2 Using the Oracle Cloud Infrastructure Load Balancer
Important:
The software described in this documentation is either in Extended Support or Sustaining Support. See Oracle Open Source Support Policies for more information.
We recommend that you upgrade the software described by this documentation as soon as possible.
This chapter discusses how to install and use the Oracle Cloud Infrastructure Cloud Controller Manager module to set up a load balancer for Kubernetes applications in Oracle Cloud Native Environment on Oracle Cloud Infrastructure instances.
Prerequisites
This section contains the prerequisite information you need to set up the Oracle Cloud Infrastructure Cloud Controller Manager module.
Setting up the Health Check Endpoint Network Ports
When using a Kubernetes LoadBalancer service with the
ServiceInternalTrafficPolicy
set to Cluster
(the default), a health check endpoint is expected to be available on TCP port
10256. kube-proxy
creates a listener on this port, which enables
access to the LoadBalancer service to verify that kube-proxy
is
healthy on the nodes. The LoadBalancer service determines which nodes can have
traffic routed to them using this policy. To allow traffic on this port, you must
open TCP port 10256 on all Kubernetes nodes. On each Kubernetes node, run:
sudo firewall-cmd --zone=public --add-port=10256/tcp
sudo firewall-cmd --zone=public --add-port=10256/tcp --permanent
sudo systemctl restart firewalld.service
For more information on the
ServiceInternalTrafficPolicy
, see the upstream documentation
at:
https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/
Make sure traffic is allowed for TCP port 10256 in the network security list.
Gather Oracle Cloud Infrastructure Identifiers
Gather information about your Oracle Cloud Infrastructure environment. The most common information you need is:
-
The identifier for the region.
-
The OCID for the tenancy.
-
The OCID for the compartment.
-
The OCID for the user.
-
The public key fingerprint for the API signing key pair.
-
The private key file for the API signing key pair. The private key must be copied to the primary control plane node. This is the first control plane node listed in the
--master-nodes
option when you create the Kubernetes module. - The OCID for the Virtual Cloud Network (VCN).
- The OCIDs for two subnets in the VCN for high availability if required.
- The quota to use for the load balancers.
- The shape to use for the load balancers.
For information on finding each of these identifiers or components, see the Oracle Cloud Infrastructure documentation.
Deploying the Oracle Cloud Infrastructure Cloud Controller Manager Module
If you have already installed the Oracle Cloud Infrastructure Cloud Controller Manager module to make use of Oracle Cloud Infrastructure storage, you do not need to create another module to provision application load balancers. The Oracle Cloud Infrastructure Cloud Controller Manager module is used to provision both Oracle Cloud Infrastructure storage and load balancers.
You can deploy all the modules required to set up a Oracle Cloud Infrastructure load balancer for a Kubernetes
cluster using a single olcnectl module create
command. This method might be
useful if you want to deploy the Oracle Cloud Infrastructure Cloud Controller Manager module at the same time as deploying a
Kubernetes cluster.
If you have an existing deployment of the Kubernetes module, you can specify that instance when deploying the Oracle Cloud Infrastructure Cloud Controller Manager module.
This section guides you through installing each component required to deploy the Oracle Cloud Infrastructure Cloud Controller Manager module .
For the full list of the Platform CLI command options available when creating modules, see
the olcnectl module create
command in Platform Command-Line Interface.
To deploy the Oracle Cloud Infrastructure Cloud Controller Manager module:
-
If you do not already have an environment set up, create one into which the modules can be deployed. For information on setting up an environment, see Getting Started. The name of the environment in this example is
myenvironment
. -
If you do not already have a Kubernetes module set up or deployed, set one up.
For information on adding a Kubernetes module to an environment, see Container Orchestration. The name of the Kubernetes module in this example is
mycluster
. -
If you do not already have a Helm module created and installed, create one. The Helm module in this example is named
myhelm
and is associated with the Kubernetes module namedmycluster
using the--helm-kubernetes-module
option.olcnectl module create \ --environment-name myenvironment \ --module helm \ --name myhelm \ --helm-kubernetes-module mycluster
-
If you are deploying a new Helm module, use the
olcnectl module validate
command to validate the Helm module can be deployed to the nodes. For example:olcnectl module validate \ --environment-name myenvironment \ --name myhelm
-
If you are deploying a new Helm module, use the
olcnectl module install
command to install the Helm module. For example:olcnectl module install \ --environment-name myenvironment \ --name myhelm
The Helm software packages are installed on the control plane nodes, and the Helm module is deployed into the Kubernetes cluster.
