor CLUSTER_NAME in cd us eudokind load docker-image $image --name $CLUSTER_NAMEdonedoneInstall cert-manager in each cluster:
helm repo add jetstack https://charts.jetstack.iohelm repo updatefor CLUSTER_NAME in cd us eudohelm install cert-manager jetstack/cert-manager \--kube-context kind-$CLUSTER_NAME \--namespace cert-manager --create-namespace \--version v1.7.1 --set installCRDs=true \--wait --debug# --wait to ensure release is ready before next steps# --debug to show progress, for lack of a better way,# as this may take a few minutesdonenote
Admiralty Open Source uses cert-manager to generate a server certificate for its mutating pod admission webhook.
Installation
Install Admiralty in each cluster:
Configuration
Cross-Cluster Authentication
Install jq, the command-line JSON processor, if not already installed.
For each workload cluster,
- create a Kubernetes service account in the workload cluster for the management cluster,
- extract its default token,
- get a Kubernetes API address that is routable from the management cluster—here, the IP address of the kind workload cluster's only (master) node container in your machine's shared Docker network,
- prepare a kubeconfig using the token and address found above, and the server certificate from your kubeconfig (luckily also valid for this address, not just the address in your kubeconfig),
- save the prepared kubeconfig in a secret in the management cluster:
for CLUSTER_NAME in us eudo# i.kubectl --context kind-$CLUSTER_NAME create serviceaccount cd# ii.SECRET_NAME=$(kubectl --context kind-$CLUSTER_NAME get serviceaccount cd \--output json | \jq -r '.secrets[0].name')TOKEN=$(kubectl --context kind-$CLUSTER_NAME get secret $SECRET_NAME \--output json | \jq -r '.data.token' | \base64 --decode)# iii.IP=$(docker inspect $CLUSTER_NAME-control-plane \--format "{{ .NetworkSettings.Networks.kind.IPAddress }}")# iv.CONFIG=$(kubectl --context kind-$CLUSTER_NAME config view \--minify --raw --output json | \jq '.users[0].user={token:"'$TOKEN'"} | .clusters[0].cluster.server="https://'$IP':6443"')# v.kubectl --context kind-cd create secret generic $CLUSTER_NAME \--from-literal=config="$CONFIG"doneSecurity Notice
Kubernetes service account tokens exposed as secrets are valid forever, or until those secrets are deleted. A leak may go undetected indefinitely. If you use Kubernetes service account tokens as a cross-cluster authentication method in production, we recommend rotating the tokens as often as practical. However, there are other methods, including using Admiralty Cloud.
Other Platforms
If you're not using kind, your mileage may vary. The Kubernetes API address in your kubeconfig may or may not be routable from other clusters. If not, the server certificate in your kubeconfig may or may not be valid for the routable address that you'll find instead.
Multi-Cluster Scheduling
In the management cluster, create a Target for each workload cluster:
for CLUSTER_NAME in us eudocat <<EOF | kubectl --context kind-cd apply -f -apiVersion: multicluster.admiralty.io/v1alpha1kind: Targetmetadata:name: $CLUSTER_NAMEspec:kubeconfigSecret:name: $CLUSTER_NAMEEOFdoneIn the workload clusters, create a Source for the management cluster:
for CLUSTER_NAME in us eudocat <<EOF | kubectl --context kind-$CLUSTER_NAME apply -f -apiVersion: multicluster.admiralty.io/v1alpha1kind: Sourcemetadata:name: cdspec:serviceAccountName: cdEOFdone
Demo
Check that virtual nodes have been created in the management cluster to represent workload clusters:
kubectl --context kind-cd get nodes --watch# --watch until virtual nodes are created,# this may take a few minutes, then control-CLabel the
defaultnamespace in the management cluster to enable multi-cluster scheduling at the namespace level:kubectl --context kind-cd label ns default multicluster-scheduler=enabledCreate Kubernetes Jobs in the management cluster, utilizing all workload clusters (multi-cluster scheduling is enabled at the pod level with the
multicluster.admiralty.io/electannotation):for i in $(seq 1 10)docat <<EOF | kubectl --context kind-cd apply -f -apiVersion: batch/v1kind: Jobmetadata:name: global-$ispec:template:metadata:annotations:multicluster.admiralty.io/elect: ""spec:containers:- name: cimage: busyboxcommand: ["sh", "-c", "echo Processing item $i && sleep 5"]resources:requests:cpu: 100mrestartPolicy: NeverEOFdoneCheck that proxy pods for this job have been created in the management cluster, "running" on virtual nodes, and delegate pods have been created in the workload clusters, actually running their containers on real nodes:
while truedoclearfor CLUSTER_NAME in cd us eudokubectl --context kind-$CLUSTER_NAME get pods -o widedonesleep 2done# control-C when all pods have CompletedCreate Kubernetes Jobs in the management cluster, targeting a specific region with a node selector:
for i in $(seq 1 10)docat <<EOF | kubectl --context kind-cd apply -f -apiVersion: batch/v1kind: Jobmetadata:name: eu-$ispec:template:metadata:annotations:multicluster.admiralty.io/elect: ""spec:nodeSelector:topology.kubernetes.io/region: eucontainers:- name: cimage: busyboxcommand: ["sh", "-c", "echo Processing item $i && sleep 5"]resources:requests:cpu: 100mrestartPolicy: NeverEOFdoneCheck that proxy pods for this job have been created in the management cluster, and delegate pods have been created in the
eucluster only:while truedoclearfor CLUSTER_NAME in cd us eudokubectl --context kind-$CLUSTER_NAME get pods -o widedonesleep 2done# control-C when all pods have CompletedYou may observe transient pending candidate pods in the
uscluster.