Deckhouse Kubernetes Platform in Yandex Cloud

1
Selecting infrastructure
2
Installation information
3
Preparing environment
4
Installation
5
Getting access to the cluster
6
What can I do next?

Accessing to the master node

Deckhouse have finished installation process. It remains to make some settings, for which you need to connect to the master node.

Connect to the master node via SSH (the IP address of the master node was printed by the installer upon completion of the installation, but you can also find it using the cloud provider web interface/CLI tool):

ssh ubuntu@<MASTER_IP>

Check the kubectl is working by displaying a list of cluster nodes:

sudo -i d8 k get nodes

Example of the output...

$ sudo -i d8 k get nodes
NAME                                     STATUS   ROLES                  AGE   VERSION
cloud-demo-master-0                      Ready    control-plane,master   12h   v1.23.9
cloud-demo-worker-01a5df48-84549-jwxwm   Ready    worker                 12h   v1.23.9

It may take some time to start the Ingress controller after installing Deckhouse. Make sure that the Ingress controller has started before continuing:

sudo -i d8 k -n d8-ingress-nginx get po

Wait for the Pods to switch to Ready state.

Example of the output...

$ sudo -i d8 k -n d8-ingress-nginx get po
NAME                                       READY   STATUS    RESTARTS   AGE
controller-nginx-r6hxc                     3/3     Running   0          16h
kruise-controller-manager-78786f57-82wph   3/3     Running   0          16h

Also wait for the load balancer to be ready:

sudo -i d8 k -n d8-ingress-nginx get svc nginx-load-balancer

The EXTERNAL-IP value must be filled with a public IP address or DNS name.

Example of the output...

$ sudo -i d8 k -n d8-ingress-nginx get svc nginx-load-balancer
NAME                  TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
nginx-load-balancer   LoadBalancer   10.222.91.204   1.2.3.4         80:30493/TCP,443:30618/TCP   1m

DNS

To access the web interfaces of Deckhouse services, you need to:

The DNS names template is used to configure Ingress resources of system applications. For example, the name grafana is assigned to the Grafana interface. Then, for the template %s.kube.company.my Grafana will be available at grafana.kube.company.my, etc.

The guide will use sslip.io to simplify configuration.

Run the following command on the master node to get the load balancer IP and to configure template for DNS names to use the sslip.io:

BALANCER_IP=$(sudo -i d8 k -n d8-ingress-nginx get svc nginx-load-balancer -o json | jq -r '.status.loadBalancer.ingress[0].ip') && \
echo "Balancer IP is '${BALANCER_IP}'." && sudo -i d8 k patch mc global --type merge \
  -p "{\"spec\": {\"settings\":{\"modules\":{\"publicDomainTemplate\":\"%s.${BALANCER_IP}.sslip.io\"}}}}" && echo && \
echo "Domain template is '$(sudo -i d8 k get mc global -o=jsonpath='{.spec.settings.modules.publicDomainTemplate}')'."

The command will also print the DNS name template set in the cluster. Example output:

Balancer IP is '1.2.3.4'.
moduleconfig.deckhouse.io/global patched

Domain template is '%s.1.2.3.4.sslip.io'.

Regenerating certificates after changing the DNS name template can take up to 5 minutes.

Other options...

Instead of using sslip.io, you can use other options.

  • If you have the DNS server and you can add a DNS records:
    • If your cluster DNS name template is a wildcard DNS (e.g., %s.kube.company.my), then add a corresponding wildcard A record containing the IP of the load balancer. To get the load balancer IP: 
      sudo /opt/deckhouse/bin/kubectl -n d8-ingress-nginx get svc nginx-load-balancer -o json | jq -r '.status.loadBalancer.ingress[0].ip'
    • If your cluster DNS name template is NOT a wildcard DNS template (e.g., %s-kube.company.my), then add A or CNAME recordscontaining the IP of the load balancer, for the following DNS names according to the Deckhouse DNS templates:
      • api
      • argocd
      • dashboard
      • documentation
      • dex
      • grafana
      • hubble
      • istio
      • istio-api-proxy
      • kubeconfig
      • openvpn-admin
      • prometheus
      • status
      • upmeter

      To get the load balancer IP: 

      sudo /opt/deckhouse/bin/kubectl -n d8-ingress-nginx get svc nginx-load-balancer -o json | jq -r '.status.loadBalancer.ingress[0].ip'

  • If you don't have a DNS server, then on the computer from which you need access to Deckhouse services add static records to the file /etc/hosts (for Linux, or %SystemRoot%\system32\drivers\etc\hosts for Windows).

    Make the following steps to add records to the /etc/hosts file on Linux, from which you need access to Deckhouse services (the PC)

    • [On the PC] Specify the DNS name template used in the DOMAIN_TEMPLATE variable (e.g., %s.kube.company.my): 

      DOMAIN_TEMPLATE='<DOMAIN_TEMPLATE>'

    • [On the master node] Get the IP of the load balancer: 

      BALANCER_IP=$(sudo /opt/deckhouse/bin/kubectl -n d8-ingress-nginx get svc nginx-load-balancer -o json | jq -r '.status.loadBalancer.ingress[0].ip') && \

    • [On the PC] Specify the load balancer IP used in the BALANCER_IP variable: 

      BALANCER_IP='<BALANCER_IP>'

    • [On the PC] Add records to the /etc/hosts file:

      for i in api argocd dashboard documentation dex grafana hubble istio istio-api-proxy kubeconfig openvpn-admin prometheus status upmeter; do echo "${BALANCER_IP}  ${DOMAIN_TEMPLATE} "| sed "s/%s/$i/"; done  | sudo bash -c "cat >>/etc/hosts"

Then, run the following command on the master node (specify the template for DNS names to use in the DOMAIN_TEMPLATE variable):

DOMAIN_TEMPLATE='<DOMAIN_TEMPLATE>'
sudo -i d8 k patch mc global --type merge -p "{\"spec\": {\"settings\":{\"modules\":{\"publicDomainTemplate\":\"${DOMAIN_TEMPLATE}\"}}}}"

Configure remote access to the cluster

On a personal computer follow these steps to configure the connection of kubectl to the cluster:

  • Open Kubeconfig Generator web interface. The name kubeconfig is reserved for it, and the address for access is formed according to the DNS names template (which you set up erlier). For example, for the DNS name template %s.1.2.3.4.sslip.io, the Kubeconfig Generator web interface will be available at https://kubeconfig.1.2.3.4.sslip.io.
  • Log in as a user admin@deckhouse.io. The user password generated in the previous step is <GENERATED_PASSWORD> (you can also find it in the User CustomResource in the config.yml file).
  • Select the tab with the OS of the personal computer.
  • Sequentially copy and execute the commands given on the page.
  • Check that kubectl connects to the cluster (for example, execute the command kubectl get no).
Go back Next: What can I do next?