-
Create an Oracle Cloud Infrastructure Cloud Controller Manager module and associate it with the Helm module named
myhelm
using the--oci-ccm-helm-module
option. In this example, the Oracle Cloud Infrastructure Cloud Controller Manager module is namedmyoci
.olcnectl module create \ --environment-name myenvironment \ --module oci-ccm \ --name myoci \ --oci-ccm-helm-module myhelm \ --oci-region us-ashburn-1 \ --oci-tenancy ocid1.tenancy.oc1..unique_ID \ --oci-compartment ocid1.compartment.oc1..unique_ID \ --oci-user ocid1.user.oc1..unique_ID \ --oci-fingerprint b5:52:... \ --oci-private-key /home/opc/.oci/oci_api_key.pem \ --oci-vcn ocid1.vcn.oc1..unique_ID \ --oci-lb-subnet1 ocid1.subnet.oc1..unique_ID
The
--module
option sets the module type to create, which isoci-ccm
. You define the name of the Oracle Cloud Infrastructure Cloud Controller Manager module using the--name
option, which in this case ismyoci
.The
--oci-ccm-helm-module
option sets the name of the Helm module. If there is an existing Helm module with the same name, the Platform API Server uses that instance of Helm.The
--oci-region
option sets the Oracle Cloud Infrastructure region to use. The region in this example isus-ashburn-1
.The
--oci-tenancy
option sets the OCID for your tenancy.The
--oci-compartment
option sets the OCID for your compartment.The
--oci-user
option sets the OCID for the user.The
--oci-fingerprint
option sets the fingerprint for the public key for the Oracle Cloud Infrastructure API signing key.The
--oci-private-key
option sets the location of the private key for the Oracle Cloud Infrastructure API signing key. The private key must be available on the primary control plane node.The
--oci-vcn
option sets the OCID for the VCN on which to create load balancers.The
--oci-lb-subnet1
option sets the OCID for the VCN subnet on which to create load balancers.If you want to set up high availability for the load balancer, you should provide a second subnet on a different availability domain using the--oci-lb-subnet2
option. For example:--oci-lb-subnet2 ocid1.subnet.oc1..unique_ID \
Tip:
If you have an existing Oracle Cloud Infrastructure Cloud Controller Manager module used for Oracle Cloud Infrastructure storage, you can update it to include this networking information using the
olcnectl module update
command. This configures the module to provision load balancers. For example:olcnectl module update \ --environment-name myenvironment \ --name myoci \ --oci-vcn ocid1.vcn.oc1..unique_ID \ --oci-lb-subnet1 ocid1.subnet.oc1..unique_ID \ --oci-lb-subnet2 ocid1.subnet.oc1..unique_ID
If you do not include all the required options when adding the modules, you are prompted to provide them.
-
Use the
olcnectl module validate
command to validate the Oracle Cloud Infrastructure Cloud Controller Manager module can be deployed to the nodes. For example:olcnectl module validate \ --environment-name myenvironment \ --name myoci
-
Use the
olcnectl module install
command to install the Oracle Cloud Infrastructure Cloud Controller Manager module. For example:olcnectl module install \ --environment-name myenvironment \ --name myoci
The Oracle Cloud Infrastructure Cloud Controller Manager module is deployed into the Kubernetes cluster.
Verifying the Oracle Cloud Infrastructure Cloud Controller Manager Module Deployment
You can verify the Oracle Cloud Infrastructure Cloud Controller Manager module is deployed using the olcnectl
module instances
command on the operator node. For example:
olcnectl module instances \ --environment-name myenvironment INSTANCE MODULE STATE mycluster kubernetes installed myhelm helm installed myoci oci-ccm installed control1.example.com node installed ...
Note the entry for oci-ccm
in the
MODULE
column is in the
installed
state.
In addition, use the olcnectl module report
command to review information
about the module. For example, use the following command to review the Oracle Cloud Infrastructure Cloud Controller Manager module named myoci
in myenvironment
:
olcnectl module report \ --environment-name myenvironment \ --name myoci \ --children
For more information on the syntax for the olcnectl
module report
command, see Platform Command-Line Interface.
