Integrating CTE for Kubernetes with Rancher Kubernetes Management Platform
Rancher is an open source software platform that enables Enterprise Kubernetes Container Management. It provides a CNCF-certified (Cloud Native Computing Foundation) Kubernetes distribution that can run on any Kubernetes cluster or distribution. It solves common Kubernetes installation complexities by removing most host dependencies, thereby presenting a stable path for deployment, upgrades & rollbacks.
This document describes installing Rancher and deploying a few workloads to a Kubernetes cluster provisioned by Rancher.
Test Environment
- CTE for Kubernetes Agent: 1.2.0
- CipherTrust Manager: 2.12.0
- OS: Ubuntu 20.04
- Rancher: 1.5.1
- Kubernetes cert-manager: 1.5.1
Prerequisite
Create a 3-node Kubernetes cluster in which all of the worker nodes and master node are in the Ready state.
Policy and Policy Elements
CTE for Kubernetes Policy
| Name | Access |
|---|---|
| | all_ops with Permit, Apply Key, Audit |
| | all_ops with Deny, Audit |
| Default | No Access |
Steps to integrate Rancher with CTE for Kubernetes Cluster
You will need to use K3s for installation. K3s is a lightweight Kubernetes distribution created by Rancher Labs.
Create a Kubernetes cluster for Rancher
- Use the default K3s installation script, type:
```bash
curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL="v1.21" K3S_KUBECONFIG_MODE="644" sh -
```
Testing the cluster
In the previous step, K3s created a new Kubernetes cluster and installed the kubectl CLI, which you can use to interact directly with the Kubernetes API.
- To list all the nodes in the cluster and check their status, type:
```bash
kubectl get nodes
```
System Response
All Pods are Running
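Added example, not part of the Thales CTE or Rancher documentation: a POSIX sh pre-flight script that turns the checks above into pass/fail functions. `nodes_ready` parses the output of `kubectl get nodes --no-headers` and succeeds only when the expected number of nodes (3 in the prerequisite) are all `Ready`; `kubeconfig_private` fails when the kubeconfig is readable by group or other, which is what `K3S_KUBECONFIG_MODE="644"` in the install command produces even though /etc/rancher/k3s/k3s.yaml holds the cluster's admin credentials. The sample node listing is constructed for offline use, and the function names, the `run` argument and the `KUBECONFIG_PATH` default are this example's own conventions.

```bash
#!/bin/sh
# Added example: pre-flight checks for the K3s cluster before installing Rancher.
# Not part of the Thales CTE or Rancher documentation. Function names, the "run"
# argument and KUBECONFIG_PATH are this example's own conventions.

KUBECONFIG_PATH="${KUBECONFIG_PATH:-/etc/rancher/k3s/k3s.yaml}"   # path written by the K3s installer

# nodes_ready EXPECTED_COUNT
# Reads `kubectl get nodes --no-headers` from stdin (columns: NAME STATUS ROLES AGE VERSION).
# Succeeds only when exactly EXPECTED_COUNT nodes are listed and every STATUS is "Ready";
# a cordoned node ("Ready,SchedulingDisabled") is deliberately treated as not ready.
nodes_ready() {
    awk -v want="$1" '
        BEGIN { total = 0; ready = 0; bad = "" }
        NF >= 2 {
            total++
            if ($2 == "Ready") ready++; else bad = bad " " $1 "(" $2 ")"
        }
        END {
            if (total != want) { printf "expected %d nodes, found %d\n", want, total; exit 1 }
            if (ready != total) { printf "nodes not Ready:%s\n", bad; exit 1 }
            printf "all %d nodes Ready\n", total
        }'
}

# kubeconfig_private PATH
# Succeeds only when PATH exists and has no group/other permission bits.
# K3S_KUBECONFIG_MODE="644" leaves the admin credentials readable by every local user.
kubeconfig_private() {
    file="$1"
    [ -f "$file" ] || { echo "kubeconfig not found: $file"; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")   # GNU stat, then BSD stat
    case "$mode" in
        *00) echo "$file mode $mode: ok"; return 0 ;;
        *)   echo "$file mode $mode: readable by group/other; tighten with: chmod 600 $file"; return 1 ;;
    esac
}

# Constructed sample listing (not real cluster output) in the shape of
# `kubectl get nodes --no-headers`; the second worker has not finished joining.
SAMPLE_NODES='k3s-master    Ready      control-plane,master   5m   v1.21.5+k3s2
k3s-worker1   Ready      <none>                 4m   v1.21.5+k3s2
k3s-worker2   NotReady   <none>                 1m   v1.21.5+k3s2'

# preflight EXPECTED_COUNT: run both checks against the live cluster.
preflight() {
    rc=0
    kubectl get nodes --no-headers | nodes_ready "$1" || rc=1
    kubeconfig_private "$KUBECONFIG_PATH" || rc=1
    return $rc
}

# Offline demonstration by default; `sh preflight.sh run` checks the real cluster.
if [ "${1:-}" = "run" ]; then
    preflight 3
else
    printf '%s\n' "$SAMPLE_NODES" | nodes_ready 3 || echo "(expected: the sample contains a NotReady node)"
fi
```

Run it with `run` on the node where K3s was installed; it exits non-zero if a node is missing or not Ready, or if the kubeconfig is still mode 644. The permission check is the one most often forgotten: a world-readable k3s.yaml makes every local account cluster-admin.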
Install Helm
Helm is a package manager for Kubernetes. It is used as the installation tool for Rancher when deploying Rancher onto a Kubernetes cluster.
- Download the Helm CLI, type:
```bash
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
```
- Check the version, type:
```bash
helm version --client
```
- Create a symbolic link from the K3s kubeconfig, /etc/rancher/k3s/k3s.yaml, to the default Kubernetes config path, ~/.kube/config, so that Helm can interact with your cluster, type:
```bash
mkdir -p ~/.kube
ln -s /etc/rancher/k3s/k3s.yaml ~/.kube/config
```
- Validate the connection, type:
```bash
helm ls --all-namespaces
```
Install Kubernetes Cert-Manager
Kubernetes cert-manager is an add-on that automates the management and issuance of TLS certificates from various issuing sources.
- Install the cert-manager CustomResourceDefinitions (CRDs), version v1.5.1, type:
```bash
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.crds.yaml
```
- Add the Helm repository for Jetstack:
```bash
helm repo add jetstack https://charts.jetstack.io
```
- Install cert-manager:
```bash
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.5.1 --create-namespace
```
- Once the Helm chart is installed, you can monitor the rollout status of cert-manager:
```bash
kubectl -n cert-manager rollout status deploy/cert-manager
```
System Response
Waiting for deployment cert-manager rollout to finish: 0 of 1 updated replicas are available...
deployment "cert-manager" successfully rolled out
- You can also monitor the rollout status of cert-manager-webhook:
```bash
kubectl -n cert-manager rollout status deploy/cert-manager-webhook
```
Install Rancher
Install Rancher in HA mode on your Rancher01 Kubernetes cluster.
- Add rancher-stable as a Helm repository, type:
```bash
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
```
- Install Rancher using the Helm install command, type:
```bash
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.${vminfo:rancher01:public_ip}.sslip.io \
  --set replicas=1 \
  --set bootstrapPassword=RancherOnK3s \
  --create-namespace
```
- Verify that Rancher is successfully deployed, type:
```bash
kubectl -n cattle-system rollout status deploy/rancher
```
- Get container details for the cattle-system namespace, type:
```bash
kubectl get pod -n cattle-system
```
- List all pods in all namespaces, type:
```bash
kubectl get pods --all-namespaces
```
- Verify Rancher is ready to access, type:
```bash
while true; do
  curl -kv https://rancher.${vminfo:rancher01:public_ip}.sslip.io 2>&1 | grep -q "dynamiclistener-ca"
  if [ $? != 0 ]; then echo "Rancher isn't ready yet"; sleep 5; continue; fi
  break
done
echo "Rancher is Ready"
```
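The readiness loop above has no upper bound, so a wrong hostname or a broken ingress makes it spin forever. Added example, not part of the Thales CTE or Rancher documentation: the same probe (curl to the Rancher hostname, grep for the bootstrap CA name in the TLS output) wrapped in a bounded retry. `RANCHER_HOST`, the `stub_probe` function and the `run` argument are this example's own assumptions; `RANCHER_HOST` must be set to the value given to `--set hostname=`. The stub lets the loop run offline, and `-k` is only appropriate until Rancher is fronted by a certificate the client trusts.

```bash
#!/bin/sh
# Added example: bounded readiness wait for Rancher. Not part of the Thales CTE or
# Rancher documentation. RANCHER_HOST, stub_probe and the "run" argument are assumptions.

RANCHER_HOST="${RANCHER_HOST:-rancher.example.invalid}"   # assumption: operator sets this to the Helm hostname

# Default probe: succeeds once the Rancher ingress answers and the verbose TLS output
# names the bootstrap CA, the same signal the procedure above greps for.
# -k skips certificate verification and is only acceptable before a trusted cert is configured.
rancher_probe() {
    curl -kv "https://$RANCHER_HOST" 2>&1 | grep -q "dynamiclistener-ca"
}

# wait_for_rancher MAX_ATTEMPTS DELAY_SECONDS [PROBE]
# Returns 0 as soon as PROBE succeeds, 1 when MAX_ATTEMPTS probes have all failed.
# ATTEMPTS_USED records how many probes ran so callers can report it.
wait_for_rancher() {
    max="$1"; delay="$2"; probe="${3:-rancher_probe}"
    ATTEMPTS_USED=0
    while [ "$ATTEMPTS_USED" -lt "$max" ]; do
        ATTEMPTS_USED=$((ATTEMPTS_USED + 1))
        if "$probe"; then
            echo "Rancher is Ready after $ATTEMPTS_USED attempt(s)"
            return 0
        fi
        echo "Rancher isn't ready yet (attempt $ATTEMPTS_USED/$max)"
        sleep "$delay"
    done
    echo "gave up after $max attempts; check the hostname, ingress and rancher pods" >&2
    return 1
}

# Stub probe for offline use: fails until it has been called STUB_READY_AFTER times.
STUB_CALLS=0
STUB_READY_AFTER=3
stub_probe() {
    STUB_CALLS=$((STUB_CALLS + 1))
    [ "$STUB_CALLS" -ge "$STUB_READY_AFTER" ]
}

# `sh wait_rancher.sh run` probes the real host (up to 60 x 5 s); otherwise demonstrate offline.
if [ "${1:-}" = "run" ]; then
    wait_for_rancher 60 5
else
    wait_for_rancher 5 0 stub_probe   # offline demonstration: ready on the third probe
fi
```

A non-zero exit after the attempt budget is exhausted is a better signal for an automation pipeline than an endless loop, and the probe is injectable so the retry logic can be tested without a cluster.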