github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/docs/design-decisions/cloud-provider.md

# Cloud Provider

## Motivation
Cloud Provider support is an important feature of Kubernetes that KET did not configure. This was mainly due to the lack of documentation around this functionality; however, it is something the community has requested that KET support.

## Implementation
Two new options are added to the `kubelet`, `kube-apiserver` and `kube-controller-manager` spec files:

* `--cloud-provider` - options are aws, azure, cloudstack, fake, gce, mesos, openstack, ovirt, photon, rackspace, vsphere, or empty for e.g. bare metal setups.
* `--cloud-config` - used by aws, gce, mesos, openshift, ovirt and rackspace

More detail [here](https://kubernetes.io/docs/getting-started-guides/scratch/#cloud-providers)

### Plan File Changes
These options will be exposed in the plan file as follows:
```
cluster:
  kube_apiserver:
    option_overrides: {}
  cloud_provider:
    provider:
    config:
```

* `provider` - a string, maps to `--cloud-provider`
* `config` - absolute path to the config file on the bastion node. This file will be copied to all machines to `/etc/kubernetes/cloud_config`

Initially we will target support (with tests) for `aws` and `openstack`; however, we should not prevent the user from using any other provider. This can be accomplished with a warning at runtime or documentation.

### aws provider
`aws` does not require the `cloud-config` and utilizes IAM policies to interact with the API.

Provider integration enables 2 features:
* using the `LoadBalancer` service type, this will create an AWS ELB and assign a public DNS name to the service
* using a `StorageClass` with the `provisioner: kubernetes.io/aws-ebs`
* getting the required credentials to pull `ecr` images

Sample `StorageClass`:
```
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: slow
provisioner: kubernetes.io/aws-ebs
parameters:
  type: io1
  zones: us-east-1a, us-east-1c
  iopsPerGB: "10"
```

Sample IAM policies below:

Master:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Worker:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:AttachVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DetachVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
```

### openstack provider
The only [example](https://stackoverflow.com/questions/32226108/kubernetes-openstack-integration) I've been able to find.
The [source code](https://github.com/kubernetes/kubernetes/blob/release-1.7/pkg/cloudprovider/providers/openstack/openstack.go) can also be used for reference.
```
[Global]
auth-url = OS_AUTH_URL
user-id = OS_USERNAME
api-key = OS_PASSWORD
tenant-id = OS_TENANT_ID
tenant-name = OS_TENANT_NAME
[LoadBalancer]
subnet-id = 11111111-1111-1111-1111-111111111111
```
This will require testing and someone with openstack experience.

### Validation
* Confirm `--cloud-provider` is a valid option
* Confirm `--cloud-config` is present on the local machine with the required permissions to copy the file
* Prevent `--cloud-provider` and `--cloud-config` from being set in `cluster.kube_apiserver.option_overrides: {}`

### Documentation
* Modify Plan File Reference
* Document how to use `aws` provider
* Document how to use `openstack` provider
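As an added example of the validation checks listed above (not KET's own code), the Go program below applies the three checks to a minimal, hypothetical `Plan` struct; the field names `CloudProvider`, `Config` and `KubeAPIServerOptionOverrides` are assumptions, not KET's real plan types. It also warns when the cloud-config file on the bastion is world-readable, since that file can carry credentials (the OpenStack sample holds `api-key = OS_PASSWORD`) and is copied to every node.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Valid values for --cloud-provider as listed in this design document; the
// empty string means no cloud provider (e.g. bare metal).
var validCloudProviders = map[string]bool{
	"": true, "aws": true, "azure": true, "cloudstack": true, "fake": true,
	"gce": true, "mesos": true, "openstack": true, "ovirt": true,
	"photon": true, "rackspace": true, "vsphere": true,
}

// CloudProvider mirrors the cluster.cloud_provider block of the plan file.
type CloudProvider struct {
	Provider string // maps to --cloud-provider
	Config   string // absolute path to the cloud config on the bastion node
}

// Plan is a hypothetical, minimal stand-in for the KET plan structure; only
// the fields this validation touches are modelled.
type Plan struct {
	KubeAPIServerOptionOverrides map[string]string // cluster.kube_apiserver.option_overrides
	CloudProvider                CloudProvider
}

// ValidatePlan applies the three checks from the Validation section and
// returns (errors, warnings). Errors should block installation; warnings
// are informational.
func ValidatePlan(p Plan) (errs []string, warns []string) {
	// 1. --cloud-provider must be one of the known values.
	if !validCloudProviders[p.CloudProvider.Provider] {
		errs = append(errs, fmt.Sprintf(
			"cloud_provider.provider %q is not a valid --cloud-provider value", p.CloudProvider.Provider))
	}

	// 2. --cloud-config must be an absolute path to a readable file on this machine.
	if cfg := p.CloudProvider.Config; cfg != "" {
		if !filepath.IsAbs(cfg) {
			errs = append(errs, "cloud_provider.config must be an absolute path")
		} else if fi, err := checkConfigFile(cfg); err != nil {
			errs = append(errs, err.Error())
		} else if fi.Mode().Perm()&0004 != 0 {
			// The file may hold credentials and is copied to all nodes, so a
			// world-readable source file is worth flagging.
			warns = append(warns, fmt.Sprintf("%s is world-readable; it will be copied to all nodes", cfg))
		}
	}

	// 3. The flags must not also be set via option_overrides, where they
	// would silently conflict with cluster.cloud_provider.
	for _, flag := range []string{"cloud-provider", "cloud-config"} {
		if _, ok := p.KubeAPIServerOptionOverrides[flag]; ok {
			errs = append(errs, fmt.Sprintf(
				"kube_apiserver.option_overrides must not set --%s; use cluster.cloud_provider instead", flag))
		}
	}
	return errs, warns
}

// checkConfigFile confirms the path is a regular file that the current user
// can open for reading (the permission needed to copy it to the nodes).
func checkConfigFile(path string) (os.FileInfo, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return nil, fmt.Errorf("cloud_provider.config: %v", err)
	}
	if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("cloud_provider.config: %s is not a regular file", path)
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, fmt.Errorf("cloud_provider.config: %s is not readable: %v", path, err)
	}
	if err := f.Close(); err != nil {
		return nil, err
	}
	return fi, nil
}

func main() {
	// Constructed plan: aws without a cloud-config (aws does not need one),
	// but with the flag also set in option_overrides, which check 3 rejects.
	p := Plan{
		CloudProvider:                CloudProvider{Provider: "aws"},
		KubeAPIServerOptionOverrides: map[string]string{"cloud-provider": "aws"},
	}
	errs, warns := ValidatePlan(p)
	for _, e := range errs {
		fmt.Println("error:", e)
	}
	for _, w := range warns {
		fmt.Println("warning:", w)
	}
}
```

Running the program as written reports one error, the `option_overrides` conflict; swap the provider for a value outside the list or point `Config` at a relative path to see the other checks fire.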
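The sample master policy in the aws provider section grants `ec2:*` and `elasticloadbalancing:*` on every resource, which is far broader than the worker policy. The following Go program is an added example, not KET's code: it parses an IAM policy document (handling the IAM convention that `Action` and `Resource` may be a single string or a list) and reports service-wide wildcard grants on `*` so they can be reviewed before the policy is attached to an instance role. The names `ServiceWideGrants` and `hasStar` are my own; the embedded policies are the two from this page with whitespace compacted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringOrList accepts the IAM convention of either a single string or a
// list of strings for the Action and Resource fields.
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = StringOrList{single}
		return nil
	}
	var list []string
	if err := json.Unmarshal(b, &list); err != nil {
		return err
	}
	*s = StringOrList(list)
	return nil
}

// Statement and Policy model the subset of the IAM policy grammar used by
// the sample policies in this document.
type Statement struct {
	Effect   string       `json:"Effect"`
	Action   StringOrList `json:"Action"`
	Resource StringOrList `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// ServiceWideGrants returns one finding per Allow statement that grants every
// action of a service ("ec2:*"), or every action outright ("*"), on the "*"
// resource. Prefix wildcards such as "ec2:Describe*" are narrower and are
// deliberately left for manual review rather than flagged here.
func ServiceWideGrants(policyJSON string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !hasStar(st.Resource) {
			continue
		}
		for _, a := range st.Action {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d allows %s on all resources", i, a))
			}
		}
	}
	return findings, nil
}

// hasStar reports whether the Resource list contains the "*" wildcard.
func hasStar(resources []string) bool {
	for _, r := range resources {
		if r == "*" {
			return true
		}
	}
	return false
}

// The two sample policies from this document, content unchanged, whitespace compacted.
const masterPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
  {"Effect": "Allow", "Action": ["elasticloadbalancing:*"], "Resource": ["*"]}]}`

const workerPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:AttachVolume", "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:DetachVolume", "Resource": "*"},
  {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories",
    "ecr:ListImages", "ecr:BatchGetImage"], "Resource": "*"}]}`

func main() {
	for _, pol := range []struct{ name, doc string }{{"master", masterPolicy}, {"worker", workerPolicy}} {
		findings, err := ServiceWideGrants(pol.doc)
		if err != nil {
			fmt.Println(pol.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d service-wide grant(s)\n", pol.name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

The master policy yields two findings and the worker policy none; the worker policy still uses `Resource: "*"` throughout, so it is only the action side that is scoped, which the check does not treat as a finding.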