For details, go through KKP integration details
For usage outside of KKP, follow this guide. It assumes that the KubeLB manager cluster has been configured by following the installation guide.
Each cluster that wants load balancer services is treated as a unique tenant by KubeLB. This means that the KubeLB manager needs to be aware of the tenant clusters. To register a tenant in the KubeLB manager cluster, we need to create a namespace with the unique name of the tenant and label it with kubelb.k8c.io/managed-by: kubelb.
We then create a restricted service account in the tenant cluster that will be used by the KubeLB CCM to communicate with the KubeLB manager cluster. Eventually, we need a kubeconfig that can be configured in the KubeLB CCM to communicate with the KubeLB manager cluster.
This script can be used for creating the required RBAC and generating the kubeconfig:
```bash
#!/usr/bin/env bash
set -euox pipefail

if [ $# -ne 1 ] ; then
  echo 'No cluster ID provided'
  exit 1
fi

clusterId=$1
namespace=$clusterId

# Register the tenant: a namespace named after the cluster, labelled for KubeLB.
kubectl create namespace "$namespace"
kubectl label namespace "$namespace" kubelb.k8c.io/managed-by=kubelb

# Service account for the KubeLB CCM, limited to LoadBalancer resources in this namespace.
cat <<EOF | kubectl apply -n "$namespace" -f -
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubelb-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubelb-agent-role
rules:
  - apiGroups:
      - kubelb.k8c.io
    resources:
      - loadbalancers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - kubelb.k8c.io
    resources:
      - loadbalancers/status
    verbs:
      - get
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubelb-agent-rolebinding
subjects:
  - kind: ServiceAccount
    name: kubelb-agent
roleRef:
  kind: Role
  name: kubelb-agent-role
  apiGroup: rbac.authorization.k8s.io
EOF

# Stop command tracing here so that `set -x` does not echo the token to stderr.
set +x

# your server name goes here
server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
token_name=$(kubectl -n "$namespace" get sa kubelb-agent -o jsonpath='{.secrets[0].name}')

# Clusters that do not auto-create a token Secret for service accounts
# (Kubernetes 1.24 and later) leave .secrets empty; stop instead of
# emitting a kubeconfig without credentials.
if [ -z "$token_name" ]; then
  echo 'Service account kubelb-agent has no token secret' >&2
  exit 1
fi

ca=$(kubectl -n "$namespace" get "secret/$token_name" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl -n "$namespace" get "secret/$token_name" -o jsonpath='{.data.token}' | base64 --decode)

# The kubeconfig is written to stdout and contains the bearer token.
echo "
apiVersion: v1
kind: Config
clusters:
- name: kubelb-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: kubelb-cluster
    namespace: $namespace
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}"
```
For CCM, during installation we need to provide the kubeconfig that we generated in the previous step. Also, the tenantName field in the values.yaml should be set to the name of the tenant cluster.
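Before the kubeconfig is handed to the CCM, the permissions of the kubelb-agent service account can be checked against the Role created above. The following is an added example, not part of the KubeLB project: the function names (`can_i`, `expect`, `audit_tenant_rbac`), the second namespace argument and the choice of denied checks are assumptions made here, and the operator running it needs impersonation rights on the manager cluster.

```bash
#!/usr/bin/env bash
# Added example, not KubeLB project code. Run it with kubectl pointed at the
# KubeLB manager cluster, as a user who is allowed to impersonate.

# can_i SA NAMESPACE ARGS... -> prints yes, no, or error (API call failed)
can_i() {
  local sa="$1" ns="$2" out
  shift 2
  out=$(kubectl auth can-i "$@" --as="$sa" -n "$ns" 2>/dev/null) || true
  case "$out" in
    yes*) echo yes ;;
    no*)  echo no ;;
    *)    echo error ;;
  esac
}

# expect WANT SA NAMESPACE ARGS... -> prints the result, returns 0 on a match
expect() {
  local want="$1" sa="$2" ns="$3" got
  shift 3
  got=$(can_i "$sa" "$ns" "$@")
  echo "want=$want got=$got ns=$ns can-i $*"
  [ "$got" = "$want" ]
}

# audit_tenant_rbac TENANT [OTHER_NS] -> returns 0 only if every check matches
audit_tenant_rbac() {
  local tenant="$1" other="${2:-default}" lb=loadbalancers.kubelb.k8c.io
  local sa="system:serviceaccount:$1:kubelb-agent" bad=0 verb

  # Granted by kubelb-agent-role inside the tenant namespace.
  for verb in create delete get list patch update watch; do
    expect yes "$sa" "$tenant" "$verb" "$lb" || bad=$((bad + 1))
  done
  for verb in get patch update; do
    expect yes "$sa" "$tenant" "$verb" "$lb" --subresource=status || bad=$((bad + 1))
  done

  # Must stay denied: secrets, RBAC changes, and any other namespace.
  expect no "$sa" "$tenant" get secrets || bad=$((bad + 1))
  expect no "$sa" "$tenant" create rolebindings.rbac.authorization.k8s.io || bad=$((bad + 1))
  expect no "$sa" "$other" list "$lb" || bad=$((bad + 1))
  expect no "$sa" "$other" create "$lb" || bad=$((bad + 1))
  [ "$bad" -eq 0 ]
}

# Usage: audit_tenant_rbac <cluster-id> [another-namespace]
```

A non-zero return means either a missing grant or, more importantly, an unexpected `yes`, which usually points at an additional RoleBinding or ClusterRoleBinding that also covers the service account.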