Users will likely install Launchpad on a laptop or a VM with the intent of deploying MKE, MSR, or MCR onto VMs running on a public or private cloud that supports security groups for IP access control. Such an approach makes it fairly simple to configure networking in a way that provides adequate security and convenient access to the cluster for evaluation and experimentation.
The simplest way to configure the networking for a small, temporary cluster for evaluation:
Create a new virtual subnet (or VPC and subnet) for hosts.
Create a new security group called
de_hosts(or another name of your choice) that permits inbound IPv4 traffic on all ports, either from the security group de_hosts, or from the new virtual subnet only.
Create another new security group (for example,
admit_me) that permits inbound IPv4 traffic from your deployer machine’s public IP address only (for instance, the website whatismyip.com) to determine your public IP.
When launching hosts, attach them to the newly-created subnet and apply both new security groups.
(Optional) Once you know the IPv4 addresses (public, or VPN-accessible private) of your nodes, unless you are using local DNS it makes sense to assign names to your hosts (for example,
worker2… and so on). Then, insert IP addresses and names in your hostfile, thus letting you (and Launchpad) refer to hosts by hostname instead of IP address.
Once the hosts are booted, SSH into them from your deployer machine with your private key. For example:
ssh -i /my/private/keyfile username@mynode
After that, determine whether they can access the internet. One method for doing this is by pinging a Google nameserver:
$ ping 188.8.131.52
Now, proceed with installing Launchpad and configuring an MKE, MSR, or MCR deployment. Once completed, use your deployer machine to access the MKE web UI, run kubectl (after authenticating to your cluster) and other utilities (for example, Postman, curl, and so on).
Use a VPN¶
A more secure way to manage networking is to connect your deployer machine to
your VPC/subnet using a VPN, and to then modify the
de_hosts security group
to accept traffic on all ports from this source.
More deliberate network security¶
If you intend to deploy a cluster for longer-term evaluation, it makes sense to secure it more deliberately. In this case, a certain range of ports will need to be opened on hosts. Refer to the MKE documentation for details.
Launchpad can deploy certificate bundles obtained from a certificate provider to authenticate your cluster. These can be used in combination with DNS to allow you to reach your cluster securely on a fully-qualified domain name (FQDN). Refer to the MKE documentation for details.