×
Community Blog Use CLI to Install an ACK Registered Cluster

Use CLI to Install an ACK Registered Cluster

This article explains how to use CLI to install an ACK registered cluster (with examples and FAQs).

By Liusheng

1. Precondition

  • A registered cluster is created and connected to a self-managed Kubernetes cluster. The cluster is in the running state.

2. Install onectl

MacOS and Linux systems are supported:

curl https://ack-one.oss-cn-hangzhou.aliyuncs.com/onectl/get-onectl.sh |bash

Verify onectl:

onectl version

Expected output:

onectl: v1.0.0+435cb69
  BuildDate: 2023-02-16T07:55:15Z
  GitCommit: 435cb69c9efdf369f036e3f5864c07ae871a793d
  GitTreeState: clean
  GoVersion: go1.18.9
  Compiler: gc
Platform: linux/amd64

3. Configure onectl

Usage Notes

Let’s take using onectl to install logtail-ds addon as an example. The AccessKey pair (AK) used in this step performs the following operations.

  • Check whether the RAM user has the ram:GetPolicy permission, which is required by logtail-ds. The RAM policy that provides this permission is named externalK8sPolicy-logtail-ds. If the policy does not exist, create the policy (ram:CreatePolicy) and add the policy to the RAM account (ram:AttachPolicyToUser).
  • Use this AccessKey pair to create a secret in the ACK registered cluster. The logtail-ds addon will mount the secret and use the AccessKey pair to access the Log Service resources.

We recommend using a RAM user and creating an AccessKey pair for an ACK registered cluster. You need to apply for a RAM user from the account administrator and complete the following operations for the RAM user:

  • Generate an AccessKey pair for a RAM user
  • Grant the following RAM permissions to a RAM user

The following operations are performed by the account administrator:

(1) onectl mode:

onectl  subuser create --name <subaccount_name> --main-access-key <main_access_key> --main-access-secret <main_access_secret>

Expected output:

Successfully create subuser account:
name: xxxx
new accessKeyId: xxxx
new accessKeySecret: xxxx

If you only need to authorize a RAM policy for a specified RAM account, you can execute the following statements:

onectl  subuser grant --name <subaccount_name> --new-ak=false --main-access-key <main_access_key> --main-access-secret <main_access_secret>

Expected output:

Successfully grant init ram policy subuser account
granted rampolicy name: externalK8sPolicy-init

(2) Console mode:

1.  Create a RAM user. Please see Create a RAM user for more information.

2.  Create an AccessKey pair for the RAM user. Please see Obtain an AccessKey pair for more information.

3.  Create a custom policy named externalK8sPolicy-tmp. The following template shows an example of the policy content. Please see Create a Custom Policy for more information.

{
  "Statement": [
    {
      "Action": [
        "cs:InstallClusterAddons"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/*"
      ]
    },
    {
      "Action": [
        "ram:GetPolicy",
        "ram:CreatePolicy",
        "ram:AttachPolicyToUser"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "Version": "1"
}

4.  Attach a custom RAM policy to the RAM user. Please see Grant permissions to a RAM user for more information.

Success Message

Use the RAM account and AccessKey pair information generated by the master account administrator to configure the following configurations:

onectl configure

Expected output:

Configuring profile 'default' ...
Access Key Id [xxxxxxxx]: 
Access Key Secret [xxxxxxxx]: 
Default SubAccount Username [xxxx]: 
Default Cluster Id (ClusterId of ACK Registry Cluster) [xxxxxxxxxxxxxxxx]: 
Default Kubeconfig Path (default is ~/.kube/config) []: 
Saving profile[default] ...
Done.
  • AccessKey Pair Information: onectl uses AK for two purposes:

(1) Use the AccessKey pair to call OpenAPI to query and create custom RAM policies, grant custom policies to RAM users, and install the ACK addon component.

(2) Configure the AccessKey pair for the ACK Addon component, enabling the ACK addon component to use the AccessKey pair to access cloud resources. Please ensure the AccessKey pair of the RAM user uses the minimum RAM permissions and keeps the AccessKey pair properly.

  • SubAccount Username: The username of the RAM user. In the following figure, the username of the RAM user is shuwei.

