Welcome to CloudVeneto's Experimental Container-as-a-Service (CaaS) Platform!

CaaS provides an easy way to run containerized software packages in the cloud. Unlike the more widely recognized Kubernetes-as-a-Service (KaaS) model, where users are responsible for creating and managing their Kubernetes clusters, with CaaS we offer a fully managed orchestration platform as a cloud service. This means you don't need an in-depth understanding of Kubernetes infrastructure management. Instead, you can effortlessly deploy your containers to our Kubernetes-based platform using the straightforward kubectl command line interface.

Please be aware that our CaaS service is currently in an experimental phase, so some issues may arise. If you encounter any problems, we kindly ask you to report them to support@cloudveneto.it. Your feedback is invaluable for enhancing the quality of our service.

In this section, we will guide you through the process of accessing our CaaS platform and running your containers.


Overview

Before accessing the platform, it is important to grasp some key concepts about the architecture, usability, security, and a few limitations. We assume that you already have a basic understanding of Kubernetes (https://kubernetes.io).


The Architecture

Kubernetes manages your workloads by placing containers in pods, which are then scheduled to run on nodes. In our CaaS, each node is essentially a virtual machine provided within the CloudVeneto infrastructure. These nodes are under your control but are configured by our platform. In contrast, the control plane, responsible for orchestrating container deployments and cluster management, is fully managed by CloudVeneto.

This separation of responsibilities ensures a streamlined user experience while providing the following benefits:

  • Flexibility: You have the freedom to manage your nodes according to your specific requirements in terms of CPU, RAM, and storage (flavor) without to worry about their setup.
  • Isolation: Your pods run on dedicated nodes, effectively creating a virtual cluster tailored to your needs.
  • Resource Sharing: You can share one or more nodes with users who belong to your CloudVeneto project.
  • Service Deployment: You can either use pre-deployed services (e.g., nginx) or deploy new ones in your own namespace. 

Please note that the nodes you create utilize the quota assigned to your CloudVeneto project. Therefore, the size of your virtual cluster is constrained by the available resources at any given moment. Since node creation typically takes just a few minutes (usually less than 5 minutes), we encourage you to create new nodes as needed but also to promptly remove them when they are no longer necessary in order to conserve cloud resources.

Security

Running pods on your own nodes (i.e., virtual machines) ensures a high level of isolation. However, Kubernetes doesn't provide complete isolation for users within the same namespace. To address this specific limitation, we have introduced integrated add-ons for Kubernetes. These enhancements include authentication mechanisms based on Keystone and IAM tokens, along with refined authorization procedures to ensure comprehensive user and resource isolation.

Kindly be aware that pods running on shared nodes do not achieve full isolation as they share the same computing resources (virtual machine) and rely on the security capabilities of the container runtime, such as Docker or Containerd.

Accessing the CaaS

Accessing the platform requires the correct configuration of kubectl, the Kubernetes management client.

To simplify the configuration and authentication process, two distinct plugins for kubectl have been developed: kubectl-openstack and kubectl-iam. These plugins are differentiated based on the type of authentication required.

  • kubectl-openstack: This plugin is required for all users registered with CloudVeneto and is based on the OpenStack authentication model, using the Keystone token.

  • kubectl-iam: This plugin is required for all INFN-PD users not registered to CloudVeneto. Supported IAM services are: "https://iam.cloud.infn.it" and "https://iam.quantumtea.it". QUESTO PUNTO VA CHIARITO

Configuring kubectl with the kubectl-openstack plugin

Prerequisites

  • install kubectl (guide)
  • have an OpenStack password configured through the CloudVeneto dashboard.

Plugin installation

Download the kubectl-openstack file and copy it to /usr/local/bin/ . You may need to make the file executable (chmod 755 kubectl-openstack).

Usage

To view the syntax and the list of parameters use the help:

$ kubectl-openstack --help
Usage: kubectl-openstack [FLAG] -user <USERNAME> -password <PASSOWRD> -project <PROJECT>

Options:
  -force
    	overwrite the existing configuration
  -password string
    	your CloudVeneto password
  -project string
    	your CloudVeneto project
  -user string
    	your CloudVeneto username

After configuring kubectl with the kubectl-openstack plugin, the kubeconfig file (/home/<username>/.kube/config) is either created or updated if it already exists. This file contains the Keystone token and various parameters essential for kubectl to manage authentication.

