
bored-rain-98291

08/02/2022, 2:46 PM
I'm reading the network docs on RKE2 under network options. Why would anyone customize the CNI plugins? I haven't been exposed to this part of Kubernetes in the past so I'm trying to understand.

rapid-helmet-86074

08/02/2022, 3:04 PM
What degree of change are you talking about? If you want to change the IP space that your pods & services use then your CNI would need to pay attention to those options, and that seems like an easy one. Another one I've heard is some people with Calico like doing fancy things since it just uses BGP, so you can technically hook things outside the cluster to reach inside with that. Though that seems like a likely niche use case.

bored-rain-98291

08/02/2022, 3:06 PM
Hi Bill! I just set up an Azure k8s cluster for a different project. It was great that I could deploy and immediately get an external IP address to the service. I have this same need where several developers are going to be deploying their services to an RKE2 cluster on bare metal (well, in VMs). But I understand that is a big challenge on metal.
It's a govt-type project and they don't want everything exposed to the world.
I know MetalLB is recommended but it's still in alpha.

rapid-helmet-86074

08/02/2022, 3:08 PM
You might be interested in this then: https://projectcalico.docs.tigera.io/security/hosts. I've had it mentally bookmarked to go back and look at since the CNIs don't work with firewalld.
For my bare metal RKE2 clusters I don't use a Kubernetes LoadBalancer at all. I just leave the default nginx ingress controller on all my workers and use an external HAProxy instance that I have a wildcard DNS entry for and I set HAProxy to round robin through my workers and I expose services by creating an Ingress object with a hostname within the wildcard.

bored-rain-98291

08/02/2022, 3:10 PM
Hey thanks! I've been preparing for my CKA exam for a while and am hoping one of these days this stuff just clicks.
Wow, and that works well? Awesome!

rapid-helmet-86074

08/02/2022, 3:10 PM
If you're just doing a normal web app that's enough. I know when we tried looking at Prisma Cloud Compute it had some things it wanted more ports exposed for and I needed to monkey around a bit to get around not using LoadBalancers.
Works fine for me. I do my Rancher poor man's HA by using a DNS hostname with three A records too and that seems to work ok.

bored-rain-98291

08/02/2022, 3:11 PM
So I would need to change away from Flannel to Calico, correct?
CNI plugin?

rapid-helmet-86074

08/02/2022, 3:12 PM
For the firewall bits on tigera.io then yes, though it might work with Canal too (which is Flannel + Calico).

bored-rain-98291

08/02/2022, 3:13 PM
Right.
So the 'big issue' with metal and k8s is that there is no load balancer.

rapid-helmet-86074

08/02/2022, 3:13 PM
I picked Calico when I played vanilla because poking around what I found suggested that the cloud providers use it. For RKE2 I've just used default, which is Canal if installed manually & Calico if installed through the UI (though it's just a dropdown option to switch).
MetalLB would be your LoadBalancer object, but you'll also have to remember to assign it IPs and that's also where I was a little leery as then I'd have to know my services when laying out my network space or change them to paths within a set number of hosts. I prefer the flexibility of making up hostnames on the fly for development.

bored-rain-98291

08/02/2022, 3:15 PM
Exactly!
Forgive the redundancy, but you are using a Tigera product? Is it open source/free? Or did you have to purchase?

rapid-helmet-86074

08/02/2022, 3:16 PM
I've only used FOSS versions. For customers getting commercial support, the plan for that is through Rancher.
(I'm assuming the Rancher-bundled version is the FOSS version.)

bored-rain-98291

08/02/2022, 3:17 PM
Ah ok, so what is the specific product from Tigera I need to configure? Or is it already part of RKE2?
I plan to discuss this option with the team since it seems the most positive lol

rapid-helmet-86074

08/02/2022, 3:19 PM
The Tigera link is the FOSS Calico docs.

bored-rain-98291

08/02/2022, 3:19 PM
lol ah ok, so basically I have everything I need.
I never set up the web interface for Rancher, which was probably stupid.

rapid-helmet-86074

08/02/2022, 3:19 PM
To the best of my knowledge. If you find something missing let me know, as I may run into it later too.

bored-rain-98291

08/02/2022, 3:20 PM
Thanks for the link. You helped me again!

rapid-helmet-86074

08/02/2022, 3:21 PM
Not necessarily. The Rancher UI takes a Kubernetes cluster (if you want it HA), so if you just want RKE2 and don't plan on using Rancher UI to manage Kubernetes clusters (auth definitely managed through there, also some handy user-friendly bits) then that's still a perfectly viable option. RKE2 is certainly nice on its own.
No problem. Happy to help out.

bored-rain-98291

08/02/2022, 3:23 PM
Agreed, and we aren't using the HA version since it's just a dev cluster. 1 master, 2 agents.

rapid-helmet-86074

08/02/2022, 3:27 PM
You could play around with the Rancher UI by running it in a Docker container and see if you think it's worth it or not. If you've got devs afraid of the command line that want a UI then Rancher UI makes it nicer to get to a shell in a container or the logs, but you can do all the same with kubectl or other commands already. As a note, if you want RKE2 with SELinux enforcing then you can't deploy RKE2 through the UI yet and have to still manually install and join later as a pre-existing cluster.

bored-rain-98291

08/02/2022, 3:28 PM
Good to know, thanks! Most of the devs are forced to use the terminal in other projects they work on, so I'm not too worried about it.