Configure MetalLB

This section describes how to set up and verify MetalLB parameters during configuration of subnets for a managed cluster creation.

Caution

This section also applies to the bootstrap procedure of a management or regional cluster with the following differences:

  • Instead of the Cluster object, configure templates/bm/cluster.yaml.template.

  • Instead of the MetalLBConfig object, configure templates/bm/metallbconfig.yaml.template.

  • Instead of creating specific IPAM objects such as Subnet and MetalLBConfigTemplate, add their configuration to templates/bm/ipam-objects.yaml.template.

The Kubernetes objects described below are created for a management or regional cluster from template files during bootstrap.

To configure MetalLB:

  1. Optional. Configure parameters related to MetalLB components life cycle such as deployment and update using the metallb Helm chart values in the Cluster spec section. For example:

  2. Configure the MetalLB parameters related to LB address allocation and announcement for cluster services:

    Select from the following options:

    • Recommended. Default. Create MetalLBConfig and MetalLBConfigTemplate objects. This method allows using the Subnet object to define MetalLB address pools. For details, see API documentation: MetalLBConfig and MetalLBConfigTemplate.

      For configuration examples that use MetalLBConfig and MetalLBConfigTemplate, see the following sections:

      Note

      For managed clusters, this configuration method is available as Technology Preview and will become generally available in one of the following Container Cloud releases.

      Since Container Cloud 2.24.4, in the Technology Preview scope, you can use BGP for announcement of external addresses of Kubernetes load-balanced services for managed clusters. To configure the BGP announcement mode for MetalLB, use MetalLBConfig and MetalLBConfigTemplate objects.

      The use of BGP is required to announce services LB IP addresses when using MetalLB on nodes that are distributed across multiple racks. In this case, setting of rack-id labels on nodes is required, they are used in node selectors for BGPPeer, BGPAdvertisement, or both MetalLB objects to properly configure BGP connections from each node.

      Configuration example of the Machine object for the BGP announcement mode
      apiVersion: cluster.k8s.io/v1alpha1
      kind: Machine
      metadata:
        name: test-cluster-compute-1
        namespace: managed-ns
        labels:
          cluster.sigs.k8s.io/cluster-name: test-cluster
          ipam/RackRef: rack-1  # reference to the "rack-1" Rack
          kaas.mirantis.com/provider: baremetal
          kaas.mirantis.com/region: region-one
      spec:
        providerSpec:
          value:
            ...
            nodeLabels:
            - key: rack-id   # node label can be used in "nodeSelectors" inside
              value: rack-1  # "BGPPeer" and/or "BGPAdvertisement" MetalLB objects
        ...
      
      Configuration example of the MetalLBConfigTemplate object for the BGP announcement mode
      apiVersion: ipam.mirantis.com/v1alpha1
      kind: MetalLBConfigTemplate
      metadata:
        name: test-cluster-metallb-config-template
        namespace: managed-ns
        labels:
          cluster.sigs.k8s.io/cluster-name: test-cluster
          kaas.mirantis.com/provider: baremetal
          kaas.mirantis.com/region: region-one
      spec:
        templates:
          ...
          bgpPeers: |
            - name: svc-peer-1
              spec:
                peerAddress: 10.77.42.1
                peerASN: 65100
                myASN: 65101
                nodeSelectors:
                  - matchLabels:
                      rack-id: rack-1  # references the nodes having
                                       # the "rack-id=rack-1" label
          bgpAdvertisements: |
            - name: services
              spec:
                ipAddressPools:
                  - services
                peers:
                  - svc-peer-1
                  ...
      

      The bgpPeers and bgpAdvertisements fields are used to configure BGP announcement instead of l2Advertisements.

      The use of BGP for announcement also allows for better balancing of service traffic between cluster nodes as well as gives more configuration control and flexibility for infrastructure administrators. For configuration examples, refer to MetalLB configuration examples. For configuration procedure, refer to Configure BGP announcement for cluster API LB address.

      The following rules and requirements apply to configuration of MetalLBConfig and MetalLBConfigTemplate:

      • Define one MetalLBConfig and MetalLBConfigTemplate object per cluster.

      • Define the following mandatory labels:

        cluster.sigs.k8s.io/cluster-name

        Specifies the cluster name where the MetalLB address pool is used.

        kaas.mirantis.com/region

        Specifies the region name of the cluster where the MetalLB address pool is used.

        kaas.mirantis.com/provider

        Specifies the provider of the cluster where the MetalLB address pool is used.

      • You can use MetalLBConfig without MetalLBConfigTemplate but not the opposite way.

      • You can use the MetalLBConfig and MetalLBConfigTemplate objects to optimize the announcement of the services LB addresses using the interfaces selector for the l2Advertisements object. This selector allows for announcement of addresses only on selected host interfaces. For details, see API Reference: MetalLBConfigTemplate spec.

        Mirantis recommends this configuration if nodes use separate host networks for different types of traffic. The pros of such configuration are as follows: less spam on other interfaces and networks, limited chances to reach services LB addresses from irrelevant interfaces and networks.

      • When using MetalLBConfigTemplate:

        • MetalLBConfig must reference MetalLBConfigTemplate by name:

          spec:
            templateName: <managed-metallb-template>
          
        • You can use Subnet objects for defining MetalLB address pools. Refer to MetalLB configuration guidelines for subnets for guidelines on configuring MetalLB address pools using Subnet objects.