In scenarios where you belong to multiple CloudVeneto projects, you can utilize the 'kubectl-openstack' command to configure kubectl for all your projects seamlessly.

The following example configures kubectl selecting CMS as project:

$ kubectl-openstack -user zangrand@infn.it -password ******** -project CMS
kubectl configured correctly

Now you can access the CaaS:

$ kubectl get pods
No resources found in cms namespace.

Before to run the first pod you must create a node.

Configuring kubectl with the kubectl-iam plugin

Prerequisites

Plugin installation

Download the kubectl-iam file and copy it to /usr/local/bin/ . You may need to make the file executable (chmod 755 kubectl-iam)

Usage

To view the syntax and the list of parameters use the help:

$ kubectl-iam --help
Usage: ./kubectl-iam [FLAG] -iam-url <URL> -group <GROUP>

Options:
  -force
    	overwrite the existing configuration
  -group string
    	your IAM group
  -iam-url string
    	the IAM url (default "https://iam.cloud.infn.it")

After configuring kubectl with the kubectl-iam plugin, the kubeconfig file (/home/<username>/.kube/config) is either created or updated if it already exists. This file contains the IAM token and various parameters essential for kubectl to manage authentication.

In scenarios where you belong to multiple CloudVeneto projects, you can utilize the 'kubectl-iam' command to configure kubectl for all your projects seamlessly.

The following example configures kubectl using IAM credentials:

$ kubectl-iam -iam-url https://iam.quantumtea.it -group QST
please open the link in your web browser: https://iam.quantumtea.it/device?user_code=BB3FXJ

or scan the QR code

█████████████████████████████████████████
█████████████████████████████████████████
████ ▄▄▄▄▄ ██  █▀██▀▄█ ▄ ▄▄▄██ ▄▄▄▄▄ ████
████ █   █ █ █ ▀▄█▄▀▄█▀█▄▄██ █ █   █ ████
████ █▄▄▄█ █ ▀▀██▄▄▄▄█▀▀▄  █▀█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█ ▀ █ █ █ █▄▀ ▀ ▀ █▄▄▄▄▄▄▄████
████▄█  ▄▄▄▀▀▀▄ █ ▄█    ▀▀▄▀██  ▄  ▀▀████
████▀▄  ▀█▄█▀███▀ ▄   ▀█▀▀▀▀▄▀▀█ ▀  ▀████
████▄▄▄▀▀▀▄▀▀▄▀  ▀▄ ▄▀▀█▄ ▄▄▄▄▀▄▄ ▀  ████
████▀▄ ▄█ ▄█▀   ███ ▄▄▀█▄ ▀██  █   ▄█████
█████▀▄█▄▄▄ ██▀▄█▀▀▄▀▄▀▀ ▀▄  ▄▀ ▄ ▀▀ ████
████ ▀ ▄▄█▄ ▀ ▄▄  ▀ ▀█▄█ ▀▄██    ▀ ▀█████
████▀  ▀█ ▄▄▀▀▀▀ █▀ ▀▀▄▄▀▄  ▀▄▀██▄▀▄▀████
████ █ ▀▀▀▄▀ ▄▀▀▀ ▄█▀█▄ ▀▀▄██▀▄ ▄ ▀ █████
████▄████▄▄▄▀    ▄▀█▀ █ ▀█ █ ▄▄▄ █▀█▀████
████ ▄▄▄▄▄ █▀▄▀█▄██▄  ▀█  █  █▄█ ▀  ▀████
████ █   █ █  ▄██ ▄▀▄█▀██ ▄▀  ▄▄  ▀▀▀████
████ █▄▄▄█ █▄██▄▀▄▄ ▄█▀▀█ ▄█▄▀▄▄▀  ██████
████▄▄▄▄▄▄▄█▄█▄▄█▄▄▄█▄▄▄▄█▄▄▄██▄█▄█▄█████
█████████████████████████████████████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

..................................................................................
kubectl configured correctly

How to Create and Manage Kubernetes Cluster Nodes (ONLY with kubectl-openstack plugin)

Prerequisites

Before you can create and manage nodes in your Kubernetes cluster, make sure you have completed the following prerequisites:

  1. Configure kubectl with the kubectl-openstack plugin: Ensure that your kubectl is correctly configured with the kubectl-openstack plugin.