Creating an Application Using an Oracle Cloud Infrastructure Load Balancer
This section contains a basic test to verify you can create a Kubernetes application that uses an Oracle Cloud Infrastructure load balancer to provide external IP addresses.
To create a test application to use an Oracle Cloud Infrastructure load balancer:
-
Create a Kubernetes application that uses a LoadBalancer service. The deployment in this example creates an NGINX application with a replica count of 2, and an associated LoadBalancer service.
On a control plane node, create a file named
nginx-oci-lb.yaml
and copy the following into the file.--- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment labels: app: nginx spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: container-registry.oracle.com/olcne/nginx:1.17.7 ports: - containerPort: 80 --- kind: Service apiVersion: v1 metadata: name: nginx-service annotations: service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "None" service.beta.kubernetes.io/oci-load-balancer-internal: "true" service.beta.kubernetes.io/oci-load-balancer-shape: "flexible" service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "10" spec: selector: app: nginx type: LoadBalancer ports: - name: http port: 80 targetPort: 80
The
annotations
section contains the information required to provision an Oracle Cloud Infrastructure load balancer. This is where you set the load balancer shape. For example, to use a 10Mbps shape instead of the flexible shape as shown in the example above, you might use:annotations: service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "None" service.beta.kubernetes.io/oci-load-balancer-internal: "true" service.beta.kubernetes.io/oci-load-balancer-shape: "10Mbps"
In some Oracle Cloud Infrastructure tenancies, you may also need to include theoci-load-balancer-subnet1
annotation to identify the network subnet, for example:service.beta.kubernetes.io/oci-load-balancer-subnet1: "ocid1.subnet.oc1..unique_ID"
For the full list of annotations you can include, see the upstream documentation at:
https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md
-
Start the NGINX deployment and LoadBalancer service:
kubectl apply -f nginx-oci-lb.yaml deployment.apps/nginx-deployment created service/nginx-service created
-
You can see the
nginx-deployment
application is running using thekubectl get deployment
command:kubectl get deployments.apps NAME READY UP-TO-DATE AVAILABLE AGE nginx-deployment 2/2 2 2 31s
-
You can see the
nginx-deployment
service is running using thekubectl get svc
command:kubectl get svc nginx-service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx-service LoadBalancer 10.99.107.243 203.0.113.10 80:31288/TCP 10m
Oracle Cloud Infrastructure may take a few minutes to assign an IP address. Until this completes, the EXTERNAL-IP column shows the
pending
state for thenginx-service
. When the IP address is assigned, this field changes to show the IP address.Tip:
You can see the load balancer is created in the Oracle Cloud Infrastructure UI under Networking > Load Balancers.
You can see the EXTERNAL-IP for the
nginx-service
LoadBalancer has an IP address of203.0.113.10
. This IP address is provided by Oracle Cloud Infrastructure and is the external IP address that you can use to connect to the application. -
Use
curl
to connect to the NGINX application's IP address and add the port for the application (203.0.113.10:80
in this example) to show the NGINX default page.curl 203.0.113.10:80 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>
-
You can delete the
nginx-service
LoadBalancer service using:kubectl delete svc nginx-service service "nginx-service" deleted
Tip:
You can see the load balancer is removed in the Oracle Cloud Infrastructure UI under Networking > Load Balancers.
-
You can delete the
nginx-deployment
application using:kubectl delete deployments.apps nginx-deployment deployment.apps "nginx-deployment" deleted
Removing the Oracle Cloud Infrastructure Cloud Controller Manager Module
You can remove a deployment of the Oracle Cloud Infrastructure Cloud Controller Manager module and leave the Kubernetes cluster in place. To do this, you remove the Oracle Cloud Infrastructure Cloud Controller Manager module from the environment.
Use the olcnectl module uninstall
command to remove the Oracle Cloud Infrastructure Cloud Controller Manager module. For example, to uninstall the Oracle Cloud Infrastructure Cloud Controller Manager module named myoci
in the
environment named myenvironment
:
olcnectl module uninstall \ --environment-name myenvironment \ --name myoci
The Oracle Cloud Infrastructure Cloud Controller Manager module is removed from the environment.