        The use of MetalLBConfigTemplate object gives more flexibility when describing MetalLB configuration as it allows to use variables, functions, and the Go template expressions inside object templates.

      • Intersection of IP address ranges within any single MetalLB address pool is not allowed.

      • At least one MetalLB address pool must have the auto-assign policy enabled so that unannotated services can have load balancer IPs allocated for them.

      • When configuring multiple address pools with the auto-assign policy enabled, keep in mind that it is not determined in advance which pool of those multiple address pools is used to allocate an IP for a particular unannotated service.

    • Deprecated since Container Cloud 2.24.0. Configure the configInline value in the MetalLB chart of the Cluster object. This functionality will be removed in one of the following releases.

    • Deprecated since Container Cloud 2.24.0. Configure the Subnet objects without MetalLBConfigTemplate. This functionality will be removed in one of the following releases.

    Caution

    If the MetalLBConfig object is not used for MetalLB configuration related to address allocation and announcement of services LB, then automated migration applies during creation of clusters of any type or cluster update to Container Cloud 2.24.0.

    During automated migration, the MetalLBConfig and MetalLBConfigTemplate objects are created and contents of the MetalLB chart configInline value is converted to the parameters of the MetalLBConfigTemplate object.

    Any change to the configInline value made on a Container Cloud 2.24.0 cluster will be reflected in the MetalLBConfigTemplate object.

    This automated migration will be removed in one of the following releases together with the possibility to use the configInline value of the MetalLB chart. After that, any changes in MetalLB configuration related to address allocation and announcement of services LB will be applied using the MetalLBConfigTemplate and Subnet objects only.

    Select from the following options:

    • Configure the configInline value for the MetalLB chart in the Cluster object.

      Caution

      The use of configInline value for the MetalLB chart in the Cluster object is deprecated since Container Cloud 2.24.0 and will be removed in one of the following releases.

    • Configure Subnet objects. For details, see MetalLB configuration guidelines for subnets.

    • Configure both the configInline value for the MetalLB chart and Subnet objects.

      The resulting MetalLB address pools configuration will contain address ranges from both cluster specification and Subnet objects. All address ranges for L2 address pools will be aggregated into a single L2 address pool and sorted as strings.

      Caution

      The use of configInline value for the MetalLB chart in the Cluster object is deprecated since Container Cloud 2.24.0 and will be removed in one of the following releases.

    • Technology Preview since Container Cloud 2.21.1 that applies to managed clusters only. Configure MetalLB address pools and advertisement parameters using the MetalLBConfig object. If you plan to use the MetalLBConfig object in future, refer to the configuration steps for Container Cloud 2.24.0 or later.

      You can use this object instead of Subnet objects and MetalLB chart values in the Cluster object. Do not mix both configuration methods.

      1. Verify that no subnets with the ipam/SVC-MetalLB label are defined for a particular managed cluster.

      2. Verify that the configInline value is absent for the MetalLB chart in the Cluster object. Other fields in values for the MetalLB chart are allowed.

      3. Create the MetalLBConfig object that must reference the target cluster name. Define one MetalLBConfig object per cluster.

      4. Add MetalLB configuration parameters to the MetalLBConfig object definition as described in MetalLBConfig.

  3. Verify the current MetalLB configuration:

    Verify the MetalLB configuration that is stored in MetalLB objects:

    kubectl -n metallb-system get ipaddresspools,l2advertisements
    

    The example system output:

    NAME                                    AGE
    ipaddresspool.metallb.io/default        129m
    ipaddresspool.metallb.io/services-pxe   129m
    
    NAME                                      AGE
    l2advertisement.metallb.io/default        129m
    l2advertisement.metallb.io/services-pxe   129m
    

    Verify one of the listed above MetalLB objects:

    kubectl -n metallb-system get <object> -o json | jq '.spec'
    

    The example system output for ipaddresspool objects:

    $ kubectl -n metallb-system get ipaddresspool.metallb.io/default -o json | jq '.spec'
    {
      "addresses": [
        "10.0.11.61-10.0.11.80"
      ],
      "autoAssign": true,
      "avoidBuggyIPs": false
    }
    $ kubectl -n metallb-system get ipaddresspool.metallb.io/services-pxe -o json | jq '.spec'
    {
      "addresses": [
        "10.0.0.61-10.0.0.70"
      ],
      "autoAssign": false,
      "avoidBuggyIPs": false
    }
    

    Verify the MetalLB configuration that is stored in the ConfigMap object:

    kubectl -n metallb-system get cm metallb -o jsonpath={.data.config}
    

    An example of a successful output:

    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 10.0.11.61-10.0.11.80
    - name: services-pxe
      protocol: layer2
      auto-assign: false
      addresses:
      - 10.0.0.61-10.0.0.70
    

    The auto-assign parameter will be set to false for all address pools except the default one. So, a particular service will get an address from such an address pool only if the Service object has a special metallb.universe.tf/address-pool annotation that points to the specific address pool name.

    Note

    It is expected that every Container Cloud service on a management and regional cluster will be assigned to one of the address pools. Current consideration is to have two MetalLB address pools:

    • services-pxe is a reserved address pool name to use for the Container Cloud services in the PXE network (Ironic API, HTTP server, caching server).

    • default is an address pool to use for all other Container Cloud services in the management network. No annotation is required on the Service objects in this case.