    1. Currently users accessing with IAM credentials cannot create nodes
  2. Verify the existence of the 'K8S' security group in the CloudVeneto project with the following rules, or create it:

Egress

IPv4AnyAny0.0.0.0/0
EgressIPv6AnyAny::/0
IngressIPv4ICMPAny0.0.0.0/0
IngressIPv4TCP22 (SSH)0.0.0.0/0
IngressIPv4TCPAny192.168.60.0/24
IngressIPv4UDPAny192.168.60.0/24
IngressIPv4TCPAny10.64.0.0/16
IngressIPv4UDPAny10.64.0.0/16


Creating a New Node

To create a new node in your Kubernetes cluster, you'll use kubectl, the standard Kubernetes command-line interface. Specifically, you will utilize the kubectl apply command, which takes a YAML file as input.

The YAML file required to create a new node should follow this structure:

---
apiVersion: osnode.infn.it/v1
kind: OpenStackNode
metadata:
  name: NODE_NAME
spec:
  flavor: FLAVOR_NAME
  keyPair: KEYPAIR_NAME
  policy: [shared | private ]
  • NODE_NAME: <Unique node name>
  • FLAVOR_NAME: <CloudVeneto flavor name>
  • KEYPAIR_NAME: <User-defined SSH keypair name>
  • shared | private: <Choose one: shared or private> 
In the following example, we request the creation of two nodes (osn-01 and osn-02), the first being shared and the second private, with different flavors (cloudveneto.medium and cloudveneto.large).
Both nodes use the same SSH keypair (my-key):
osnode.yml
---
apiVersion: osnode.infn.it/v1
kind: OpenStackNode
metadata:
  name: osn-01
spec:
  flavor: cloudveneto.medium
  keyPair: my-key
  policy: shared

---
apiVersion: osnode.infn.it/v1
kind: OpenStackNode
metadata:
  name: osn-02
spec:
  flavor: cloudveneto.large
  keyPair: my-key
  policy: private


$ kubectl apply -f osnode.yml
openstacknode.osnode.infn.it/osn-01 created
openstacknode.osnode.infn.it/osn-02 created

Verifying Node Status

To check the status of one or more nodes in your Kubernetes cluster, you can use the following commands:

  • To list all nodes and their basic information:

    $ kubectl get osn
NAME     PHASE     OWNER                 POLICY    PROVIDER      VM IPV4       AGE
osn-01   Running   zangrand-at-infn.it   private   CloudVeneto   10.64.53.40   169m
osn-02   Running   zangrand-at-infn.it   shared    CloudVeneto   10.64.53.67   169m

  • To list all nodes with additional details, including flavor, status, and IP address:

    $ kubectl get osn -o wide
NAME     PHASE     OWNER                 POLICY    PROVIDER      VM FLAVOR            VM STATUS   VM IPV4       AGE
osn-01   Running   zangrand-at-infn.it   private   CloudVeneto   cloudveneto.medium   ACTIVE      10.64.53.40   169m
osn-02   Running   zangrand-at-infn.it   shared    CloudVeneto   cloudveneto.medium   ACTIVE      10.64.53.67   169m

  • To view detailed information about a specific node (replace osn-01 with the desired node name):

    $ kubectl get osn -o wide osn-01
NAME     PHASE     OWNER                 POLICY    PROVIDER      VM FLAVOR            VM STATUS   VM IPV4       AGE
osn-01   Running   zangrand-at-infn.it   private   CloudVeneto   cloudveneto.medium   ACTIVE      10.64.53.40   169m

Removing Nodes

To remove one or more nodes and their associated VMs from CloudVeneto, use the following command:

$ kubectl delete osn <node_name_1> <node_name_2> ...

For example, to remove osn-01 and osn-02, you would run:

$ kubectl delete osn osn-01 osn-02
openstacknode.osnode.infn.it "osn-01" deleted
openstacknode.osnode.infn.it "osn-02" deleted

  • No labels