1

  • Cluster ID: The ID of the registered cluster
  • Kubeconfig Path: The kubeconfig path of the user-created cluster. Default value: ~/.kube/config

4. Use onectl to Install the Addon Plug-In

Example: Install the logtail-ds plug-in:

onectl addon install logtail-ds

Expected output:

Addon logtail-ds installed

5. Use onectl to Perform a Precheck before Creating a Node Pool

Perform a Precheck before Creating a Node Pool

onectl nodepool check

Expected output:

Have you add nodeaffinity to avoid your network plug-in running one ecs node? [y/n]
y
Is connected with intranet............... true
Is customized node init script added..... true
Is nodeaffinity added.................... true
Is terway addon installed................ true
nodepool check passed. [help doc: ]

Perform a Precheck before Creating a Node Pool That Has Auto Scaling Enabled

onectl nodepool check --enable-autoscaler=true

Expected output:

Have you add nodeaffinity to avoid your network plug-in running one ecs node? [y/n]
y
Is connected with intranet............... true
Is customized node init script added..... true
Is nodeaffinity added.................... true
Is terway addon installed................ true
Is autoscaler addon installed............ true
nodepool check passed. [help doc: ]

After all precheck items are passed, you can create the node pool.

FAQ

What Operations Does onectl Perform in the Background When I Use onectl to Install the Addon?

Prerequisites

The user has configured the AccessKey pair, RAM username, registered cluster ID, and kubeconfig path information of the current cluster using onectl configure.

Action

It checks whether a custom RAM policy named externalK8sPolicy-logtail-ds is created using the current RAM user. If no policy named externalK8sPolicy-logtail-ds is found, you must create a policy named externalK8sPolicy-logtail-ds and attach the policy to the current RAM user.

(2) Use the user-configured AccessKey pair to create a Secret kube-system/alibaba-addon-secret

(3) Call the OpenAPI to install the logtail-ds plug-in

What Do I Do If My Cluster Fails to Pass the Precheck before I Create a Node Pool?

(1) Is It Connected with the Intranet............... False

You must use the Internet proxy configuration of the registered cluster to connect to the self-managed cluster. Please make sure the on-cloud and off-cloud networks are interconnected before using the proxy configuration.

Reference Document: https://www.alibabacloud.com/help/en/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/overview-of-hybrid-networks

(2) Is the Customized Node init Script Added..... False

The initialization method and version of a Kubernetes cluster must be consistent. Therefore, when adding Elastic Compute Service (ECS) instances to a node pool in the registered cluster, you must create a custom node initialization script first. The content of the node initialization script must be consistent with the node initialization method of your IDC cluster. On this basis, configure the ALIBABA_CLOUD_LABELS and ALIBABA_CLOUD_NODE_NAME environment variables issued by the registered cluster. (These variables will be assigned during ECS initialization.)

Reference Document: https://www.alibabacloud.com/help/en/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/create-a-script-to-add-cluster-nodes

(3) Is nodeaffinity Added.................... False

If you want to add ECS instances to the registered cluster, make sure the nodes in the external cluster only run the network plug-in used by the external cluster and the nodes in the registered cluster only run the Terway network plug-in. ECS instances added to the node pools in the registered cluster are labeled with alibabacloud.com/external=true. Configure the nodeAffinity parameter in the configuration of the network plug-in used by the external cluster to prevent scheduling the network plug-in to ECS instances in the registered cluster.

Reference Document: https://www.alibabacloud.com/help/en/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/deploy-and-configure-terway#section-jo1-b9e-q7v

(4) Is the Terway Addon Installed................ False

The nodes in the external cluster must run the network plug-in used by the external cluster, and the nodes in the registered cluster must run the Terway network plug-in. Before adding ECS instances to the node pools in the registered cluster, make sure Terway is installed in the registered cluster and runs as expected. You can run the onectl addon install terway-eniip command to install and configure Terway.

(5) Is the autoscaler Addon Installed............ false

If you want to enable auto scaling for node pools in the registered cluster, make sure the autoscaler component is installed in the registered cluster and runs as expected. You can run the onectl addon install autoscaler command to install and configure autoscaler.

0 1 0
Share on

Alibaba Container Service

121 posts | 26 followers

You may also like

Comments

Alibaba Container Service

121 posts | 26 followers

Related Products