This documentation provides information on how to deploy and operate
Mirantis Kubernetes Engine (MKE). It is intended to help operators understand
the core concepts of the product and provides sufficient information to deploy
and operate the solution.
The information in this documentation set is continually improved and amended
based on feedback and requests from MKE users.
Mirantis Kubernetes Engine (MKE, formerly Universal Control Plane or UCP)
is the industry-leading container orchestration platform for developing
and running modern applications at scale, on private clouds, public clouds,
and on bare metal.
MKE delivers immediate value to your business by allowing you to adopt modern
application development and delivery models that are cloud-first and
cloud-ready. With MKE you get a centralized place with a graphical UI to manage
and monitor your Kubernetes and/or Swarm cluster instance.
Your business benefits from using MKE as a container orchestration platform,
especially in the following use cases:
More than one container orchestrator
Whether your application requirements are complex, requiring medium to large
clusters, or simple enough to deploy quickly in a development environment,
MKE gives you a choice of container orchestrator.
Deploy Kubernetes, Swarm, or both types of clusters and manage them
on a single MKE instance or centrally manage your instance using
Mirantis Container Cloud.
Robust and scalable applications deployment
Monolithic applications are old school; microservices are the modern way
to deploy an application at scale. Delivering applications through
an automated CI/CD pipeline can dramatically improve time-to-market
and service agility. Adopting microservices becomes a lot easier
when using Kubernetes and/or Swarm clusters to deploy and test
microservice-based applications.
Multi-tenant software offerings
Containerizing existing monolithic SaaS applications enables quicker
development cycles and automated continuous integration and deployment.
But these applications need to allow multiple users to share a single
instance of a software application. MKE can operate multi-tenant
environments, isolate teams and organizations, separate cluster
resources, and so on.
The MKE Reference Architecture provides a technical overview of Mirantis
Kubernetes Engine (MKE). It is your source for the product hardware and
software specifications, standards, component information, and configuration
detail.
Mirantis Kubernetes Engine (MKE) allows you to adopt modern application
development and delivery models that are cloud-first and cloud-ready. With MKE
you get a centralized place with a graphical UI to manage and monitor your
Kubernetes and/or Swarm cluster instance.
The core MKE components are:
ucp-cluster-agent
Reconciles the cluster-wide state, including Kubernetes
addons such as Kubecompose and KubeDNS, managing replication configurations
for the etcd and RethinkDB clusters, and syncing the node inventories of
SwarmKit and Swarm Classic. This component is a single-replica service that
runs on any manager node in the cluster.
ucp-manager-agent
Reconciles the node-local state on manager nodes,
including the configuration of the local Docker daemon, local data volumes,
certificates, and local container components. Each manager node in the
cluster runs a task from this service.
ucp-worker-agent
Performs the same reconciliation operations as
ucp-manager-agent but on worker nodes. This component runs a task on
each worker node.
The following MKE component names differ based on the node’s operating
system:
Take careful note of the minimum and recommended hardware requirements for MKE
manager and worker nodes prior to deployment.
Note
High availability (HA) installations require transferring files between
hosts.
On manager nodes, MKE only supports the workloads it requires to run.
Windows container images are typically larger than Linux
container images. As such, provision more local storage for Windows
nodes and for any MSR repositories that store Windows container
images.
Manager nodes manage a swarm and persist the swarm state. Using several
containers per node, the ucp-manager-agent automatically deploys all
MKE components on manager nodes, including the MKE web UI and the data stores
that MKE uses.
Note
Some Kubernetes components are run as Swarm services because the MKE control
plane is itself a Docker Swarm cluster.
The following tables detail the MKE services that run on manager
nodes:
The centralized service for identity and authentication used by MKE and
MSR.
ucp-auth-store
A container that stores authentication configurations and data for
users, organizations, and teams.
ucp-auth-worker
A container that performs scheduled LDAP synchronizations and cleans
authentication and authorization data.
ucp-client-root-ca
A certificate authority to sign client bundles.
ucp-cluster-agent
The agent that monitors the cluster-wide MKE components. Runs on only
one manager node.
ucp-cluster-root-ca
A certificate authority used for TLS communication between MKE
components.
ucp-controller
The MKE web server.
ucp-hardware-info
A container for collecting disk/hardware information about the host.
ucp-interlock
A container that monitors Swarm workloads configured to use layer 7
routing. Only runs when you enable layer 7 routing.
ucp-interlock-config
A service that manages Interlock configuration.
ucp-interlock-extension
A service that verifies the run status of the Interlock extension.
ucp-interlock-proxy
A service that provides load balancing and proxying for Swarm workloads.
Runs only when layer 7 routing is enabled.
ucp-kube-apiserver
A master component that serves the Kubernetes API. It persists its state
in etcd directly, and all other components communicate directly with
the API server. The Kubernetes API server is configured to encrypt
Secrets using AES-CBC with a 256-bit key. The encryption key is never
rotated, and the encryption key is stored on manager nodes, in a file
on disk.
ucp-kube-controller-manager
A master component that manages the desired state of controllers and
other Kubernetes objects. It monitors the API server and performs
background tasks when needed.
ucp-kubelet
The Kubernetes node agent running on every node, which is responsible
for running Kubernetes pods, reporting the health of the node, and
monitoring resource usage.
ucp-kube-proxy
The networking proxy running on every node, which enables pods to
contact Kubernetes services and other pods by way of cluster IP
addresses.
ucp-kube-scheduler
A master component that manages Pod scheduling, which communicates with
the API server only to obtain workloads that need to be scheduled.
ucp-kv
A container used to store the MKE configurations. Do not use it in your
applications, as it is for internal use only. Also used by Kubernetes
components.
ucp-manager-agent
The agent that monitors the manager node and ensures that the right MKE
services are running.
ucp-proxy
A TLS proxy that allows secure access from the local Mirantis Container
Runtime to MKE components.
ucp-sf-notifier
A Swarm service that sends notifications to Salesforce when alerts are
configured by OpsCare, and later when they are triggered.
ucp-swarm-manager
A container used to provide backward compatibility with Docker Swarm.
An MKE service that accounts for the removal of dockershim from
Kubernetes as of version 1.24, thus enabling MKE to continue using
Docker as the container runtime.
k8s_calico-kube-controllers
A cluster-scoped Kubernetes controller used to coordinate Calico
networking. Runs on one manager node only.
k8s_calico-node
The Calico node agent, which coordinates networking fabric according
to the cluster-wide Calico configuration. Part of the calico-node
DaemonSet. Runs on all nodes. Configure the container network interface
(CNI) plugin using the --cni-installer-url flag. If this flag is not
set, MKE uses Calico as the default CNI plugin.
k8s_enable-strictaffinity
An init container for Calico controller that sets the StrictAffinity in
Calico networking according to the configured boolean value.
k8s_firewalld-policy_calico-node
An init container for calico-node that verifies whether systems with
firewalld are compatible with Calico.
k8s_install-cni_calico-node
A container in which the Calico CNI plugin binaries are installed and
configured on each host. Part of the calico-node DaemonSet. Runs on
all nodes.
k8s_ucp-coredns_coredns
The CoreDNS plugin, which provides service discovery for Kubernetes
services and Pods.
k8s_ucp-gatekeeper_gatekeeper-controller-manager
The Gatekeeper manager controller for Kubernetes that provides policy
enforcement. Only runs when OPA Gatekeeper is enabled in MKE.
k8s_ucp-gatekeeper-audit_gatekeeper-audit
The audit controller for Kubernetes that provides audit functionality of
OPA Gatekeeper. Only runs when OPA Gatekeeper is enabled in MKE.
k8s_ucp-kube-compose
A custom Kubernetes resource component that translates Compose files
into Kubernetes constructs. Part of the Compose deployment. Runs on one
manager node only.
k8s_ucp-kube-compose-api
The API server for Kube Compose, which is part of the compose
deployment. Runs on one manager node only.
k8s_ucp-kube-ingress-controller
The Ingress controller for Kubernetes, which provides layer 7 routing
for Kubernetes services. Only runs with Ingress for Kubernetes
enabled.
k8s_ucp-metrics-inventory
A container that generates the inventory targets for Prometheus server.
Part of the Kubernetes Prometheus Metrics plugin.
k8s_ucp-metrics-prometheus
A container used to collect and process metrics for a node. Part of the
Kubernetes Prometheus Metrics plugin.
k8s_ucp-metrics-proxy
A container that runs a proxy for the metrics server. Part of the
Kubernetes Prometheus Metrics plugin.
Worker nodes are instances of MCR that participate in a swarm for the purpose
of executing containers. Such nodes receive and execute tasks dispatched from
manager nodes. Every cluster must include at least one manager node, because
worker nodes do not participate in the Raft distributed state, perform
scheduling, or serve the swarm mode HTTP API.
Note
Some Kubernetes components are run as Swarm services because the MKE control
plane is itself a Docker Swarm cluster.
The following tables detail the MKE services that run on worker nodes.
A container for collecting host information regarding disks and
hardware.
ucp-interlock-config
A service that manages Interlock configuration.
ucp-interlock-extension
A helper service that reconfigures the ucp-interlock-proxy service,
based on the Swarm workloads that are running.
ucp-interlock-proxy
A service that provides load balancing and proxying for swarm
workloads. Only runs when you enable layer 7 routing.
ucp-kube-proxy
The networking proxy running on every node, which enables Pods to
contact Kubernetes services and other Pods through cluster IP
addresses. Named ucp-kube-proxy-win in Windows systems.
ucp-kubelet
The Kubernetes node agent running on every node, which is responsible
for running Kubernetes Pods, reporting the health of the node, and
monitoring resource usage. Named ucp-kubelet-win in Windows
systems.
ucp-pod-cleaner-win
A service that removes all the Kubernetes Pods that remain once
Kubernetes components are removed from Windows nodes. Runs only on
Windows nodes.
ucp-proxy
A TLS proxy that allows secure access from the local Mirantis Container
Runtime to MKE components.
ucp-tigera-node-win
The Calico node agent that coordinates networking fabric for Windows
nodes according to the cluster-wide Calico configuration. Runs on
Windows nodes when Kubernetes is set as the orchestrator.
ucp-tigera-felix-win
A Calico component that runs on every machine that provides endpoints.
Runs on Windows nodes when Kubernetes is set as the orchestrator.
ucp-worker-agent-x and ucp-worker-agent-y
A service that monitors the worker node and ensures that the correct MKE
services are running. The ucp-worker-agent service ensures that only
authorized users and other MKE services can run Docker commands on the
node. The ucp-worker-agent-<x/y> deploys a set of containers onto
worker nodes, which is a subset of the containers that
ucp-manager-agent deploys onto manager nodes. This component is
named ucp-worker-agent-win-<x/y> on Windows nodes.
An MKE service that accounts for the removal of dockershim from
Kubernetes as of version 1.24, thus enabling MKE to continue using
Docker as the container runtime.
k8s_calico-node
The Calico node agent that coordinates networking fabric according to
the cluster-wide Calico configuration. Part of the calico-node
DaemonSet. Runs on all nodes.
k8s_firewalld-policy_calico-node
An init container for calico-node that verifies whether systems with
firewalld are compatible with Calico.
k8s_install-cni_calico-node
A container that installs the Calico CNI plugin
binaries and configuration on each host. Part of the calico-node
DaemonSet. Runs on all nodes.
Admission controllers are plugins that govern and enforce
cluster usage. There are two types of admission controllers:
default and custom. The tables below list the available admission controllers.
For more information, see
Kubernetes documentation: Using Admission Controllers.
Note
You cannot enable or disable custom admission controllers.
Adds a default storage class to PersistentVolumeClaim objects that
do not request a specific storage class.
DefaultTolerationSeconds
Sets the pod default forgiveness toleration to tolerate the
notready:NoExecute and unreachable:NoExecute taints
based on the default-not-ready-toleration-seconds and
default-unreachable-toleration-seconds Kubernetes API server input
parameters if they do not already have toleration for the
node.kubernetes.io/not-ready:NoExecute or
node.kubernetes.io/unreachable:NoExecute taints. The default value
for both input parameters is five minutes.
LimitRanger
Ensures that incoming requests do not violate the constraints in a
namespace LimitRange object.
MutatingAdmissionWebhook
Calls any mutating webhooks that match the request.
NamespaceLifecycle
Ensures that users cannot create new objects in namespaces undergoing
termination and that MKE rejects requests in nonexistent namespaces.
It also prevents users from deleting the reserved default,
kube-system, and kube-public namespaces.
NodeRestriction
Limits the Node and Pod objects that a kubelet can modify.
PersistentVolumeLabel (deprecated)
Attaches region or zone labels automatically to PersistentVolumes as
defined by the cloud provider.
PodNodeSelector
Limits which node selectors can be used within a namespace by reading a
namespace annotation and a global configuration.
ResourceQuota
Observes incoming requests and ensures they do not violate any of the
constraints in a namespace ResourceQuota object.
ServiceAccount
Implements automation for ServiceAccount resources.
ValidatingAdmissionWebhook
Calls any validating webhooks that match the request.
Annotates Docker Compose-on-Kubernetes Stack resources with
the identity of the user performing the request so that the Docker
Compose-on-Kubernetes resource controller can manage Stacks
with correct user authorization.
Detects the deleted ServiceAccount resources to correctly remove
them from the scheduling authorization backend of an MKE node.
Simplifies creation of the RoleBindings and
ClusterRoleBindings resources by automatically converting
user, organization, and team Subject names into their
corresponding unique identifiers.
Prevents users from deleting the built-in cluster-admin,
ClusterRole, or ClusterRoleBinding resources.
Prevents under-privileged users from creating or updating
PersistentVolume resources with host paths.
Works in conjunction with the built-in PodSecurityPolicies
admission controller to prevent under-privileged users from
creating Pods with privileged options. To grant non-administrators
and non-cluster-admins access to privileged attributes, refer to
Use admission controllers for access in the MKE Operations Guide.
CheckImageSigning
Enforces MKE Docker Content Trust policy which, if enabled, requires
that all pods use container images that have been digitally signed by
trusted and authorized users, who are members of one or more teams in
MKE.
UCPNodeSelector
Adds a com.docker.ucp.orchestrator.kubernetes:* toleration to pods
in the kube-system namespace and removes the
com.docker.ucp.orchestrator.kubernetes tolerations from pods in
other namespaces. This ensures that user workloads do not run on
swarm-only nodes, which MKE taints with
com.docker.ucp.orchestrator.kubernetes:NoExecute. It also adds a
node affinity to prevent pods from running on manager nodes depending
on MKE settings.
Every Kubernetes Pod includes an empty pause container, which bootstraps the
Pod to establish all of the cgroups, reservations, and namespaces before its
individual containers are created. The pause container image is always present,
so the pod resource allocation happens instantaneously as containers are
created.
To display pause containers:
When using the client bundle, pause containers are hidden by default.
To display pause containers when using the client bundle:
docker ps -a | grep -i pause
To display pause containers when not using the client bundle:
Certificate and keys for the authentication and authorization
service.
ucp-auth-store-certs
Certificate and keys for the authentication and authorization
store.
ucp-auth-store-data
Data of the authentication and authorization store, replicated
across managers.
ucp-auth-worker-certs
Certificate and keys for authentication worker.
ucp-auth-worker-data
Data of the authentication worker.
ucp-client-root-ca
Root key material for the MKE root CA that issues client
certificates.
ucp-cluster-root-ca
Root key material for the MKE root CA that issues certificates
for swarm members.
ucp-controller-client-certs
Certificate and keys that the MKE web server uses to communicate
with other MKE components.
ucp-controller-server-certs
Certificate and keys for the MKE web server running in the node.
ucp-kv
MKE configuration data, replicated across managers.
ucp-kv-certs
Certificates and keys for the key-value store.
ucp-metrics-data
Monitoring data that MKE gathers.
ucp-metrics-inventory
Configuration file that the ucp-metrics service uses.
ucp-node-certs
Certificate and keys for node communication.
ucp-backup
Backup artifacts that are created while processing a backup. The
artifacts persist on the volume for the duration of the backup and are
cleaned up when the backup completes, though the volume itself remains.
mke-containers
Symlinks to MKE component log files, created by ucp-agent.
You can customize the volume driver for the volumes by creating
the volumes prior to installing MKE. During installation, MKE determines
which volumes do not yet exist on the node and creates those volumes using the
default volume driver.
By default, MKE stores the data for these volumes at
/var/lib/docker/volumes/<volume-name>/_data.
You can interact with MKE either through the web UI or the CLI.
With the MKE web UI you can manage your swarm, grant and revoke user
permissions, deploy, configure, manage, and monitor your applications.
In addition, MKE exposes the standard Docker API, so you can continue using
such existing tools as the Docker CLI client. As MKE secures your
cluster with RBAC, you must configure your Docker CLI client and
other client tools to authenticate your requests using client
certificates that you can download from your MKE profile page.
MKE allows administrators to authorize users to view, edit, and use cluster
resources by granting role-based permissions for specific resource sets.
To authorize access to cluster resources across your organization, MKE
administrators can take the following high-level actions:
Add and configure subjects (users, teams, organizations, and service
accounts).
Define custom roles (or use defaults) by adding permitted operations per
resource type.
Group cluster resources into resource sets of Swarm collections or Kubernetes
namespaces.
Create grants by combining subject, role, and resource set.
Note
Only administrators can manage Role-based access control (RBAC).
The following table describes the core elements used in RBAC:
Element
Description
Subjects
Subjects are granted roles that define the permitted operations for
one or more resource sets and include:
User
A person authenticated by the authentication backend. Users can belong
to more than one team and more than one organization.
Team
A group of users that share permissions defined at the team level. A
team can be in only one organization.
Organization
A group of teams that share a specific set of permissions, defined by
the roles of the organization.
Service account
A Kubernetes object that enables a workload to access cluster resources
assigned to a namespace.
Roles
Roles define what operations can be done by whom. A role is a set of
permitted operations for a type of resource, such as a container or
volume. It is assigned to a user or a team with a grant.
For example, the built-in RestrictedControl role includes
permissions to view and schedule but not to update nodes, whereas a
custom role may include permissions to read, write, and execute
(r-w-x) volumes and secrets.
Most organizations use multiple roles to fine-tune the appropriate
access for different subjects. Users and teams may have different roles
for the different resources they access.
Resource sets
Users can group resources into two types of resource sets to control
user access: Docker Swarm collections and Kubernetes namespaces.
Docker Swarm collections
Collections have a directory-like structure that holds Swarm resources.
You can create collections in MKE by defining a directory path and
moving resources into it. Alternatively, you can use labels in your
YAML file to assign application resources to the path. Resource types
that users can access in Swarm collections include containers,
networks, nodes, services, secrets, and volumes.
Each Swarm resource can be in only one collection at a time, but
collections can be nested inside one another to a maximum depth of two
layers. Collection permission includes permission for child
collections.
For child collections and users belonging to more than one team,
the system combines permissions from multiple roles into an
effective role for the user, which specifies the operations that
are allowed for the target.
Kubernetes namespaces
Namespaces are virtual clusters that allow multiple teams to access a
given cluster with different permissions. Kubernetes automatically sets
up four namespaces, and users can add more as necessary, though unlike
Swarm collections they cannot be nested. Resource types that users can
access in Kubernetes namespaces include pods, deployments, network
policies, nodes, services, secrets, and more.
Grants
Grants consist of a subject, role, and resource set, and define how
specific users can access specific resources. All the grants of an
organization taken together constitute an access control list (ACL),
which is a comprehensive access policy for the organization.
For complete information on how to configure and use role-based access control
in MKE, refer to Authorize role-based access.
The MKE Installation Guide provides everything you need to install
and configure Mirantis Kubernetes Engine (MKE). The guide offers
detailed information, procedures, and examples that are specifically
designed to help DevOps engineers and administrators install and
configure the MKE container orchestration platform.
Before installing MKE, plan a single host name strategy to use consistently
throughout the cluster, keeping in mind that MKE and MCR both use host names.
There are two general strategies for creating host names: short host names and
fully qualified domain names (FQDN). Consider the following examples:
MCR uses three separate IP ranges for the docker0, docker_gwbridge, and
ucp-bridge interfaces. By default, MCR assigns the first available subnet
in default-address-pools (172.17.0.0/16) to docker0, the second
(172.18.0.0/16) to docker_gwbridge, and the third (172.19.0.0/16)
to ucp-bridge.
Note
The ucp-bridge bridge network specifically supports MKE component
containers.
You can reassign the docker0, docker_gwbridge, and ucp-bridge
subnets in default-address-pools. To do so, replace the relevant values in
default-address-pools in the /etc/docker/daemon.json file, making sure
that the setting includes at least three IP pools. Be aware that you must
restart the docker.service to activate your daemon.json file edits.
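For illustration, a minimal daemon.json sketch that reassigns the three bridge subnets is shown below. The pool values are placeholder assumptions; choose ranges that do not conflict with your own networks and keep at least three pools:

{
  "default-address-pools": [
    {"base": "10.100.0.0/16", "size": 24},
    {"base": "10.101.0.0/16", "size": 24},
    {"base": "10.102.0.0/16", "size": 24}
  ]
}

After saving the file, restart the daemon to apply the change, for example with sudo systemctl restart docker.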
By default, default-address-pools contains the following values:
The list of CIDR ranges used to allocate subnets for local bridge
networks.
base
The CIDR range allocated for bridge networks in each IP address pool.
size
The CIDR netmask that determines the subnet size to allocate from the
base pool. If the size matches the netmask of the base,
then the pool contains one subnet. For example,
{"base":"172.17.0.0/16","size":16} creates the subnet:
172.17.0.0/16 (172.17.0.1 - 172.17.255.255).
For example, {"base":"192.168.0.0/16","size":20} allocates
/20 subnets from 192.168.0.0/16, including the following subnets for
bridge networks:
MCR creates and configures the host system with the docker0 virtual network
interface, an Ethernet bridge through which all traffic between MCR
and containers moves. MCR uses docker0 to handle all container
routing. You can specify an alternative network interface when you start a
container.
MCR allocates IP addresses from the docker0 configurable IP range to the
containers that connect to docker0. The default IP range, or subnet, for
docker0 is 172.17.0.0/16.
You can change the docker0 subnet in /etc/docker/daemon.json using the
settings in the following table. Be aware that you must restart the
docker.service to activate your daemon.json file edits.
Parameter
Description
default-address-pools
Modify the first pool in default-address-pools.
Caution
By default, MCR assigns the second pool to docker_gwbridge. If you
modify the first pool such that the size does not match the base
netmask, it can affect docker_gwbridge.
{"default-address-pools":[{"base":"172.17.0.0/16","size":16}, <-- Modify this value{"base":"172.18.0.0/16","size":16},{"base":"172.19.0.0/16","size":16},{"base":"172.20.0.0/16","size":16},{"base":"172.21.0.0/16","size":16},{"base":"172.22.0.0/16","size":16},{"base":"172.23.0.0/16","size":16},{"base":"172.24.0.0/16","size":16},{"base":"172.25.0.0/16","size":16},{"base":"172.26.0.0/16","size":16},{"base":"172.27.0.0/16","size":16},{"base":"172.28.0.0/16","size":16},{"base":"172.29.0.0/16","size":16},{"base":"172.30.0.0/16","size":16},{"base":"192.168.0.0/16","size":20}]}
fixed-cidr
Configures a CIDR range.
Customize the subnet for docker0 using standard CIDR notation.
The default subnet is 172.17.0.0/16, the network gateway is
172.17.0.1, and MCR allocates IPs 172.17.0.2 - 172.17.255.254
for your containers.
{"fixed-cidr":"172.17.0.0/16",}
bip
Configures a gateway IP address and CIDR netmask of the docker0
network.
Customize the subnet for docker0 using the
<gatewayIP>/<CIDRnetmask> notation.
The default subnet is 172.17.0.0/16, the network gateway is
172.17.0.1, and MCR allocates IPs 172.17.0.2 - 172.17.255.254
for your containers.
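A hedged example of the bip setting in /etc/docker/daemon.json follows; the gateway address and netmask shown are placeholders:

{"bip": "10.200.0.1/16"}

With this value, docker0 uses the 10.200.0.0/16 subnet, 10.200.0.1 is the network gateway, and MCR assigns container addresses from the remainder of that range.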
The docker_gwbridge is a virtual network interface that connects
overlay networks (including ingress) to individual MCR container networks.
Initializing a Docker swarm or joining a Docker host to a swarm automatically
creates docker_gwbridge in the kernel of the Docker host. The default
docker_gwbridge subnet (172.18.0.0/16) is the second available subnet
in default-address-pools.
To change the docker_gwbridge subnet, open daemon.json and modify the
second pool in default-address-pools:
{"default-address-pools":[{"base":"172.17.0.0/16","size":16},{"base":"172.18.0.0/16","size":16}, <-- Modify this value{"base":"172.19.0.0/16","size":16},{"base":"172.20.0.0/16","size":16},{"base":"172.21.0.0/16","size":16},{"base":"172.22.0.0/16","size":16},{"base":"172.23.0.0/16","size":16},{"base":"172.24.0.0/16","size":16},{"base":"172.25.0.0/16","size":16},{"base":"172.26.0.0/16","size":16},{"base":"172.27.0.0/16","size":16},{"base":"172.28.0.0/16","size":16},{"base":"172.29.0.0/16","size":16},{"base":"172.30.0.0/16","size":16},{"base":"192.168.0.0/16","size":20}]}
Caution
Modifying the first pool to customize the docker0 subnet can affect
the default docker_gwbridge subnet. Refer to
docker0 for more information.
You can only customize the docker_gwbridge settings before you join
the host to the swarm or after temporarily removing it.
The default address pool that Docker Swarm uses for its overlay network is
10.0.0.0/8. If this pool conflicts with your current network
implementation, you must use a custom IP address pool. Prior to installing MKE,
specify your custom address pool using the --default-addr-pool
option when initializing swarm.
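For example, assuming a custom pool of 10.10.0.0/16 (a placeholder value), you might initialize the swarm as follows:

docker swarm init --default-addr-pool 10.10.0.0/16

You can repeat the --default-addr-pool option to supply more than one range, and the optional --default-addr-pool-mask-length option controls the size of the subnets allocated from the pool.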
Note
The Swarm default-addr-pool and MCR default-address-pools settings
define two separate IP address ranges used for different purposes.
A node.Status.Addr of 0.0.0.0 can cause unexpected problems. To
prevent any such issues, add the --advertise-addr flag to the
docker swarm join command.
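A sketch of the join command with the flag set follows; the IP addresses and token are placeholders:

docker swarm join --advertise-addr 10.0.0.5 --token <worker-token> 10.0.0.2:2377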
To resolve the 0.0.0.0 situation, initiate the following workaround:
Stop the Docker daemon on the node whose .Status.Addr is 0.0.0.0.
In the /var/lib/docker/swarm/docker-state.json file, apply the correct
node IP to AdvertiseAddr and LocalAddr.
Kubernetes uses two internal IP ranges, either of
which can overlap and conflict with the underlying infrastructure, thus
requiring custom IP ranges.
The pod network
Either Calico or Azure IPAM services gives each Kubernetes pod
an IP address in the default 192.168.0.0/16 range. To customize this
range, during MKE installation, use the --pod-cidr flag with the
ucp install command.
The services network
You can access Kubernetes services with a VIP in the default 10.96.0.0/16
Cluster IP range. To customize this range, during MKE installation, use
the --service-cluster-ip-range flag with the ucp install
command.
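The following install sketch shows these two flags in use; the image tag and CIDR values are placeholder assumptions that you should adjust to your environment:

docker container run --rm -it --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:3.x.y install \
  --host-address <node-ip> \
  --pod-cidr 10.50.0.0/16 \
  --service-cluster-ip-range 10.96.0.0/16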
The storage path for such persisted data as images, volumes, and cluster state
is docker data root (data-root in /etc/docker/daemon.json).
MKE clusters require that all nodes have the same docker data-root for the
Kubernetes network to function correctly. In addition, if the data-root is
changed on all nodes you must recreate the Kubernetes network configuration in
MKE by running the following commands:
The no-new-privileges setting prevents the container application processes
from gaining new privileges during the execution process.
For most Linux distributions, MKE supports setting no-new-privileges to
true in the /etc/docker/daemon.json file. The parameter is not,
however, supported on RHEL 7.9, CentOS 7.9, Oracle Linux 7.8, and Oracle Linux
7.9.
This option is not supported on Windows. It is a Linux kernel feature.
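A minimal daemon.json sketch with the setting enabled follows; as with other daemon.json edits, restart docker.service afterward for the change to take effect:

{
  "no-new-privileges": true
}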
MCR hosts that run the devicemapper storage driver use the loop-lvm
configuration mode by default. This mode uses sparse files to build
the thin pool used by image and container snapshots and is designed to work
without any additional configuration.
Note
Mirantis recommends that you use direct-lvm mode in production
environments in lieu of loop-lvm mode. direct-lvm mode is more
efficient in its use of system resources than loop-lvm mode, and you can
scale it as necessary.
To report accurate memory metrics, MCR requires that you enable specific kernel
settings that are often disabled on Ubuntu and Debian systems. For detailed
instructions on how to do this, refer to the Docker documentation,
Your kernel does not support cgroup swap limit capabilities.
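On Ubuntu and Debian systems, the approach described in the Docker documentation is to enable memory and swap accounting through the kernel command line. The following is a sketch of that procedure; confirm the exact steps against the referenced documentation for your distribution:

# In /etc/default/grub, add the accounting flags to the kernel command line
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"

# Apply the change and reboot
sudo update-grub
sudo reboot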
A well-configured network is essential for the proper functioning of your MKE
deployment. Pay particular attention to such key factors as IP address
provisioning, port management, and traffic enablement.
When installing MKE on a host, you need to open specific ports to
incoming traffic. Each port listens for incoming traffic from a particular set
of hosts, known as the port scope.
MKE uses the following scopes:
Scope
Description
External
Traffic arrives from outside the cluster through end-user interaction.
Internal
Traffic arrives from other hosts in the same cluster.
Self
Traffic arrives at Self ports only from processes on the same host.
These ports do not need to be open to outside traffic.
Open the following ports for incoming traffic on each host type:
Hosts
Port
Scope
Purpose
Managers, workers
TCP 179
Internal
BGP peers, used for Kubernetes networking
Managers
TCP 443 (configurable)
External, internal
MKE web UI and API
Managers
TCP 2376 (configurable)
Internal
Docker swarm manager, used for backwards compatibility
Managers
TCP 2377 (configurable)
Internal
Control communication between swarm nodes
Managers, workers
UDP 4789
Internal
Overlay networking
Managers
TCP 6443 (configurable)
External, internal
Kubernetes API server endpoint
Managers, workers
TCP 6444
Self
Kubernetes API reverse proxy
Managers, workers
TCP, UDP 7946
Internal
Gossip-based clustering
Managers
TCP 9055
Internal
ucp-rethinkdb-exporter metrics
Managers, workers
TCP 9091
Internal
Felix Prometheus calico-node metrics
Managers
TCP 9094
Self
Felix Prometheus kube-controller metrics
Managers, workers
TCP 9099
Self
Calico health check
Managers, workers
TCP 9100
Internal
ucp-node-exporter metrics
Managers, workers
TCP 10248
Self
Kubelet health check
Managers, workers
TCP 10250
Internal
Kubelet
Managers, workers
TCP 12376
Internal
TLS authentication proxy that provides access to MCR
Managers, workers
TCP 12378
Self
etcd reverse proxy
Managers
TCP 12379
Internal
etcd Control API
Managers
TCP 12380
Internal
etcd Peer API
Managers
TCP 12381
Internal
MKE cluster certificate authority
Managers
TCP 12382
Internal
MKE client certificate authority
Managers
TCP 12383
Internal
Authentication storage backend
Managers
TCP 12384
Internal
Authentication storage backend for replication across
managers
Swarm workloads that require the use of encrypted overlay networks must
use iptables proxier with either the managed CNI or an unmanaged
alternative. Be aware that the other networking options detailed here
automatically disable Docker Swarm encrypted overlay networks.
Tigera, with customers paying for additional features
Cilium Open Source
Community
Planned
Mirantis
Community or Isovalent
Cilium Enterprise
Isovalent
Isovalent
Mirantis
Isovalent
To enable kube-proxy with iptables proxier while using the managed CNI:
Using the default option, kube-proxy with iptables proxier, is
equivalent to specifying --kube-proxy-mode=iptables at install time. To
verify that the option is operational, confirm the presence of the following
line in the ucp-kube-proxy container logs:
To enable kube-proxy with ipvs proxier while using the managed CNI:
Prior to MKE installation, verify that the following kernel modules are
available on all Linux manager and worker nodes, as shown in the
verification sketch that follows the list:
ipvs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
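A quick way to verify the modules on each node is to query the kernel directly. This is a minimal sketch; module names can vary slightly between kernel versions (for example, on newer kernels the nf_conntrack_ipv4 functionality is part of nf_conntrack):

# List the IPVS and conntrack modules that are currently loaded
lsmod | grep -E 'ip_vs|nf_conntrack'

# Load any missing modules
sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack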
Specify --kube-proxy-mode=ipvs at install time.
Optional. Once installation is complete, configure the following
ipvs-related parameters in the MKE configuration file (otherwise, MKE will
use the Kubernetes default parameter settings):
ipvs_exclude_cidrs=""
ipvs_min_sync_period=""
ipvs_scheduler=""
ipvs_strict_arp=false
ipvs_sync_period=""
ipvs_tcp_timeout=""
ipvs_tcpfin_timeout=""
ipvs_udp_timeout=""
For more information on using these parameters, refer to kube-proxy
in the Kubernetes documentation.
Note
The ipvs-related parameters have no install time counterparts and
therefore must only be configured once MKE installation is complete.
Verify that kube-proxy with ipvs proxier is operational by confirming the
presence of the following lines in the ucp-kube-proxy container logs:
Verify that the prerequisites for eBPF use have been met, including kernel
compatibility, for all Linux manager and worker nodes. Refer to the Calico
documentation Enable the eBPF dataplane for more
information.
Specify --calico-ebpf-enabled at install time.
Verify that eBPF mode is operational by confirming the presence of the
following lines in the ucp-kube-proxy container logs:
Verify that the prerequisites for eBPF use have been met, including kernel
compatibility, for all Linux manager and worker nodes. Refer to the Calico
documentation Enable the eBPF dataplane for
more information.
Specify the following parameters at install time:
--unmanaged-cni
--kube-proxy-mode=disabled
--kube-default-drop-masq-bits
Verify that eBPF mode is operational by confirming the presence of the
following lines in ucp-kube-proxy container logs:
Calico is the default networking plugin for MKE. The default Calico
encapsulation setting for MKE is VXLAN, however the plugin also supports
IP-in-IP encapsulation. Refer to the Calico documentation on Overlay
networking for
more information.
Important
NetworkManager can impair the Calico agent routing function. To resolve
this issue, you must create a file called
/etc/NetworkManager/conf.d/calico.conf with the following content:
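The Calico documentation describes content along the following lines for this file, which tells NetworkManager to leave Calico-managed interfaces alone; verify the exact interface patterns against the Calico documentation for your version:

[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico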
You can enable Multus CNI in the MKE cluster when you install MKE, using the
--multus-cni flag with the MKE install CLI command.
Multus CNI acts as a meta plugin, enabling the attachment of multiple network
interfaces to multi-homed Pods. Refer to Multus CNI on GitHub for more information.
Avoid firewall conflicts in the following Linux distributions:
Linux distribution
Procedure
SUSE Linux Enterprise Server 12 SP2
Installations have the FW_LO_NOTRACK flag turned on by default in
the openSUSE firewall. It speeds up packet processing on the
loopback interface but breaks certain firewall setups that redirect
outgoing packets via custom rules on the local machine.
To turn off the FW_LO_NOTRACK option:
In /etc/sysconfig/SuSEfirewall2, set FW_LO_NOTRACK="no".
Either restart the firewall or reboot the system.
SUSE Linux Enterprise Server 12 SP3
No change is required, as installations have the FW_LO_NOTRACK flag
turned off by default.
Before performing SUSE Linux Enterprise Server (SLES) installations, consider
the following prerequisite steps:
For SLES 15 installations, disable CLOUD_NETCONFIG_MANAGE prior to
installing MKE:
Set CLOUD_NETCONFIG_MANAGE="no" in the
/etc/sysconfig/network/ifcfg-eth0 network interface configuration
file.
Run the service network restart command.
By default, SLES disables connection tracking. To allow
Kubernetes controllers in Calico to reach the Kubernetes API server, enable
connection tracking on the loopback interface for SLES by running the
following commands for each node in the cluster:
Network lag of more than two seconds between MKE manager nodes can cause
problems in your MKE cluster. For example, such a lag can indicate to MKE
components that the other nodes are down, triggering unnecessary leadership
elections that cause temporary outages and reduced performance. To resolve
the issue, decrease the latency of the MKE node communication network.
Configure all containers in an MKE cluster to regularly synchronize with a
Network Time Protocol (NTP) server, to ensure consistency between all
containers in the cluster and to circumvent unexpected behavior that can lead
to poor performance.
Though MKE does not include a load balancer, you can configure your own to
balance user requests across all manager nodes. Before you do, decide whether
you will add nodes to the load balancer using their IP address or their fully
qualified domain name (FQDN), and then use that strategy consistently
throughout the cluster. Take note of all IP addresses or FQDNs before you start
the installation.
If you plan to deploy both MKE and MSR, your load balancer must be able to
differentiate between the two: either by IP address or port number. Because
both MKE and MSR use port 443 by default, your options are as follows:
Configure your load balancer to expose either MKE or MSR on a port other than
443.
Configure your load balancer to listen on port 443 with separate virtual IP
addresses for MKE and MSR.
Configure separate load balancers for MKE and MSR, both listening on port
443.
If you want to install MKE in a high-availability configuration with a load
balancer in front of your MKE controllers, include the
appropriate IP address and FQDN for the load balancer VIP. To do so, use one
or more --san flags either with the ucp install command or in
interactive mode when MKE requests additional SANs.
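For example, assuming a load balancer VIP of 10.0.0.100 with the FQDN mke.example.com (both placeholder values), the install command might include:

docker container run --rm -it --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:3.x.y install \
  --host-address <node-ip> \
  --san mke.example.com \
  --san 10.0.0.100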
MKE supports setting values for all IPVS-related parameters that are
exposed by kube-proxy.
Kube-proxy runs on each cluster node, its role being to load-balance traffic
whose destination is services (via cluster IPs and node ports) to the correct
backend pods. Of the modes in which kube-proxy can run, IPVS (IP Virtual
Server) offers the widest choice of load balancing algorithms and superior
scalability.
You can only enable IPVS for MKE at installation, and it persists throughout
the life of the cluster. Thus, you cannot switch to iptables at a
later stage or switch over existing MKE clusters to use IPVS proxier.
Use the --existing-config parameter when installing MKE. You can also
change these values post-install using the MKE ucp/config-toml API
endpoint.
Caution
If you are using MKE 3.3.x with IPVS proxier and plan to upgrade to MKE
3.4.x, you must upgrade to MKE 3.4.3 or later as earlier versions of MKE
3.4.x do not support IPVS proxier.
You can customize MKE to use certificates signed by an External
Certificate Authority (ECA). When using your own certificates,
include a certificate bundle with the following:
ca.pem file with the root CA public certificate.
cert.pem file with the server certificate and any intermediate CA
public certificates. This certificate should also have Subject Alternative
Names (SANs) for all addresses used to reach the MKE manager.
key.pem file with a server private key.
You can either use separate certificates for every manager node or one
certificate for all managers. If you use separate certificates, you must use a
common SAN throughout. For example, MKE permits the following on a three-node
cluster:
node1.company.example.org with the SAN mke.company.org
node2.company.example.org with the SAN mke.company.org
node3.company.example.org with the SAN mke.company.org
If you use a single certificate for all manager nodes, MKE automatically copies
the certificate files both to new manager nodes and to those promoted to a
manager role.
Skip this step if you want to use the default named volumes.
MKE uses named volumes to persist data. If you want to customize
the drivers that manage such volumes, create the volumes
before installing MKE. During the installation process, the installer
will automatically detect the existing volumes and start using them.
Otherwise, MKE will create the default named volumes.
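As an illustration, assuming a hypothetical driver named customdriver, you could pre-create one of the named volumes listed earlier so that MKE adopts it during installation:

docker volume create --driver customdriver ucp-metrics-data

Repeat this for each named volume whose driver you want to control; any volume you do not pre-create is created by MKE with the default driver.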
Sets whether arptables rules apply to bridged network traffic.
If the bridge module is not loaded, and thus no bridges are present,
this key is not present.
call-ip6tables
Default: No default
MKE:1
Sets whether ip6tables rules apply to bridged network traffic.
If the bridge module is not loaded, and thus no bridges are present,
this key is not present.
call-iptables
Default: No default
MKE:1
Sets whether iptables rules apply to bridged network traffic.
If the bridge module is not loaded, and thus no bridges are present,
this key is not present.
filter-pppoe-tagged
Default: No default
MKE:0
Sets whether netfilter rules apply to bridged PPPOE network
traffic. If the bridge module is not loaded, and thus no bridges are
present, this key is not present.
filter-vlan-tagged
Default: No default
MKE:0
Sets whether netfilter rules apply to bridged VLAN network traffic. If
the bridge module is not loaded, and thus no bridges are present, this
key is not present.
pass-vlan-input-dev
Default: No default
MKE:0
Sets whether netfilter strips the incoming VLAN interface name from
bridged traffic. If the bridge module is not loaded, and thus no bridges
are present, this key is not present.
The *.vs.* default values persist, changing only when the ipvs
kernel module has not been previously loaded. For more information, refer
to the Linux kernel documentation.
Parameter
Values
Description
conf.all.accept_redirects
Default:1
MKE:0
Sets whether ICMP redirects are permitted. This key affects all
interfaces.
conf.all.forwarding
Default:0
MKE:1
Sets whether network traffic is forwarded. This key affects all
interfaces.
conf.all.route_localnet
Default:0
MKE:1
Sets 127/8 for local routing. This key
affects all interfaces.
conf.default.forwarding
Default:0
MKE:1
Sets whether network traffic is forwarded. This key
affects new interfaces.
conf.lo.forwarding
Default:0
MKE:1
Sets forwarding for localhost traffic.
ip_forward
Default:0
MKE:1
Sets whether traffic forwards between interfaces. For Kubernetes to run,
this parameter must be set to 1.
vs.am_droprate
Default:10
MKE:10
Sets the always mode drop rate used in mode 3 of the drop_rate
defense.
vs.amemthresh
Default:1024
MKE:1024
Sets the available memory threshold in pages, which is used in the
automatic modes of defense. When there is not enough available memory,
this enables the strategy and the variable is set to 2. Otherwise,
the strategy is disabled and the variable is set to 1.
vs.backup_only
Default:0
MKE:0
Sets whether the director function is disabled while the server is in
back-up mode, to avoid packet loops for DR/TUN methods.
vs.cache_bypass
Default:0
MKE:0
Sets whether packets forward directly to the original destination when
no cache server is available and the destination address is not local
(iph->daddr is RTN_UNICAST). This mostly applies to transparent web
cache clusters.
vs.conn_reuse_mode
Default:1
MKE:1
Sets how IPVS handles connections detected on port reuse. It is a
bitmap with the following values:
0 disables any special handling on port reuse. The new
connection is delivered to the same real server that was servicing the
previous connection, effectively disabling expire_nodest_conn.
bit 1 enables rescheduling of new connections when it is safe.
That is, whenever expire_nodest_conn and for TCP sockets, when
the connection is in TIME_WAIT state (which is only possible if
you use NAT mode).
bit 2 is bit 1 plus, for TCP connections, when connections
are in FIN_WAIT state, as this is the last state seen by load
balancer in Direct Routing mode. This bit helps when adding new
real servers to a very busy cluster.
vs.conntrack
Default:0
MKE:0
Sets whether connection-tracking entries are maintained for connections
handled by IPVS. Enable if connections handled by IPVS
are to be subject to stateful firewall rules. That is, iptables
rules that make use of connection tracking. Otherwise, disable this
setting to optimize performance. Connections handled by
the IPVS FTP application module have connection tracking entries
regardless of this setting, which is only available when IPVS is
compiled with CONFIG_IP_VS_NFCT enabled.
vs.drop_entry
Default:0
MKE:0
Sets whether entries are randomly dropped in the connection hash table,
to collect memory back for new connections. In the current
code, the drop_entry procedure can be activated every second, then
it randomly scans 1/32 of the whole and drops entries that are in the
SYN-RECV/SYNACK state, which should be effective against syn-flooding
attack.
The valid values of drop_entry are 0 to 3, where 0 indicates
that the strategy is always disabled, 1 and 2 indicate automatic
modes (when there is not enough available memory, the strategy
is enabled and the variable is automatically set to 2,
otherwise the strategy is disabled and the variable is set to
1), and 3 indicates that the strategy is always enabled.
vs.drop_packet
Default:0
MKE:0
Sets whether rate packets are dropped prior to being forwarded to real
servers. Rate 1 drops all incoming packets.
The value definition is the same as that for drop_entry. In
automatic mode, the following formula determines the rate:
rate = amemthresh / (amemthresh - available_memory) when available
memory is less than the available memory threshold. When mode 3 is
set, the always mode drop rate is controlled by the
/proc/sys/net/ipv4/vs/am_droprate.
vs.expire_nodest_conn
Default:0
MKE:0
Sets whether the load balancer silently drops packets when its
destination server is not available. This can be useful when the
user-space monitoring program deletes the destination server (due to
server overload or wrong detection) and later adds the server back, and
the connections to the server can continue.
If this feature is enabled, the load balancer terminates the connection
immediately whenever a packet arrives and its destination server is not
available, after which the client program will be notified that the
connection is closed. This is equivalent to the feature that is
sometimes required to flush connections when the destination is not
available.
vs.ignore_tunneled
Default:0
MKE:0
Sets whether IPVS configures the ipvs_property on all packets of
unrecognized protocols. This prevents users from routing such tunneled
protocols as IPIP, which is useful in preventing the rescheduling
packets that have been tunneled to the IPVS host (that is, to prevent
IPVS routing loops when IPVS is also acting as a real server).
vs.nat_icmp_send
Default:0
MKE:0
Sets whether ICMP error messages (ICMP_DEST_UNREACH) are sent for
VS/NAT when the load balancer receives packets from real servers but the
connection entries do not exist.
vs.pmtu_disc
Default:0
MKE:0
Sets whether all DF packets that exceed the PMTU are rejected with
FRAG_NEEDED, irrespective of the forwarding method. For the TUN
method, the flag can be disabled to fragment such packets.
vs.schedule_icmp
Default:0
MKE:0
Sets whether scheduling ICMP packets in IPVS is enabled.
vs.secure_tcp
Default:0
MKE:0
Sets the use of a more complicated TCP state transition table.
For VS/NAT, the secure_tcp defense delays entering the
TCP ESTABLISHED state until the three-way handshake completes. The
value definition is the same as that of drop_entry and
drop_packet.
vs.sloppy_sctp
Default:0
MKE:0
Sets whether IPVS is permitted to create a connection state on any
packet, rather than an SCTP INIT only.
vs.sloppy_tcp
Default:0
MKE:0
Sets whether IPVS is permitted to create a connection state on any
packet, rather than a TCP SYN only.
vs.snat_reroute
Default:0
MKE:1
Sets whether the route of SNATed packets is recalculated from real
servers as if they originate from the director. If disabled, SNATed
packets are routed as if they have been forwarded by the director.
If policy routing is in effect, then it is possible that the route
of a packet originating from a director is routed differently to a
packet being forwarded by the director.
If policy routing is not in effect, then the recalculated route will
always be the same as the original route. It is an optimization
to disable snat_reroute and avoid the recalculation.
vs.sync_persist_mode
Default:0
MKE:0
Sets the synchronization of connections when using persistence. The
possible values are defined as follows:
0 means all types of connections are synchronized.
1 attempts to reduce the synchronization traffic depending on
the connection type. For persistent services, avoid synchronization
for normal connections, do it only for persistence templates.
In such case, for TCP and SCTP it may need enabling sloppy_tcp and
sloppy_sctp flags on back-up servers. For non-persistent services
such optimization is not applied, mode 0 is assumed.
vs.sync_ports
Default:1
MKE:1
Sets the number of threads that the master and back-up servers can use
for sync traffic. Every thread uses a single UDP port, thread 0 uses the
default port 8848, and the last thread uses port
8848+sync_ports-1.
vs.sync_qlen_max
Default: Calculated
MKE: Calculated
Sets a hard limit for queued sync messages that are not yet sent. It
defaults to 1/32 of the memory pages but actually represents a number
of messages. It protects against allocating large parts of memory when
the sending rate is lower than the queuing rate.
vs.sync_refresh_period
Default:0
MKE:0
Sets (in seconds) the difference in the reported connection timer that
triggers new sync messages. It can be used to avoid sync messages for
the specified period (or half of the connection timeout if it is lower)
if the connection state has not changed since last sync.
This is useful for normal connections with high traffic, to reduce the
sync rate. Additionally, it retries sync_retries times with a period of
sync_refresh_period/8.
vs.sync_retries
Default:0
MKE:0
Sets sync retries with period of sync_refresh_period/8. Useful
to protect against loss of sync messages. The range of the
sync_retries is 0 to 3.
vs.sync_sock_size
Default:0
MKE:0
Sets the configuration of SNDBUF (master) or RCVBUF (slave) socket
limit. Default value is 0 (preserve system defaults).
vs.sync_threshold
Default:350
MKE:350
Sets the synchronization threshold, which is the minimum number of
incoming packets that a connection must receive before the
connection is synchronized. A connection will be synchronized every time
the number of its incoming packets modulus sync_period equals the
threshold. The range of the threshold is 0 to sync_period.
When sync_period and sync_refresh_period are 0, sync messages are sent
only for state changes or only once, when the packet count matches
sync_threshold.
vs.sync_version
Default:1
MKE:1
Sets the version of the synchronization protocol to use when sending
synchronization messages. The possible values are:
0 selects the original synchronization protocol (version 0). This
should be used when sending synchronization messages to a legacy
system that only understands the original synchronization protocol.
1 selects the current synchronization protocol (version 1). This
should be used whenever possible.
Kernels with this sync_version entry are able to receive messages
of both version 1 and version 2 of the synchronization protocol.
The net.netfilter.nf_conntrack_<subtree> default values persist,
changing only when the nf_conntrack kernel module has not been
previously loaded. For more information, refer to the
Linux kernel documentation.
Parameter
Values
Description
acct
Default:0
MKE:0
Sets whether connection-tracking flow accounting is enabled. Adds 64-bit
byte and packet counter per flow.
buckets
Default: Calculated
MKE: Calculated
Sets the size of the hash table. If not specified during module loading,
the default size is calculated by dividing total memory by 16384 to
determine the number of buckets. The hash table will never have fewer
than 1024 and never more than 262144 buckets. This sysctl is only
writeable in the initial net namespace.
checksum
Default:0
MKE:0
Sets whether the checksum of incoming packets is verified. Packets with
bad checksums are in an invalid state. If this is enabled, such packets
are not considered for connection tracking.
dccp_loose
Default:0
MKE:1
Sets whether picking up already established connections for Datagram
Congestion Control Protocol (DCCP) is permitted.
dccp_timeout_closereq
Default: Distribution dependent
MKE:64
The parameter description is not yet available in the Linux kernel
documentation.
dccp_timeout_closing
Default: Distribution dependent
MKE:64
The parameter description is not yet available in the Linux kernel
documentation.
dccp_timeout_open
Default: Distribution dependent
MKE:43200
The parameter description is not yet available in the Linux kernel
documentation.
dccp_timeout_partopen
Default: Distribution dependent
MKE:480
The parameter description is not yet available in the Linux kernel
documentation.
dccp_timeout_request
Default: Distribution dependent
MKE:240
The parameter description is not yet available in the Linux kernel
documentation.
dccp_timeout_respond
Default: Distribution dependent
MKE:480
The parameter description is not yet available in the Linux kernel
documentation.
dccp_timeout_timewait
Default: Distribution dependent
MKE:240
The parameter description is not yet available in the Linux kernel
documentation.
events
Default:0
MKE:1
Sets whether the connection tracking code provides userspace with
connection-tracking events through ctnetlink.
expect_max
Default: Calculated
MKE:1024
Sets the maximum size of the expectation table. The default value is
nf_conntrack_buckets / 256. The minimum is 1.
frag6_high_thresh
Default: Calculated
MKE:4194304
Sets the maximum memory used to reassemble IPv6 fragments. When
nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
purpose, the fragment handler tosses packets until
nf_conntrack_frag6_low_thresh is reached. The size of this parameter
is calculated based on system memory.
frag6_low_thresh
Default: Calculated
MKE:3145728
See nf_conntrack_frag6_high_thresh. The size of this parameter is
calculated based on system memory.
frag6_timeout
Default:60
MKE:60
Sets the time to keep an IPv6 fragment in memory.
generic_timeout
Default:600
MKE:600
Sets the default for a generic timeout. This refers to layer 4 unknown
and unsupported protocols.
gre_timeout
Default:30
MKE:30
Sets the GRE timeout for the conntrack table.
gre_timeout_stream
Default:180
MKE:180
Sets the GRE timeout for streamed connections. This extended timeout
is used when a GRE stream is detected.
helper
Default:0
MKE:0
Sets whether the automatic conntrack helper assignment is enabled.
If disabled, you must set up iptables rules to assign
helpers to connections. See the CT target description in the
iptables-extensions(8) man page for more information.
icmp_timeout
Default:30
MKE:30
Sets the default for ICMP timeout.
icmpv6_timeout
Default:30
MKE:30
Sets the default for ICMP6 timeout.
log_invalid
Default:0
MKE:0
Sets whether invalid packets of a type specified by value are logged.
max
Default: Calculated
MKE:131072
Sets the maximum number of allowed connection tracking entries. This
value is set to nf_conntrack_buckets by default.
Connection-tracking entries are added to the table twice, once for the
original direction and once for the reply direction (that is, with
the reversed address). Thus, with default settings a maxed-out
table will have an average hash chain length of 2, not 1.
sctp_timeout_closed
Default: Distribution dependent
MKE:10
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_cookie_echoed
Default: Distribution dependent
MKE:3
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_cookie_wait
Default: Distribution dependent
MKE:3
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_established
Default: Distribution dependent
MKE:432000
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_heartbeat_acked
Default: Distribution dependent
MKE:210
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_heartbeat_sent
Default: Distribution dependent
MKE:30
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_shutdown_ack_sent
Default: Distribution dependent
MKE:3
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_shutdown_recd
Default: Distribution dependent
MKE:0
The parameter description is not yet available in the Linux kernel
documentation.
sctp_timeout_shutdown_sent
Default: Distribution dependent
MKE:0
The parameter description is not yet available in the Linux kernel
documentation.
tcp_be_liberal
Default:0
MKE:0
Sets whether only out of window RST segments are marked as INVALID.
tcp_loose
Default:0
MKE:1
Sets whether already established connections are picked up.
tcp_max_retrans
Default:3
MKE:3
Sets the maximum number of packets that can be retransmitted without
receiving an acceptable ACK from the destination. If this number
is reached, a shorter retransmission timer is started.
tcp_timeout_close
Default: Distribution dependent
MKE:10
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_close_wait
Default: Distribution dependent
MKE:3600
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_fin_wait
Default: Distribution dependent
MKE:120
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_last_ack
Default: Distribution dependent
MKE:30
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_max_retrans
Default: Distribution dependent
MKE:300
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_syn_recv
Default: Distribution dependent
MKE:60
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_syn_sent
Default: Distribution dependent
MKE:120
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_time_wait
Default: Distribution dependent
MKE:120
The parameter description is not yet available in the Linux kernel
documentation.
tcp_timeout_unacknowledged
Default: Distribution dependent
MKE:30
The parameter description is not yet available in the Linux kernel
documentation.
timestamp
Default:0
MKE:0
Sets whether connection-tracking flow timestamping is enabled.
udp_timeout
Default:30
MKE:30
Sets the UDP timeout.
udp_timeout_stream
Default:120
MKE:120
Sets the extended timeout that is used whenever a UDP stream is
detected.
The net.nf_conntrack_<subtree> default values persist, changing only
when the nf_conntrack kernel module has not been previously loaded.
For more information, refer to the Linux kernel documentation.
Parameter
Values
Description
max
Default: Calculated
MKE:131072
Sets the maximum number of connections to track. The size of this
parameter is calculated based on system memory.
To protect kernel parameters from being overridden by kubelet, you can either
invoke the --kube-protect-kernel-defaults option at the time of
MKE install, or, following MKE install, adjust the kube_protect_kernel_defaults
parameter in the cluster_config table of the MKE configuration file.
Important
When enabled, kubelet can fail to start if the kernel parameters on
the nodes are not properly set. You must set those kernel parameters
on the nodes before you install MKE or before adding a new node to an
existing cluster.
Create a configuration file called /etc/sysctl.d/90-kubelet.conf
and add the following snippet to it:
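The exact snippet is not reproduced in this extract. The following is a
minimal sketch of the kind of settings kubelet expects when kernel defaults
are protected; verify the required parameters and values against the MKE
documentation for your version before applying them.
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.panic=10
kernel.panic_on_oops=1
Apply the settings with sudo sysctl -p /etc/sysctl.d/90-kubelet.conf.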
The ucp install command runs in interactive mode,
prompting you for the necessary configuration values. For more information
about the ucp install command, including how to install MKE on a
system with SELinux enabled, refer to the MKE Operations Guide:
mirantis/ucp install.
Note
MKE installs Project Calico for Kubernetes container-to-container
communication. However, you may install an alternative CNI plugin, such as
Cilium, Weave, or Flannel. For more information, refer to the
MKE Operations Guide: Installing an unmanaged CNI plugin.
After you Install the MKE image, proceed with
downloading your MKE license as described below. This section also contains
steps to apply your new license using the MKE web UI.
Warning
Users are not authorized to run MKE without a valid license. For more
information, refer to Mirantis Agreements and Terms.
To download your MKE license:
Open an email from Mirantis Support with the subject
Welcome to Mirantis’ CloudCare Portal and follow the instructions
for logging in.
If you did not receive the CloudCare Portal email, it is likely that
you have not yet been added as a Designated Contact. To remedy this,
contact your Designated Administrator.
In the top navigation bar, click Environments.
Click the Cloud Name associated with the license you want to
download.
Scroll down to License Information and click the
License File URL. A new tab opens in your browser.
Click View file to download your license file.
To update your license settings in the MKE web UI:
Log in to your MKE instance using an administrator account.
In the left navigation, click Settings.
On the General tab, click Apply new license. A file
browser dialog displays.
Navigate to where you saved the license key (.lic) file, select it,
and click Open. MKE automatically updates with the new settings.
Note
Though MKE is generally a subscription-only service, Mirantis offers a free
trial license by request. Use our contact form to request a free trial license.
This section describes how to customize your MKE installation on AWS.
Note
You may skip this topic if you plan to install MKE on AWS with no
customizations or if you will only deploy Docker Swarm workloads. Refer to
Install the MKE image for the appropriate installation instruction.
Tag your instance, VPC, security-groups, and subnets by specifying
kubernetes.io/cluster/<unique-cluster-id> in the Key field
and <cluster-type> in the Value field.
Possible <cluster-type> values are as follows:
owned, if the cluster owns and manages the resources that it creates
shared, if the cluster shares its resources between multiple clusters
For example, Key: kubernetes.io/cluster/1729543642a6 and
Value: owned.
To enable introspection and resource provisioning, specify an instance
profile with appropriate policies for manager nodes. The following is
an example of a very permissive instance profile:
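The original example is not reproduced in this extract. The policy statement
below is an illustrative sketch only, granting broad EC2, load balancing,
Route 53, and autoscaling permissions; narrow it to your security
requirements before use.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*",
        "route53:*",
        "autoscaling:*"
      ],
      "Resource": "*"
    }
  ]
}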
To enable access to dynamically provisioned resources, specify an instance
profile with appropriate policies for worker nodes. The following is an
example of a very permissive instance profile:
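Again as an illustrative sketch rather than the exact documented profile, a
worker instance profile typically needs EC2 describe permissions and volume
operations for dynamically provisioned storage.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}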
After you perform the steps described in Prerequisites, run the
following command to install MKE on a master node. Substitute <ucp-ip> with
the private IP address of the master node.
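A typical invocation resembles the following sketch; the image tag and exact
flags are placeholders, so verify them against the mirantis/ucp install
reference for your MKE version.
docker container run --rm -it --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:<version> install \
  --host-address <ucp-ip> \
  --cloud-provider aws \
  --interactive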
Mirantis Kubernetes Engine (MKE) closely integrates with Microsoft
Azure for its Kubernetes Networking and Persistent Storage feature set.
MKE deploys the Calico CNI provider. In Azure, the Calico CNI leverages
the Azure networking infrastructure for data path networking and the
Azure IPAM for IP address management.
To avoid significant issues during the installation process, you must meet the
following infrastructure prerequisites to successfully deploy MKE on Azure.
Deploy all MKE nodes (managers and workers) into the
same Azure resource group. You can deploy the Azure networking components
(virtual network, subnets, security groups) in a second Azure resource
group.
Size the Azure virtual network and subnet appropriately for
your environment, because addresses from this pool will be consumed by
Kubernetes Pods.
Attach all MKE worker and manager nodes to the same Azure subnet.
Set internal IP addresses for all nodes to Static rather than
the Dynamic default.
Match the Azure virtual machine object name to the Azure
virtual machine computer name and the node operating system hostname that is
the FQDN of the host (including domain names). All characters in the names
must be in lowercase.
Ensure the presence of an Azure Service Principal with Contributor
access to the Azure resource group hosting the MKE nodes. Kubernetes uses
this Service Principal to communicate with the Azure API. The Service
Principal ID and Secret Key are MKE prerequisites.
If you are using a separate resource group for the networking components,
the same Service Principal must have NetworkContributor access to this
resource group.
Ensure that an NSG that is open between all IPs on the Azure subnet is
passed into MKE during installation. Kubernetes Pods integrate into the
underlying Azure networking stack, from an IPAM and routing perspective,
with the Azure CNI IPAM module. As such, Azure network security groups
(NSG) impact pod-to-pod communication. End users may expose containerized
services on a range of underlying ports, which can result in a manual
process of opening an NSG port every time a new containerized service is
deployed on the platform. This affects only workloads that deploy on the
Kubernetes orchestrator.
To limit exposure, restrict the use of the Azure subnet to container host
VMs and Kubernetes Pods. Additionally, you can leverage Kubernetes Network
Policies to provide micro segmentation for containerized applications and
services.
The MKE installation requires the following information:
subscriptionId
Azure Subscription ID in which to deploy the MKE objects
tenantId
Azure Active Directory Tenant ID in which to deploy the MKE objects
MKE configures the Azure IPAM module for Kubernetes so that it can allocate IP
addresses for Kubernetes Pods. Per Azure IPAM module requirements, the
configuration of each Azure VM that is part of the Kubernetes cluster must
include a pool of IP addresses.
You can use automatic or manual IPs provisioning for the Kubernetes cluster on
Azure.
Automatic provisioning
Allows for IP pool configuration and maintenance for standalone Azure
virtual machines (VMs). This service runs within the calico-node
daemonset and provisions 128 IP addresses for each node by default.
Note
If you are using a VXLAN data plane, MKE automatically uses Calico IPAM.
It is not necessary to do anything specific for Azure IPAM.
New MKE installations use Calico VXLAN as the default data plane (the
MKE configuration calico_vxlan is set to true). MKE does not use
Calico VXLAN if the MKE version is lower than 3.3.0 or if you upgrade
MKE from lower than 3.3.0 to 3.3.0 or higher.
Manual provisioning
Manual provisioning of additional IP address for each Azure VM can be done
through the Azure Portal, the Azure CLI az network nic
ip-config create, or an ARM template.
For MKE to integrate with Microsoft Azure, the azure.json configuration
file must be identical across all manager and worker nodes in your cluster. For
Linux nodes, place the file in /etc/kubernetes on each host. For Windows
nodes, place the file in C:\k on each host. Because root owns the
configuration file, set its permissions to 0644 to ensure that the
container user has read access.
The following is an example template for azure.json.
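The template itself is not reproduced in this extract. The field set shown
below is representative of the Kubernetes Azure cloud provider configuration
rather than an exhaustive MKE-specific template; substitute your own
identifiers and verify the required fields against the MKE documentation for
your version.
{
  "cloud": "AzurePublicCloud",
  "tenantId": "<tenant-id>",
  "subscriptionId": "<subscription-id>",
  "aadClientId": "<service-principal-app-id>",
  "aadClientSecret": "<service-principal-secret>",
  "resourceGroup": "<resource-group-name>",
  "location": "<azure-region>",
  "subnetName": "<subnet-name>",
  "securityGroupName": "<nsg-name>",
  "vnetName": "<vnet-name>",
  "useInstanceMetadata": true
}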
To avoid significant issues during the installation process, follow
these guidelines to either use the appropriate size network in Azure or
take the necessary actions to fit within the subnet.
Configure the subnet and the virtual network associated with the primary
interface of the Azure VMs with an adequate address prefix/range. The number of
required IP addresses depends on the workload and the number of nodes in the
cluster.
For example, for a cluster of 256 nodes, make sure that the address space
of the subnet and the virtual network can allocate at least 128 * 256
IP addresses, in order to run a maximum of 128 pods concurrently on a
node. This is in addition to initial IP allocations to VM
network interface card (NICs) during Azure resource creation.
Accounting for the allocation of IP addresses to NICs that occur during VM
bring-up, set the address space of the subnet and virtual network to
10.0.0.0/16. This ensures that the network can dynamically allocate
at least 32768 addresses, plus a buffer for initial allocations for
primary IP addresses.
Note
The Azure IPAM module queries the metadata of an Azure VM to obtain a list
of the IP addresses that are assigned to the VM NICs. The IPAM module
allocates these IP addresses to Kubernetes pods. You configure the IP
addresses as ipConfigurations in the NICs associated with a VM or
scale set member, so that Azure IPAM can provide the addresses to Kubernetes
on request.
Manually provision IP address pools as part of an Azure VM scale set
Configure IP Pools for each member of the VM scale set during
provisioning by associating multiple ipConfigurations with the scale
set’s networkInterfaceConfigurations.
The following example networkProfile configuration for an ARM template
configures pools of 32 IP addresses for each VM in the VM scale set.
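The full ARM example is not reproduced in this extract. The abbreviated
fragment below shows the general shape of such a networkProfile, with only
the first two of the 32 ipConfigurations included; the names and subnet
reference are placeholders.
"networkProfile": {
  "networkInterfaceConfigurations": [
    {
      "name": "<nic-name>",
      "properties": {
        "primary": true,
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "primary": true,
              "subnet": { "id": "<subnet-resource-id>" }
            }
          },
          {
            "name": "ipconfig2",
            "properties": {
              "subnet": { "id": "<subnet-resource-id>" }
            }
          }
        ]
      }
    }
  ]
}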
During an MKE installation, you can alter the number of Azure IP
addresses that MKE automatically provisions for pods.
By default, MKE provisions 128 addresses, from the same Azure subnet as the
hosts, for each VM in the cluster. If, however, you have manually attached
additional IP addresses to the VMs (by way of an ARM template, the Azure CLI,
or the Azure Portal) or you are deploying into a small Azure subnet (smaller
than /16), you can use the --azure-ip-count flag at install time.
Note
Do not set the --azure-ip-count variable to a value of less than 6 if
you have not manually provisioned additional IP addresses for each VM. The
MKE installation needs at least 6 IP addresses to allocate to the core MKE
components that run as Kubernetes pods (in addition to the VM’s private IP
address).
Below are several example scenarios that require the defining of the
--azure-ip-count variable.
Scenario 1: Manually provisioned addresses
If you have manually provisioned additional IP addresses for each VM and want
to disable MKE from dynamically provisioning more IP addresses, you must
pass --azure-ip-count 0 into the MKE installation command.
Scenario 2: Reducing the number of provisioned addresses
Pass --azure-ip-count <custom_value> into the MKE installation command
to reduce the number of IP addresses dynamically allocated from 128 to a
custom value due to:
Primary use of the Swarm Orchestrator
Deployment of MKE on a small Azure subnet (for example, /24)
Plans to run a small number of Kubernetes pods on each node
To adjust this value post-installation, refer to the instructions on how to
download the MKE configuration file, change the value, and update
the configuration via the API.
Note
If you reduce the value post-installation, existing VMs will not
reconcile and you will need to manually edit the IP count in Azure.
Run the following command to install MKE on a manager node.
The --pod-cidr option maps to the IP address range that you configured
for the Azure subnet.
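A typical invocation resembles the following sketch; the image tag and option
values are placeholders, so verify them against the mirantis/ucp install
reference for your MKE version.
docker container run --rm -it --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:<version> install \
  --host-address <node-private-ip> \
  --pod-cidr <azure-subnet-cidr> \
  --cloud-provider Azure \
  --interactive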
Note
The pod-cidr range must match the Azure virtual network’s subnet
attached to the hosts. For example, if the Azure virtual network had the
range 172.0.0.0/16 with VMs provisioned on an Azure subnet of
172.0.1.0/24, then the Pod CIDR should also be 172.0.1.0/24.
This requirement applies only when MKE does not use the VXLAN data plane.
If MKE uses the VXLAN data plane, the pod-cidr range must be
different than the node IP subnet.
The --host-address maps to the private IP address of the master node.
The --azure-ip-count serves to adjust the amount of IP addresses
provisioned to each VM.
You can create your own Azure custom roles for use with MKE. You can assign
these roles to users, groups, and service principals at management group (in
preview only), subscription, and resource group scopes.
Deploy an MKE cluster into a single resource group
A resource group
is a container that holds resources for an Azure solution. These resources are
the virtual machines (VMs), networks, and storage accounts that are associated
with the swarm.
To create a custom all-in-one role with permissions to deploy an MKE cluster
into a single resource group:
Create the role permissions JSON file.
For example:
{"Name":"Docker Platform All-in-One","IsCustom":true,"Description":"Can install and manage Docker platform.","Actions":["Microsoft.Authorization/*/read","Microsoft.Authorization/roleAssignments/write","Microsoft.Compute/availabilitySets/read","Microsoft.Compute/availabilitySets/write","Microsoft.Compute/disks/read","Microsoft.Compute/disks/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write","Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/write","Microsoft.Network/loadBalancers/backendAddressPools/join/action","Microsoft.Network/networkInterfaces/read","Microsoft.Network/networkInterfaces/write","Microsoft.Network/networkInterfaces/join/action","Microsoft.Network/networkSecurityGroups/read","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/join/action","Microsoft.Network/networkSecurityGroups/securityRules/read","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/publicIPAddresses/read","Microsoft.Network/publicIPAddresses/write","Microsoft.Network/publicIPAddresses/join/action","Microsoft.Network/virtualNetworks/read","Microsoft.Network/virtualNetworks/write","Microsoft.Network/virtualNetworks/subnets/read","Microsoft.Network/virtualNetworks/subnets/write","Microsoft.Network/virtualNetworks/subnets/join/action","Microsoft.Resources/subscriptions/resourcegroups/read","Microsoft.Resources/subscriptions/resourcegroups/write","Microsoft.Security/advancedThreatProtectionSettings/read","Microsoft.Security/advancedThreatProtectionSettings/write","Microsoft.Storage/*/read","Microsoft.Storage/storageAccounts/listKeys/action","Microsoft.Storage/storageAccounts/write"],"NotActions":[],"AssignableScopes":["/subscriptions/6096d756-3192-4c1f-ac62-35f1c823085d"]}
Compute resources act as servers for running containers.
To create a custom role to deploy MKE compute resources only:
Create the role permissions JSON file.
For example:
{"Name":"Docker Platform","IsCustom":true,"Description":"Can install and run Docker platform.","Actions":["Microsoft.Authorization/*/read","Microsoft.Authorization/roleAssignments/write","Microsoft.Compute/availabilitySets/read","Microsoft.Compute/availabilitySets/write","Microsoft.Compute/disks/read","Microsoft.Compute/disks/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write","Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/write","Microsoft.Network/networkInterfaces/read","Microsoft.Network/networkInterfaces/write","Microsoft.Network/networkInterfaces/join/action","Microsoft.Network/publicIPAddresses/read","Microsoft.Network/virtualNetworks/read","Microsoft.Network/virtualNetworks/subnets/read","Microsoft.Network/virtualNetworks/subnets/join/action","Microsoft.Resources/subscriptions/resourcegroups/read","Microsoft.Resources/subscriptions/resourcegroups/write","Microsoft.Security/advancedThreatProtectionSettings/read","Microsoft.Security/advancedThreatProtectionSettings/write","Microsoft.Storage/storageAccounts/read","Microsoft.Storage/storageAccounts/listKeys/action","Microsoft.Storage/storageAccounts/write"],"NotActions":[],"AssignableScopes":["/subscriptions/6096d756-3192-4c1f-ac62-35f1c823085d"]}
MKE includes support for installing and running MKE on Google Cloud Platform
(GCP). You will learn in this section how to prepare your system for MKE
installation on GCP, how to perform the installation, and some limitations
with the support for GCP on MKE.
Ensure that all MKE instances have the necessary authorization for managing
cloud resources.
GCP defines authorization through the use of service accounts, roles, and
access scopes. For information on how to best configure the authorization
required for your MKE instances, refer to
Google Cloud official documentation: Service accounts.
An example of a permissible role for a service account is roles/owner,
and an example of an access scope that provides access to most Google
services is https://www.googleapis.com/auth/cloud-platform. As a best
practice, define a broad access scope such as this to an instance and then
restrict access using roles.
Ensure that all of your MKE instance names share the same prefix and that
each instance is tagged with that prefix. For example, if the instance
names are testcluster-m1 and testcluster-m2, tag the associated instances
with testcluster.
An MKE cluster that is running Kubernetes 1.13.0 or later, which does not
already have network load-balancing functionality.
A cluster network configuration that is compatible with MetalLB.
Available IPv4 addresses that MetalLB can allocate.
BGP operating mode requires one or more routers capable of communicating with
BGP.
When using the L2 operating mode, traffic on port 7946 (TCP and UDP; a
different port can be configured) must be allowed between nodes, as
required by memberlist.
Verification that kube-proxy is running in iptables mode.
Verification of the absence of any cloud provider configuration.
To install MKE on an offline host, you must first use a separate computer with
an Internet connection to download a single package with all the images and
then copy that package to the host where you will install MKE. Once the package
is on the host and loaded, you can install MKE offline as described in
Install the MKE image.
Note
During the offline installation, both manager and worker nodes must be
offline.
This topic describes how to uninstall MKE from your cluster. After uninstalling
MKE, your instances of MCR will continue running in swarm mode and your
applications will run normally. You will not, however, be able to do the
following unless you reinstall MKE:
Enforce role-based access control (RBAC) to the cluster.
Monitor and manage the cluster from a central place.
Join new nodes using docker swarm join.
Note
You cannot join new nodes to your cluster after uninstalling MKE because
your cluster will be in swarm mode, and swarm mode relies on MKE to
provide the CA certificates that allow nodes to communicate with each
other. After the certificates expire, the nodes will not be able to
communicate at all. Either reinstall MKE before the certificates expire,
or disable swarm mode by running docker swarm leave --force on every
node.
To uninstall MKE:
Note
If SELinux is enabled, you must temporarily disable it prior to running the
uninstall-ucp command.
Log in to a manager node using SSH.
Run the uninstall-ucp command in interactive mode, thus prompting
you for the necessary configuration values:
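A typical invocation resembles the following sketch; the image tag is a
placeholder, and the /var/log mount is included so that the uninstall logs
remain accessible, as noted below.
docker container run --rm -it --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/log:/var/log \
  mirantis/ucp:<version> uninstall-ucp --interactive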
On each manager node, remove the remaining MKE volumes:
docker volume rm $(docker volume ls -f name=ucp -q)
Note
If the uninstall-ucp command fails, refer to the logs in /var/log on any
manager node. Be aware that you will not be able to access the logs if the
/var/log:/var/log volume is not mounted while running the ucp container.
MKE keeps the configuration by default in
case you want to reinstall MKE later with the same configuration. For all
available uninstall-ucp options, refer to
mirantis/ucp uninstall-ucp.
Optional. Restore the host IP tables to their pre-MKE installation values by
restarting the node.
Note
The Calico network plugin changed the host IP tables from their original
values during MKE installation.
Swarm-only mode is an MKE configuration that supports only Swarm orchestration.
Without Kubernetes and its operational and health-check dependencies, the
resulting installation is highly stable and smaller than a typical
mixed-orchestration MKE installation.
You can only enable or disable Swarm-only mode at the time of MKE installation.
MKE preserves the Swarm-only setting through upgrades, backups, and system
restoration. Installing MKE in Swarm-only mode pulls only the images required
to run MKE in this configuration. Refer to Swarm-only images for more
information.
Note
Installing MKE in Swarm-only mode removes all Kubernetes options from the
MKE web UI.
In addition, MKE includes the --swarm-only flag with the bootstrapper
images command, which you can use to pull or to check the
required images on manager nodes.
Caution
To restore Swarm-only clusters, invoke the ucp restore command
with the --swarm-only option.
In Swarm-only mode, MKE runs the Prometheus server and the authenticating proxy
in a single container on each manager node. Thus, unlike in conventional MKE
installations, you cannot configure Prometheus server placement. Prometheus
does not collect Kubernetes metrics in Swarm-only mode, and it requires an
additional reserved port on manager nodes: 12387.
The MKE Operations Guide provides the comprehensive information
you need to run the MKE container orchestration platform. The guide is
intended for anyone who needs to effectively develop and securely administer
applications at scale, on private clouds, public clouds, and on bare metal.
You can access an MKE cluster in a variety of ways including through the MKE
web UI, Docker CLI, and kubectl (the Kubernetes CLI). To use the
Docker CLI and kubectl with MKE, first download a client certificate
bundle. This topic describes the MKE web UI, how to download and configure the
client bundle, and how to configure kubectl with MKE.
MKE allows you to control your cluster visually using the web UI. Role-based
access control (RBAC) gives administrators and non-administrators access to
the following web UI features:
Administrators:
Manage cluster configurations.
View and edit all cluster images, networks, volumes, and containers.
Manage the permissions of users, teams, and organizations.
Grant node-specific task scheduling permissions to users.
Non-administrators:
View and edit all cluster images, networks, volumes, and containers.
Requires administrator to grant access.
To access the MKE web UI:
Open a browser and navigate to https://<ip-address> (substituting
<ip-address> with the IP address of the machine that ran
docker run).
The expected Docker CLI server version starts with ucp/, and the
expected kubectl context name starts with ucp_.
Optional. Change your context directly using the client certificate bundle
.zip files. In the directory where you downloaded the user bundle, add
the new context:
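For example, assuming the bundle was downloaded as ucp-bundle-admin.zip (the
file name varies by user), you can import it as a new Docker context and
switch to it; the context name here is arbitrary.
docker context import mymke ucp-bundle-admin.zip
docker context use mymke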
If you use the client certificate bundle with buildkit, make
sure that builds are not accidentally scheduled on manager nodes. For more
information, refer to Manage services node deployment.
MKE installations include Kubernetes. Users can
deploy, manage, and monitor Kubernetes using either the MKE web UI or kubectl.
To install and use kubectl:
Identify which version of Kubernetes you are running by using the MKE web
UI, the MKE API version endpoint, or the Docker CLI
docker version command with the client bundle.
Caution
Kubernetes requires that kubectl and Kubernetes be within one
minor version of each other.
Helm recommends that you specify a Role and RoleBinding to limit
the scope of Tiller to a particular namespace. Refer to the
official Helm documentation
for more information.
With MKE, you can add labels to your nodes. Labels are metadata
that describe the node, such as:
node role (development, QA, production)
node region (US, EU, APAC)
disk type (HDD, SSD)
Once you apply a label to a node, you can specify constraints when deploying a
service to ensure that the service only runs on nodes that meet particular
criteria.
Hint
Use resource sets (MKE collections or Kubernetes namespaces) to organize access to your cluster, rather than creating labels
for authorization and permissions to resources.
The following example procedure applies the ssd label to a node.
Log in to the MKE web UI with administrator credentials.
Click Shared Resources in the navigation menu to expand the
selections.
Click Nodes. The details pane will display the full list of
nodes.
Click the node on the list that you want to attach labels to. The details
pane will transition, presenting the Overview information
for the selected node.
Click the settings icon in the upper-right corner to open the
Edit Node page.
Navigate to the Labels section and click Add
Label.
Add a label, entering disk into the Key field and ssd
into the Value field.
Click Save to dismiss the Edit Node page and return
to the node Overview.
The following example procedure deploys a service with a constraint that
ensures that the service only runs on nodes with SSD storage
node.labels.disk==ssd.
To deploy an application stack with service constraints:
Log in to the MKE web UI with administrator credentials.
Verify that the target node orchestrator is set to Swarm.
Click Shared Resources in the left-side navigation panel to
expand the selections.
Click Stacks. The details pane will display the full list of
stacks.
Click the Create Stack button to open the Create
Application page.
Under 1. Configure Application, enter “wordpress” into the
Name field .
Under ORCHESTRATOR NODE, select Swarm Services.
Under 2. Add Application File, paste the following stack file in
the docker-compose.yml editor:
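The stack file itself is not reproduced in this extract. The following
minimal sketch shows a WordPress service with the node.labels.disk==ssd
placement constraint; the image, port, and replica settings are illustrative
only.
version: "3.7"
services:
  wordpress:
    image: wordpress:latest
    ports:
      - "8080:80"
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.disk == ssd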
If a node is set to use Kubernetes as its orchestrator while simultaneously
running Swarm services, you must deploy placement constraints to prevent those
services from being scheduled on the node.
The necessary service constraints will be automatically adopted by any new
MKE-created Swarm services, as well as by older Swarm services that you have
updated. MKE does not automatically add placement constraints, however, to
Swarm services that were created using older versions of MKE, as to do so would
restart the service tasks.
To add placement constraints to older Swarm services:
Identify the Swarm services that do not have placement constraints:
services=$(docker service ls -q)
for service in $services; do
  if docker service inspect $service --format '{{.Spec.TaskTemplate.Placement.Constraints}}' | grep -q -v 'node.labels.com.docker.ucp.orchestrator.swarm==true'; then
    name=$(docker service inspect $service --format '{{.Spec.Name}}')
    if [ $name = "ucp-agent" ] || [ $name = "ucp-agent-win" ] || [ $name = "ucp-agent-s390x" ]; then
      continue
    fi
    echo "Service $name (ID: $service) is missing the node.labels.com.docker.ucp.orchestrator.swarm=true placement constraint"
  fi
done
Add placement constraints to the Swarm services you identified:
Note
All service tasks will restart, thus causing some amount of service
downtime.
services=$(docker service ls -q)
for service in $services; do
  if docker service inspect $service --format '{{.Spec.TaskTemplate.Placement.Constraints}}' | grep -q -v 'node.labels.com.docker.ucp.orchestrator.swarm=true'; then
    name=$(docker service inspect $service --format '{{.Spec.Name}}')
    if [ $name = "ucp-agent" ] || [ $name = "ucp-agent-win" ]; then
      continue
    fi
    echo "Updating service $name (ID: $service)"
    docker service update --detach=true --constraint-add node.labels.com.docker.ucp.orchestrator.swarm==true $service
  fi
done
Add or remove a service constraint using the MKE web UI
You can declare the deployment constraints in your docker-compose.yml
file or when you create a stack. Also, you can apply constraints when
you create a service.
To add or remove a service constraint:
Verify whether a service has deployment constraints:
Navigate to the Services page and select that service.
In the details pane, click Constraints to list the constraint
labels.
Edit the constraints on the service:
Click Configure and select Details to open the
Update Service page.
A SAN (Subject Alternative Name) is a structured means for associating various
values (such as domain names, IP addresses, email addresses, URIs, and so on)
with a security certificate.
MKE always runs with HTTPS enabled. As such, whenever you connect to MKE, you
must ensure that the MKE certificates recognize the host name in use. For
example, if MKE is behind a load balancer that forwards traffic to your MKE
instance, your requests will not be for the MKE host name or IP address but for
the host name of the load balancer. Thus, MKE will reject the requests, unless
you include the address of the load balancer as a SAN in the MKE certificates.
Note
To use your own TLS certificates, confirm first that these certificates
have the correct SAN values.
To use the self-signed certificate that MKE offers out-of-the-box, you can
use the --san argument to set up the SANs during MKE
deployment.
To add new SANs using the MKE web UI:
Log in to the MKE web UI using administrator credentials.
Navigate to the Nodes page.
Click on a manager node to display the details pane for that node.
Click Configure and select Details.
In the SANs section, click Add SAN and enter one or
more SANs for the cluster.
Click Save.
Repeat for every existing manager node in the cluster.
Note
Thereafter, the SANs are automatically applied to any new manager nodes
that join the cluster.
To add new SANs using the MKE CLI:
Get the current set of SANs for the given manager node:
docker node inspect --format '{{ index .Spec.Labels "com.docker.ucp.SANs" }}' <node-id>
Example of system response:
default-cs,127.0.0.1,172.17.0.1
Append the desired SAN to the list (for example,
default-cs,127.0.0.1,172.17.0.1,example.com) and run:
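A minimal sketch of the update command, assuming the appended list from the
previous step:
docker node update --label-add com.docker.ucp.SANs=default-cs,127.0.0.1,172.17.0.1,example.com <node-id>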
Prometheus is an open-source systems monitoring and alerting toolkit to which
you can configure MKE as a target.
Prometheus runs as a Kubernetes DaemonSet that, by default, runs on every
manager node. A key benefit of this is that you can configure the DaemonSet
not to schedule on any nodes, which effectively disables Prometheus if you
do not use the MKE web interface.
Along with events and logs, metrics are data sources that provide a view into
your cluster, presenting numerical data values that have a time-series
component. There are several sources from which you can derive metrics, each
providing different meanings for a business and its applications.
As the metrics data is stored locally on disk for each Prometheus server, it
does not replicate on new managers or if you schedule Prometheus to run
on a new node. The metrics are kept no longer than 24 hours.
MKE provides a base set of metrics that gets you into production without having
to rely on external or third-party tools. Mirantis strongly encourages, though,
the use of additional monitoring to provide more comprehensive visibility into
your specific MKE environment.
Business
High-level aggregate metrics that typically combine technical,
financial, and organizational data to create IT infrastructure
information for business leaders. Examples of business metrics
include:
Company or division-level application downtime
Aggregation resource utilization
Application resource demand growth
Application
Metrics on APM tools domains (such as AppDynamics and
DynaTrace) that supply information on the state or performance of the
application itself.
Service state
Container platform
Host infrastructure
Service
Metrics on the state of services that are running on the container
platform. Such metrics have very low cardinality, meaning the
values are typically from a small fixed set of possibilities (commonly
binary).
Application health
Convergence of Kubernetes deployments and Swarm services
Cluster load by number of services or containers or pods
Note
Web UI disk usage (including free space) reflects only the MKE
managed portion of the file system: /var/lib/docker. To monitor
the total space available on each filesystem of an MKE worker or
manager, deploy a third-party monitoring solution to oversee
the operating system.
The container health, according to its healthcheck.
The 0 value indicates that the container is not reporting as
healthy, which is likely because it either does not have a healthcheck
defined or because healthcheck results have not yet been returned.
Indicates whether the container is healthy, according to
its healthcheck.
The 0 value indicates that the container is not reporting as
healthy, which is likely because it either does not have a healthcheck
defined or because healthcheck results have not yet been returned.
Total disk space on the Docker root directory on this node in bytes.
Note that the ucp_engine_disk_free_bytes metric is not available
for Windows nodes.
In addition to the core metrics that MKE
exposes, you can use Prometheus to scrape a variety of metrics associated
with MKE middleware components.
Herein, Mirantis outlines the components that expose Prometheus metrics, as
well as offering detail on various key metrics. You should note, however, that
this information is not exhaustive, but is rather a guideline to metrics that
you may find especially useful in determining the overall health of your MKE
deployment.
For specific key metrics, refer to the Usage information, which
offers valuable insights on interpreting the data and using it to troubleshoot
your MKE deployment.
MKE deploys Kube State Metrics to expose metrics on
the state of Kubernetes objects, such as Deployments, nodes, and Pods. These
metrics are exposed in MKE on the ucp-kube-state-metrics service and can
be scraped at ucp-kube-state-metrics.kube-system.svc.cluster.local:8080.
You can use workqueue metrics to learn how long it takes for various
components to fulfill different actions and to check the level of work queue
activity.
The metrics offered below are based on kube-controller-manager; however,
the same metrics are available for other Kubernetes components.
Usage
Abnormal workqueue metrics can be symptomatic of issues in the specific
component. For example, an increase in workqueue_depth for the
Kubernetes Controller Manager can indicate that the component is being
oversaturated. In such cases, review the logs of the affected component.
Relates to the size of the workqueue. The larger the workqueue, the more
material there is to process. A growing trend in the size of the
workqueue can be indicative of issues in the cluster.
The kubelet agent runs on every node in an MKE cluster. Once you have set up
the MKE client bundle, you can view the available kubelet metrics for each node
in an MKE cluster using the commands detailed below:
Obtain the name of the first available node in your MKE cluster:
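For example, assuming a client bundle is sourced and kubectl is configured,
you can capture the node name and then scrape the kubelet metrics through
the Kubernetes API server proxy:
# Name of the first node reported by the cluster
NODE=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
# Kubelet metrics for that node, proxied through the API server
kubectl get --raw "/api/v1/nodes/${NODE}/proxy/metrics"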
Indicates the total number of running Pods, which you can use to verify
whether the number of Pods is in the expected range for your cluster.
Usage
If the number of Pods is unexpected on a node, review your Node Affinity
or Node Selector rules to verify the scheduling of Pods for the
appropriate nodes.
Indicates the number of containers per node. You can query for a
specific container state (running, created, exited). A high
number of exited containers on a node can indicate issues on that node.
If the number of containers is unexpected on a node, check your
Node Affinity or Node Selector rules to verify the scheduling of Pods
for the appropriate nodes.
Kube Proxy runs on each node in an MKE cluster. Once you have set up the MKE
client bundle, you can view the available Kube Proxy metrics for each node in
an MKE cluster using the commands detailed below:
Note
The Kube Proxy metrics are only available when Kube Proxy is enabled in the
MKE configuration and is running in either ipvs or iptables mode.
Obtain the name of the first available node in your MKE cluster:
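This step mirrors the kubelet example above; for instance:
NODE=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')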
Reflects the latency of client requests, in seconds. Such information
can be useful in determining whether your cluster is experiencing
performance degradation.
Example query
The following query illustrates the latency for all POST requests.
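For example, assuming the standard client-go histogram
rest_client_request_duration_seconds is the metric being scraped, a query of
the following form shows 95th percentile POST request latency; adjust the
metric and label names to what your Prometheus instance actually exposes.
histogram_quantile(0.95, sum(rate(rest_client_request_duration_seconds_bucket{verb="POST"}[5m])) by (le))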
Displays the latency in seconds between Kube Proxy network rules, which
are consistently synchronized between nodes. If the measurement is
increasing consistently it can result in Kube Proxy being out of sync
across the nodes.
Kube Controller Manager is a collection of different Kubernetes controllers
whose primary task is to monitor changes in the state of various Kubernetes
objects. It runs on all manager nodes in an MKE cluster.
Key Kube Controller Manager metrics are detailed as follows:
Reflects the latency of calls to the API server, in seconds. Such
information can be useful in determining whether your cluster is
experiencing slower cluster performance.
Example query
The following query displays the 99th percentile latencies on requests
to the API server.
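Assuming the same client-go metric family, a sketch of such a query is:
histogram_quantile(0.99, sum(rate(rest_client_request_duration_seconds_bucket[5m])) by (verb, url, le))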
Presents the total number of HTTP requests to Kube Controller Manager,
segmented by HTTP response code. A sudden increase in requests or an
increase in requests with error response codes can indicate issues with
the cluster.
Example query
The following query displays the rate of successful HTTP requests (those
offering 2xx response codes).
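Assuming the counter in question is the client-go rest_client_requests_total
metric exposed by Kube Controller Manager, a sketch of such a query is:
sum(rate(rest_client_requests_total{code=~"2.."}[5m]))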
The Kube API server is the core of the Kubernetes control plane. It provides a
means for obtaining information on Kubernetes objects and is also used to
modify the state of API objects. MKE runs an instance of the Kube API server on
each manager node.
The following are a number of key Kube Apiserver metrics:
MKE deploys RethinkDB Exporter on all manager nodes, to
allow metrics scraping from RethinkDB. The RethinkDB Exporter exports most of
the statistics from the RethinkDB stats table.
You can monitor the read and write throughput for each RethinkDB replica by
reviewing the following metrics:
Current number of document reads and writes per second from the server.
These metrics are organized into read/write categories and by replica. For
example, to view all the table read metrics on a specific node you can run the
following query:
MKE deploys NodeLocalDNS on every node, with the Prometheus plugin enabled. You
can scrape NodeLocalDNS metrics on port 9253, which provides regular
CoreDNS metrics that include the standard RED (Rate, Errors, Duration) metrics:
queries
durations
error counts
The metrics path is fixed to /metrics.
Metric
Description
coredns_build_info
Information about the CoreDNS build.
coredns_cache_entries
Number of entries in the cache.
coredns_cache_size
Cache size.
coredns_cache_hits_total
Counter of cache hits by cache type.
coredns_cache_misses_total
Counter of cache misses.
coredns_cache_requests_total
Total number of DNS resolution requests in different dimensions.
coredns_dns_request_duration_seconds_bucket
Histogram of DNS request duration (bucket).
coredns_dns_request_duration_seconds_count
Histogram of DNS request duration (count).
coredns_dns_request_duration_seconds_sum
Histogram of DNS request duration (sum).
coredns_dns_request_size_bytes_bucket
Histogram of the size of DNS request (bucket).
coredns_dns_request_size_bytes_count
Histogram of the size of DNS request (count).
coredns_dns_request_size_bytes_sum
Histogram of the size of DNS request (sum).
coredns_dns_requests_total
Number of DNS requests.
coredns_dns_response_size_bytes_bucket
Histogram of the size of DNS response (bucket).
coredns_dns_response_size_bytes_count
Histogram of the size of DNS response (count).
coredns_dns_response_size_bytes_sum
Histogram of the size of DNS response (sum).
coredns_dns_responses_total
DNS response codes and number of DNS response codes.
coredns_forward_conn_cache_hits_total
Number of cache hits for each protocol and data flow.
coredns_forward_conn_cache_misses_total
Number of cache misses for each protocol and data flow.
coredns_forward_healthcheck_broken_total
Unhealthy upstream count.
coredns_forward_healthcheck_failures_total
Count of failed health checks per upstream.
coredns_forward_max_concurrent_rejects_total
Number of requests rejected due to excessive concurrent requests.
MKE deploys Prometheus by default on the manager nodes to provide a built-in
metrics backend. For cluster sizes over 100 nodes, or if you need to scrape
metrics from Prometheus instances, Mirantis recommends that you deploy
Prometheus on dedicated worker nodes in the cluster.
To deploy Prometheus on worker nodes:
Source an admin bundle.
Verify that ucp-metrics pods are running on all managers:
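For example, assuming kubectl is configured through the admin bundle and
that the pods carry the k8s-app=ucp-metrics label:
kubectl -n kube-system get pods -l k8s-app=ucp-metrics -o wide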
If you use SELinux, label your ucp-node-certs
directories properly on the worker nodes before you move the
ucp-metrics workload to them. To run ucp-metrics on a worker
node, update the ucp-node-certs label by running:
Patch the ucp-metrics DaemonSet’s nodeSelector with the same key and
value in use for the node label. This example shows the key
ucp-metrics and the value "".
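A sketch of such a patch, assuming the target worker nodes already carry the
ucp-metrics="" label:
kubectl -n kube-system patch daemonset ucp-metrics --type json \
  -p '[{"op": "replace", "path": "/spec/template/spec/nodeSelector", "value": {"ucp-metrics": ""}}]'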
Create a Prometheus deployment and ClusterIP service using YAML.
Note
On bare metal clusters, enable MetalLB so that
you can create a service of the load balancer type, and then perform the
following steps:
Replace ClusterIP with LoadBalancer in the service YAML.
Access the service through the load balancer.
If you run Prometheus external to MKE, change the domain for the
inventory container in the Prometheus deployment from
ucp-controller.kube-system.svc.cluster.local to an external
domain, to access MKE from the Prometheus node.
Forward port 9090 on the local host to the ClusterIP. The tunnel
you create does not need to be kept alive as its only purpose is to expose
the Prometheus UI.
ssh -L 9090:10.96.254.107:9090 ANY_NODE
Visit http://127.0.0.1:9090 to explore the MKE metrics that Prometheus
is collecting.
The information offered herein on how to set up a Grafana instance connected
to MKE Prometheus is derived from the official Deploy Grafana on
Kubernetes documentation
and modified to work with MKE. As it deploys Grafana with default
credentials, Mirantis strongly recommends that you adjust the configuration
detail to meet your specific needs prior to deploying Grafana with MKE in a
production environment.
You can now navigate to the Grafana UI, which has the MKE Prometheus data
source installed at http://localhost:3000/. Log in initially using admin
for both the user name and password, taking care to change your credentials
after you successfully log in.
MKE uses native Kubernetes RBAC, which is active by default for Kubernetes
clusters. The YAML files of many ecosystem applications and integrations use
Kubernetes RBAC to access service accounts. Also, organizations looking to run
MKE both on-premises and in hosted cloud services want to run Kubernetes
applications in both environments without having to manually change RBAC in
their YAML file.
Note
Kubernetes and Swarm roles have separate views. Using the MKE web UI, you
can view all the roles for a particular cluster:
Click Access Control in the navigation menu at the left.
Click Roles.
Select the Kubernetes tab or the Swarm tab to view the specific roles for each.
You create Kubernetes roles either through the CLI using Kubernetes kubectl
tool or through the MKE web UI.
To create a Kubernetes role using the MKE web UI:
Log in to the MKE web UI.
In the navigation menu at the left, click Access Control to
display the available options.
Click Roles.
At the top of the details pane, click the Kubernetes tab.
Click Create to open the Create Kubernetes
Object page.
Click Namespace to select a namespace for the role from one of
the available options.
Provide the YAML file for the role. To do this, either enter it in the
Object YAML editor, or upload an existing .yml file using the
Click to upload a .yml file selection link at the right.
To create a grant for a Kubernetes role in the MKE web UI:
Log in to the MKE web UI.
In the navigation menu at the left, click Access Control to
display the available options.
Click the Grants option.
At the top of the details pane, click the Kubernetes tab. All
existing grants to Kubernetes roles are present in the details pane.
Click Create Role Binding to open the Create Role
Binding page.
Select the subject type at the top of the 1. Subject section
(Users, Organizations, or Service
Account).
Create a role binding for the selected subject type:
Users: Select a type from the User drop-down list.
Organizations: Select a type from the
Organization drop-down list. Optionally, you can also select
a team using the Team (optional) drop-down list, if any have
been established.
Service Account: Select a NAMESPACE from the
Namespace drop-down list, then a type from the
Service Account drop-down list.
Click Next to activate the 2. Resource Set section.
Select a resource set for the subject.
By default, the default namespace is indicated. To use a
different namespace, select the Select Namespace button
associated with the desired namespace.
For ClusterRoleBinding, slide the Apply Role Binding to
all namespace (Cluster Role Binding) selector to the right.
Click Next to activate the 3. Role section.
Select the role type.
Role
Cluster Role
Note
Cluster Role type is the only role type available if you enabled Apply Role Binding to all namespace (Cluster
Role Binding) in the 2. Resource Set section.
Audit logs are a chronological record of security-relevant activities by
individual users, administrators, or software components that have had an
effect on an MKE system. They focus on external user/agent actions and
security, rather than attempting to understand state or events of the system
itself.
Audit logs capture all HTTP actions (GET, PUT, POST, PATCH, DELETE) to all MKE
API, Swarm API, and Kubernetes API endpoints (with the exception of the ignored
list) that are invoked and sent to Mirantis Container Runtime via stdout.
The benefits that audit logs provide include:
Historical troubleshooting
You can use audit logs to determine a sequence of past events that can help
explain why an issue occurred.
Security analysis and auditing
A full record of all user interactions with the container infrastructure
can provide your security team with the visibility necessary to root out
questionable or unauthorized access attempts.
Chargeback
Use audit logs about resource usage to generate chargeback information.
Alerting
With a watch on an event stream or a notification the event creates, you can
build alerting features on top of event tools that generate alerts for ops
teams (PagerDuty, OpsGenie, Slack, or custom solutions).
Enabling auditing in MKE does not automatically enable auditing of
Kubernetes objects. To do so, you must set the
kube_api_server_auditing parameter in the MKE configuration file to
true.
Once you have set the kube_api_server_auditing parameter to true,
the following default auditing values are configured on the Kubernetes API
server:
--audit-log-maxage: 30
--audit-log-maxbackup: 10
--audit-log-maxsize: 10
For information on how to enable and configure the Kubernetes API server
audit values, refer to cluster_config table detail in the MKE
configuration file.
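In the MKE configuration file (TOML), this setting sits under the
cluster_config table; a minimal sketch:
[cluster_config]
  kube_api_server_auditing = true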
You can enable MKE audit logging using the MKE web user interface, the MKE API,
and the MKE configuration file.
The level setting supports the following variables:
""
"metadata"
"request"
Caution
The support_dump_include_audit_logs flag specifies whether user
identification information from the ucp-controller container logs is
included in the support bundle. To prevent this information from being sent
with the support bundle, verify that support_dump_include_audit_logs
is set to false. When disabled, the support bundle collection tool
filters out any lines from the ucp-controller container logs that
contain the substring auditID.
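For reference, a minimal sketch of the relevant section of the MKE
configuration file, assuming the audit_log_configuration table and option
names used by recent MKE versions:
[audit_log_configuration]
  level = "metadata"
  support_dump_include_audit_logs = false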
For system security reasons, a number of MKE API endpoints are either
ignored by audit logging or have their information redacted.
You can set MKE to automatically record and transmit data to Mirantis through
an encrypted channel for monitoring and analysis purposes. The data collected
provides the Mirantis Customer Success Organization with information that helps
us to better understand the operational use of MKE by our customers. It also
provides key feedback in the form of product usage statistics, which enable our
product teams to enhance Mirantis products and services.
Specifically, with MKE you can send hourly usage reports, as well as
information on API and UI usage.
Caution
To send the telemetry, verify that dockerd and the MKE application container
can resolve api.segment.io and create a TCP (HTTPS) connection on port
443.
To enable telemetry in MKE:
Log in to the MKE web UI as an administrator.
At the top of the navigation menu at the left, click the user name
drop-down to display the available options.
Click Admin Settings to display the available
options.
Click Usage to open the Usage Reporting screen.
Toggle the Enable API and UI tracking slider to the right.
(Optional) Enter a unique label to identify the cluster in the usage
reporting.
Security Assertion Markup Language (SAML) is an open standard for the exchange
of authentication and authorization data between parties. It is commonly
supported by enterprise authentication systems. SAML-based single sign-on (SSO)
gives you access to MKE through a SAML 2.0-compliant identity provider.
MKE supports the Okta and ADFS
identity providers.
To integrate SAML authentication into MKE:
Configure the Identity Provider (IdP).
In the left-side navigation panel, navigate to
user name > Admin Settings > Authentication & Authorization.
Create (Edit) Teams to link with the Group memberships. This updates
team membership information when a user signs in with SAML.
Identity providers require certain values to successfully integrate
with MKE. As these values vary depending on the identity provider,
consult your identity provider documentation for instructions on
how to best provide the needed information.
Service provider ACS URL
URL for MKE, qualified with /enzi/v0/saml/acs. For example,
https://111.111.111.111/enzi/v0/saml/acs.
Service provider audience URI
URL for MKE, qualified with /enzi/v0/saml/metadata. For example,
https://111.111.111.111/enzi/v0/saml/metadata.
NameID format
Select Unspecified.
Application user name
Email. For example, a custom ${f:substringBefore(user.email,"@")}
specifies the user name portion of the email address.
Attribute Statements
Name: fullname
Value: user.displayName
Group Attribute Statement
Name: member-of
Filter: (user defined) for associate group membership.
The group name is returned with the assertion.
Name: is-admin
Filter: (user defined) for identifying whether the user is an admin.
Okta configuration
When two or more group names are expected to return with the assertion,
use the regex filter. For example, use the value apple|orange to
return groups apple and orange.
The service provider metadata URI value is the URL for
MKE, qualified with /enzi/v0/saml/metadata. For example,
https://111.111.111.111/enzi/v0/saml/metadata.
SAML configuration requires that you know the metadata URL for your chosen
identity provider, as well as the URL for the MKE host that contains the IP
address or domain of your MKE installation.
To configure SAML integration on MKE:
Log in to the MKE web UI.
In the navigation menu at the left, click the user name
drop-down to display the available options.
Click Admin Settings to display the available
options.
Click Authentication & Authorization.
In the Identity Provider section in the details pane, move the
slider next to SAML to enable the SAML settings.
In the SAML idP Server subsection, enter the URL for the
identity provider metadata in the IdP Metadata URL field.
Note
If the metadata URL is publicly certified, you can continue with the
default settings:
Skip TLS Verification unchecked
Root Certificates Bundle blank
Mirantis recommends TLS verification in production environments. If the
metadata URL cannot be certified by the default certificate authority
store, you must provide the certificates from the identity provider in
the Root Certificates Bundle field.
In the SAML Service Provider subsection, in the MKE
Host field, enter the URL that includes the IP address or
domain of your MKE installation.
The port number is optional. The current IP address or domain displays by
default.
(Optional) Customize the text of the sign-in button by entering the text for
the button in the Customize Sign In Button Text field. By
default, the button text is Sign in with SAML.
Copy the SERVICE PROVIDER METADATA URL, the
ASSERTION CONSUMER SERVICE (ACS) URL, and the SINGLE
LOGOUT (SLO) URL to paste into the identity provider workflow.
Click Save.
Note
To configure a service provider, enter the Identity Provider’s metadata
URL to obtain its metadata. To access the URL, you may need to provide the
CA certificate that can verify the remote server.
To link group membership with users, use the Edit or
Create team dialog to associate a SAML group assertion with the
MKE team, thereby synchronizing user team membership when the user logs in.
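The SAML settings that you configure in the web UI also have counterparts in
the MKE configuration file. The following is a minimal sketch only; the key
names shown here (idpMetadataURL, spHost, tlsSkipVerify) are assumptions that
you should verify against a configuration file exported from your own cluster:
[auth.saml]
  # Assumed key names; verify against an exported MKE configuration file.
  idpMetadataURL = "https://idp.example.com/app/metadata"
  spHost = "https://111.111.111.111"
  tlsSkipVerify = false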
From the MKE web UI you can download a client bundle with which you can access
MKE using the CLI and the API.
A client bundle is a group of certificates that enable command-line access and
API access to the software. It lets you authorize a remote Docker engine to
access specific user accounts that are managed in MKE, absorbing all associated
RBAC controls in the process. Once you obtain the client bundle, you can
execute Docker Swarm commands from your remote machine to take effect on the
remote cluster.
Previously-authorized client bundle users can still access MKE, regardless
of the newly configured SAML access controls.
Mirantis recommends that you take the following steps to ensure that access
from the client bundle is in sync with the identity provider, and to thus
prevent any previously-authorized users from accessing MKE through their
existing client bundle:
Remove the user account from MKE that grants the client bundle
access.
If group membership in the identity provider changes, replicate
the change in MKE.
Continue using LDAP to sync group membership.
To download the client bundle:
Log in to the MKE web UI.
In the navigation menu at the left, click the user name
drop-down to display the available options.
Click your account name to display the available options.
Click My Profile.
Click the New Client Bundle drop-down in the details pane and
select Generate Client Bundle.
(Optional) Enter a name for the bundle into the Label field.
You can enhance the security and flexibility of MKE by implementing a SAML
proxy. With such a proxy, you can lock down your MKE deployment and still
benefit from the use of SAML authentication. The proxy, which sits between MKE
and Identity Providers (IdPs), forwards metadata requests between these two
entities, using designated ports during the configuration process.
To set up a SAML proxy in MKE:
Use the MKE web UI to add a proxy service.
Kubernetes
Log in to the MKE web UI as an administrator.
In the left-side navigation panel, navigate to
Kubernetes > Pods and click the Create
button to call the Create Kubernetes Object pane.
In the Namespace dropdown, select default.
In the Object YAML editor, paste the following
Deployment object YAML:
Be aware that the log entry can take up to five minutes to register.
Configure the SAML proxy.
MKE web UI
Log in to the MKE web UI as an administrator.
In the left-side navigation panel, navigate to
<user-name> > Admin Settings > Authentication &
Authorization to display the Authentication & Authorization pane.
Toggle the SAML control to enable SAML and expand the
SAML settings.
Enable the SAML Proxy setting to reveal the
Proxy URL, Proxy Username, and
Proxy Password fields.
Insert the pertinent field information and click Save.
CLI
Note
If you are upgrading from a previous version of MKE, you must add the
[auth.samlProxy] section to the MKE configuration file, as sketched below.
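A minimal sketch of that section, assuming key names that mirror the web UI
fields (Proxy URL, Proxy Username, Proxy Password); verify the exact names
against a configuration file exported from your cluster before applying:
[auth.samlProxy]
  # Assumed key names that mirror the web UI fields; verify before applying.
  proxyURL = "https://saml-proxy.example.com:4443"
  proxyUsername = "proxy-user"
  proxyPassword = "proxy-password"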
System for Cross-domain Identity Management (SCIM) is a standard for automating
the exchange of user identity information between identity domains or IT
systems. It offers an LDAP alternative for provisioning and managing users
and groups in MKE, as well as for syncing users and groups with an upstream
identity provider. Using SCIM schema and API, you can utilize Single
sign-on services (SSO) across various tools.
Mirantis certifies the use of Okta 3.2.0; however, MKE offers the discovery
endpoints necessary to provide any system or application with the product
SCIM configuration.
In the SCIM configuration subsection, either enter the API
token in the API Token field or click Generate
to have MKE generate a UUID.
The base URL for all SCIM API calls is
https://<HostIP>/enzi/v0/scim/v2/. All SCIM methods are accessible as
API endpoints relative to this base URL.
Bearer authentication is the API authentication method. When configured, you
access SCIM API endpoints by including an HTTP Authorization request header
of the form Bearer <token>.
Note
SCIM API endpoints are not accessible by any other user (or their
token), including the MKE administrator and MKE admin Bearer token.
MKE supports only one SCIM authentication method: an HTTP Authorization
request header that contains a Bearer token.
Returns a list of SCIM users (by default, 200 users per page).
Use the startIndex and count query parameters to paginate long lists of
users. For example, to retrieve the first 20 users, set startIndex to 1
and count to 20, as in the following request:
GET /enzi/v0/scim/v2/Users?startIndex=1&count=20
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
The response to the previous query returns paging metadata that is similar to
the following example:
Reactivate inactive users by specifying "active":true. To deactivate
active users, specify "active":false. The value of the {id} should be
the user’s ID.
All attribute values are overwritten, including attributes for which empty
values or no values have been provided. If a previously set attribute value is
left blank during a PUT operation, the value is updated with a blank value
in accordance with the attribute data type and storage provider. The value of
the {id} should be the user’s ID.
Updates an existing group resource, allowing the addition or removal of
individual (or groups of) users from the group with a single operation. Add
is the default operation.
To remove members from a group, set the operation attribute of a member object
to delete.
Updates an existing group resource, overwriting all values for a group
even if an attribute is empty or is not provided.
PUT replaces all members of a group with members that are provided by way
of the members attribute. If a previously set attribute is left blank
during a PUT operation, the new value is set to blank in accordance with
the data type of the attribute and the storage provider.
Returns a JSON structure that describes the SCIM specification features
that are available on a service provider using a schemas attribute of
urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig.
MKE integrates with LDAP directory services, thus allowing you to
manage users and groups from your organization directory and to
automatically propagate the information to MKE and MSR.
Once you enable LDAP, MKE uses a remote directory server to create users
automatically, and all logins are forwarded thereafter to the directory server.
When you switch from built-in authentication to LDAP authentication, all
manually created users whose usernames fail to match any LDAP search
results remain available.
When you enable LDAP authentication, you configure MKE to create
user accounts only when users log in for the first time.
To control the integration of MKE with LDAP, you create user searches. For
these user searches, you use the MKE web UI to specify multiple search
configurations and specify multiple LDAP servers
with which to integrate. Searches start with the BaseDN, the Distinguished
Name of the node in the LDAP directory tree in which the search looks
for users.
MKE to LDAP synchronization workflow
The following occurs when MKE synchronizes with LDAP:
MKE creates a set of search results by iterating over each of the
user search configurations, in an order that you specify.
MKE chooses an LDAP server from the list of domain servers by considering the
BaseDN from the user search configuration and selecting the domain
server with the longest domain suffix match.
Note
If no domain server has a domain suffix that matches the BaseDN from
the search configuration, MKE uses the default domain server.
MKE creates a list of users from the search and creates MKE
accounts for each one.
Note
If you select the Just-In-Time User Provisioning option, user
accounts are created only when users first log in.
Example workflow:
Consider an example with three LDAP domain servers and three user search
configurations.
The example LDAP domain servers:
LDAP domain server name
URL
default
ldaps://ldap.example.com
dc=subsidiary1,dc=com
ldaps://ldap.subsidiary1.com
dc=subsidiary2,dc=subsidiary1,dc=com
ldaps://ldap.subsidiary2.com
The example user search configurations:
User search configurations
Description
baseDN=ou=people,dc=subsidiary1,dc=com
For this search configuration, dc=subsidiary1,dc=com is the only
server with a domain that is a suffix, so MKE uses the server
ldaps://ldap.subsidiary1.com for the search request.
For this search configuration, two of the domain servers have a
domain that is a suffix of this BaseDN. As
dc=subsidiary2,dc=subsidiary1,dc=com is the longer of the two,
however, MKE uses the server ldaps://ldap.subsidiary2.com for the
search request.
baseDN=ou=eng,dc=example,dc=com
For this search configuration, no server with a domain specified is a
suffix of this BaseDN, so MKE uses the default server,
ldaps://ldap.example.com, for the search request.
Whenever user search results contain username collisions between the
domains, MKE uses only the first search result, and thus the ordering of the
user search configurations can be important. For example, if both the first and
third user search configurations result in a record with the username
jane.doe, the record from the first configuration takes precedence and the one from the third is ignored. As
such, it is important to implement a username attribute that is unique for
your users across all domains. As a best practice, choose something that is
specific to the subsidiary, such as the email address for each user.
MKE saves a minimum amount of user data required to operate, including any
user name and full name attributes that you specify in the configuration, as
well as the Distinguished Name (DN) of each synced user. MKE does not store
any other data from the directory server.
Use the MKE web UI to configure MKE to create and authenticate users using
an LDAP directory.
To configure an LDAP server, perform the following steps:
To set up a new LDAP server, configure the settings in the LDAP
Server subsection:
Control
Description
LDAP Server URL
The URL for the LDAP server.
Reader DN
The DN of the LDAP account that is used to search entries in the LDAP
server. As a best practice, this should be an LDAP read-only user.
Reader Password
The password of the account used to search entries in the LDAP
server.
Skip TLS verification
Sets whether to verify the LDAP server certificate when TLS is in use.
If you skip verification, the connection remains encrypted but is
vulnerable to man-in-the-middle attacks.
Use Start TLS
Defines whether to authenticate and encrypt the connection after the
initial connection is made to the LDAP server over TCP. This setting is
ignored if the LDAP Server URL field is set to ldaps://.
No Simple Pagination (RFC 2696)
Indicates that your LDAP server does not support pagination.
Just-In-Time User Provisioning
Sets whether to create user accounts only when users log in for the
first time. Mirantis recommends using the default true value.
Note
Available as of MKE 3.6.4. The
disableReferralChasing setting, which is currently only available
by way of the MKE API, allows you to disable the default
behavior that occurs when a referral URL is received as a result of an
LDAP search request. Refer to LDAP Configuration through API for
more information.
In the LDAP Additional Domains subsection, click Add
LDAP Domain +. A set of input tools for configuring the additional domain
displays.
Configure the settings for the new LDAP domain:
Control
Description
LDAP Domain
Text field in which to enter the root domain component of this
server. A longest-suffix match of the BaseDN for LDAP searches
is used to select which LDAP server to use for search requests. If no
matching domain is found, the default LDAP server configuration is
put to use.
LDAP Server URL
Text field in which to enter the URL for the LDAP server.
Reader DN
Text field in which to enter the DN of the LDAP account that is used
to search entries in the LDAP server. As a best practice, this should
be an LDAP read-only user.
Reader Password
The password of the account used to search entries in the LDAP
server.
Skip TLS verification
Sets whether to verify the LDAP server certificate when TLS is in use.
If you skip verification, the connection remains encrypted but is
vulnerable to man-in-the-middle attacks.
Use Start TLS
Sets whether to authenticate and encrypt the connection after the
initial connection is made to the LDAP server over TCP. This setting is
ignored if the LDAP Server URL field is set to ldaps://.
No Simple Pagination (RFC 2696)
Select if your LDAP server does not support pagination.
Note
Available as of MKE 3.6.4. The
disableReferralChasing setting, which is currently only available
by way of the MKE API, allows you to disable the default
behavior that occurs when a referral URL is received as a result of an
LDAP search request. Refer to LDAP Configuration through API for
more information.
Click Confirm to add the new LDAP domain.
Repeat the procedure to add any additional LDAP domains.
To add LDAP user search configurations to your LDAP integration:
In the LDAP User Search Configurations subsection, click
Add LDAP User Search Configuration +. A set of input tools for
configuring the LDAP user search configurations displays.
Field
Description
Base DN
Text field in which to enter the DN of the node in the directory tree,
where the search should begin seeking out users.
Username Attribute
Text field in which to enter the LDAP attribute that serves as
username on MKE. Only user entries with a valid username will be
created.
A valid username must not be longer than 100 characters and must not
contain any unprintable characters, whitespace characters, or any of
the following characters: /\[]:;|=,+*?<>'".
Full Name Attribute
Text field in which to enter the LDAP attribute that serves as the
user’s full name, for display purposes. If the field is left empty, MKE
does not create new users with a full name value.
Filter
Text field in which to enter an LDAP search filter to use to find
users. If the field is left empty, all directory entries in the
search scope with valid username attributes are created as users.
Search subtree instead of just one level
Whether to perform the LDAP search on a single level of the LDAP tree,
or search through the full LDAP tree starting at the BaseDN.
Match Group Members
Sets whether to filter users further, by selecting those who are also
members of a specific group on the directory server. The feature is
helpful when the LDAP server does not support memberOf search
filters.
Iterate through group members
Sets whether, when the Match Group Members option is
enabled to sync users, the sync is done by iterating over the target
group’s membership and making a separate LDAP query for each member,
rather than through the use of a broad user search filter. This
option can increase efficiency in situations where the number of
members of the target group is significantly smaller than the number
of users that would match the above search filter, or if your
directory server does not support simple pagination of search
results.
Group DN
Text field in which to enter the DN of the LDAP group from which to
select users, when the Match Group Members option is
enabled.
Group Member Attribute
Text field in which to enter the name of the LDAP group entry
attribute that corresponds to the DN of each of the group members.
Click Confirm to add the new LDAP user search configurations.
Repeat the procedure to add any additional user search configurations. More
than one such configuration can be useful in cases where users may be found
in multiple distinct subtrees of your organization directory. Any user entry
that matches at least one of the search configurations will be synced as a
user.
Prior to saving your configuration changes, you can use the dedicated
LDAP Test login tool to test the integration using the login
credentials of an LDAP user.
Input the credentials for the test user into the provided
Username and Password fields:
Field
Description
Username
An LDAP user name for testing authentication to MKE. The value
corresponds to the Username Attribute that is specified
in the Add LDAP user search configurations section.
Password
The password used to authenticate (BIND) to the directory
server.
Click Test. A search is made against the directory using the
provided search BaseDN, scope, and filter. Once the user entry is found
in the directory, a BIND request is made using the input user DN and the
given password value.
Following LDAP integration, MKE synchronizes users at the top of the hour,
based on an interval that is defined in hours.
To set LDAP synchronization, configure the following settings in the
LDAP Sync Configuration section:
Field
Description
Sync interval
The interval, in hours, to synchronize users between MKE and the LDAP
server. When the synchronization job runs, new users found in the LDAP
server are created in MKE with the default permission level. MKE users
that do not exist in the LDAP server become inactive.
Enable sync of admin users
This option specifies that system admins should be synced directly with
members of a group in your organization’s LDAP directory. The admins
will be synced to match the membership of the group. The configured
recovery admin user will also remain a system admin.
In addition to configuring MKE LDAP synchronization, you can also perform a hot
synchronization by clicking the Sync Now button in the
LDAP Sync Jobs subsection. Here you can also view the logs for each
sync job by clicking the View Logs link associated with a particular
job.
Whenever a user is removed from LDAP, the effect on their MKE account
is determined by the Just-In-Time User Provisioning setting:
false: Users deleted from LDAP become inactive in MKE following the next
LDAP synchronization run.
true: A user deleted from LDAP cannot authenticate. Their MKE accounts
remain active, however, and thus they can use their client bundles to run
commands. To prevent this, deactivate the user’s MKE user account.
MKE enables the syncing of teams within Organizations with LDAP, using either a
search query or by matching a group that is established in your LDAP directory.
Log in to the MKE web UI as an administrator.
Navigate to Access Control > Orgs & Teams to display the
Organizations that exist within your MKE instance.
Locate the name of the Organization that contains the MKE team that you want
to sync to LDAP and click it to display all of the MKE teams for that
Organization.
Hover your cursor over the MKE team that you want
to sync with LDAP to reveal its vertical ellipsis, at the far right.
Click the vertical ellipsis and select Edit to call the
Details screen for the team.
Toggle ENABLE SYNC TEAM MEMBERS to Yes to reveal
the LDAP sync controls.
Toggle LDAP MATCH METHOD to set the LDAP match method you want
to use to make the sync, Match Search Results (default) or
Match Group Members.
For Match Search Results:
Enter a Base DN into the Search Base DN field, as it is
established in LDAP.
Enter a search filter based on one or more attributes into the
Search filter field.
Optional. Check Search subtree instead of just one level to
enable search down through any sub-groups that exist within the group
you entered into the Search Base DN field.
For Match Group Members:
Enter the group Distinguished Name (DN) into the Group DN
field.
Enter a member attribute into the Group Member field.
Toggle IMMEDIATELY SYNC TEAM MEMBERS as appropriate.
For identity providers that require a client redirect URI, use
https://<MKE_HOST>/login. For identity providers that do not permit the use
of an IP address for the host, use https://<mke-cluster-domain>/login.
The requested scopes for all identity providers are "openid email". Claims
are read solely from the ID token that your identity provider returns. MKE does
not use the UserInfo URL to obtain user information. The default username
claim is sub. To use a different username claim, you must specify that
value with the usernameClaim setting in the MKE configuration file.
The following example details the MKE configuration file settings for using an
external identity provider.
For the signInCriteria array, term is set to hosted domain
("hd") and value is set to the domain from which the user is
permitted to sign in.
For the adminRoleCriteria array, matchType is set to "contains",
in case any administrators are assigned to multiple roles that include
admin.
Using an external identity provider to sign in to the MKE web UI creates a
new user session, and thus users who sign in this way will not be signed out
when their ID token expires. Instead, the session lifetime is set using the
auth.sessions parameters in the MKE configuration
file.
Verify that LDAP and SAML teams are both enabled for syncing.
In the left-side navigation panel, navigate to
Access Control > Orgs & Teams
Select the required organization and then select the required team.
Click the gear icon in the upper right corner.
On the Details tab, select ENABLE SYNC TEAM MEMBERS.
Select ALLOW NON-LDAP MEMBERS.
To determine a user’s authentication protocol:
Log in to the MKE web UI as an administrator.
In the left-side navigation panel, navigate to
Access Control > Users and select the target user.
If an LDAP DN attribute is present next to
Full Name and Admin, the user is managed by LDAP.
If, however, the LDAP DN attribute is not present, the user is
not managed by LDAP.
Unexpected behavior can result from having the same user name in both SAML and
LDAP.
If just-in-time (JIT) provisioning is enabled in LDAP, MKE only allows
login attempts from the identity provider through which the user first logs
in, and blocks all login attempts from the second identity provider.
If JIT provisioning is disabled in LDAP, the LDAP synchronization, which occurs
at regular intervals, always overrides the ability of the SAML user account
to log in.
To allow overlapping user names:
At times, a user may have the same name in both LDAP and SAML, and you may
want that user to be able to sign in using either protocol.
Define a custom SAML attribute with a name of dn and a
value that is equivalent to the user account distinguished name (DN) with
the LDAP provider. Refer to Define a custom SAML attribute
in the Okta documentation for more information.
Note
MKE considers such users to be LDAP users. As such, should their LDAP DN
change, the custom SAML attribute must be updated to match.
Log in to the MKE web UI.
From the left-side navigation panel, navigate to
<user name> > Admin Settings > Authentication & Authorization
and scroll down to the LDAP section.
Under SAML integration, select
Allow LDAP users to sign in using SAML.
You can configure MKE to allow users to deploy and run services in worker
nodes only, to ensure that all cluster management functionality remains
performant and to enhance cluster security.
Important
If a user deploys a malicious service that can affect the node on which it
is running, that service cannot affect any other nodes in the cluster or
have any impact on cluster management functionality.
Restrict services deployment to Swarm worker nodes
To keep manager nodes performant, it is necessary at times to restrict
service deployment to Swarm worker nodes.
To restrict services deployment to Swarm worker nodes:
Log in to the MKE web UI with administrator credentials.
Click the user name at the top of the navigation menu.
Navigate to Admin Settings > Orchestration.
Under Container Scheduling, toggle all of the sliders to the
left to restrict the deployment only to worker nodes.
Note
Creating a grant with the Scheduler role against the / collection
takes precedence over any other grants with NodeSchedule on
subcollections.
Restrict services deployment to Kubernetes worker nodes
By default, MKE clusters use Kubernetes taints and tolerations
to prevent user workloads from deploying to MKE manager or MSR nodes.
Note
Workloads deployed by an administrator in the kube-system namespace do
not follow scheduling constraints. If an administrator deploys a
workload in the kube-system namespace, a toleration is applied to bypass
the taint, and the workload is scheduled on all node types.
Schedule services deployment on manager and MSR nodes
Log in to the MKE web UI with administrator credentials.
Click the user name at the top of the navigation menu.
Navigate to Admin Settings > Orchestration.
Select from the following options:
Under Container Scheduling, toggle to the right the slider
for Allow administrators to deploy containers on MKE managers
or nodes running MSR.
Under Container Scheduling, toggle to the right the slider
for Allow all authenticated users, including service accounts,
to schedule on all nodes, including MKE managers and MSR nodes.
Following any scheduling action, MKE applies a toleration to new workloads, to
allow the Pods to be scheduled on all node types. For existing workloads,
however, it is necessary to manually add the toleration to the Pod
specification.
Add a toleration to the Pod specification for existing workloads
Add the following toleration to the Pod specification, either through the
MKE web UI or using the kubectl edit <object> <workload> command:
A NoSchedule taint is present on MKE manager and MSR nodes, and if you
disable scheduling on managers and/or workers a toleration for that taint
will not be applied to the deployments. As such, you should not schedule on
these nodes, except when the Kubernetes workload is deployed in the
kube-system namespace.
With MKE you can force applications to use only Docker images that are signed
by MKE users you trust. Every time a user attempts to deploy an application to
the cluster, MKE verifies that the application is using a trusted Docker
image. If a trusted Docker image is not in use, MKE halts the deployment.
By signing and verifying the Docker images, you ensure that the images in use
in your cluster are trusted and have not been altered, either in
the image registry or on their way from the image registry to your MKE cluster.
Example workflow
A developer makes changes to a service and pushes their changes to a
version control system.
A CI system creates a build, runs tests, and pushes an image to the Mirantis
Secure Registry (MSR) with the new changes.
The quality engineering team pulls the image, runs more tests, and signs
and pushes the image if the image is verified.
IT operations deploys the service, but only if the image in use is signed
by the QA team. Otherwise, MKE will not deploy.
To configure MKE to only allow running services that use Docker trusted
images:
Log in to the MKE web UI.
In the left-side navigation menu, click the user name drop-down to display
the available options.
Click Admin Settings > Docker Content Trust to reveal the
Content Trust Settings page.
Enable Run only signed images.
Important
At this point, MKE allows the deployment of any signed image, regardless
of the signer.
(Optional) Make it necessary for the image to be signed by a particular
team or group of teams:
Click Add Team+ to reveal the two-part tool.
From the drop-down at the left, select an organization.
From the drop-down at the right, select a team belonging to the
organization you selected.
Repeat the procedure to configure additional teams.
Note
If you specify multiple teams, the image must be signed by
a member of each team, or someone who is a member of all of the
teams.
Click Save.
MKE immediately begins enforcing the image trust policy. Existing services
continue to run and you can restart them as necessary. From this point,
however, MKE only allows the deployment of new services that use a
trusted image.
MKE enables the setting of various user session properties, such as
session timeout and the permitted number of concurrent sessions.
To configure MKE login session properties:
Log in to the MKE web UI.
In the left-side navigation menu, click the user name drop-down to display
the available options.
Click Admin Settings > Authentication & Authorization to reveal
the MKE login session controls.
The following table offers information on the MKE login session controls:
Field
Description
Lifetime Minutes
The set duration of a login session in minutes, starting from the moment
MKE generates the session. MKE invalidates the active session once this
period expires and the user must re-authenticate to establish a
new session.
Default: 60
Minimum: 10
Renewal Threshold Minutes
The time increment in minutes by which MKE extends an active session
prior to session expiration. MKE extends the session by the amount
specified in Lifetime Minutes. The threshold value cannot be
greater than that set in Lifetime Minutes.
To specify that sessions not be extended, set the threshold value
to 0. Be aware, though, that this may cause MKE web
UI users to be unexpectedly logged out.
Default: 20
Maximum: 5 minutes less than Lifetime Minutes
Per User Limit
The maximum number of sessions that a user can have running
simultaneously. If the creation of a new session would exceed this limit,
MKE deletes the least recently used session. Specifically, every time you
use a session token, the server marks it with the current time (lastUsed
metadata). When a new session exceeds the per-user limit, the session with
the oldest lastUsed time is deleted, which is not necessarily the oldest
session.
To disable the Per User Limit setting, set the value to
0.
The MKE configuration file documentation is up-to-date for the latest MKE
release. As such, if you are running an earlier version of MKE, you may
encounter detail for configuration options and parameters that are not
applicable to the version of MKE you are currently running.
Refer to the MKE Release Notes for specific
version-by-version information on MKE configuration file additions and
changes.
You configure an MKE cluster by applying a TOML file. You use this file,
the MKE configuration file, to import and export MKE configurations, both
to create new MKE instances and to modify existing ones.
Refer to example-config in the MKE CLI reference documentation
to learn how to download an example MKE configuration file.
Put the MKE configuration file to work for the following use cases:
Set the configuration file to run at the install time of new MKE clusters
Use the API to import the file back into the same cluster
Use the API to import the file into multiple clusters
To make use of an MKE configuration file, you edit the file using either the
MKE web UI or the command line interface (CLI). Using the CLI, you can either
export the existing configuration file for editing, or use the
example-config command to view and edit an example TOML MKE
configuration file.
Working as an MKE admin, use the config-toml API from within the directory
of your client certificate bundle to export the current MKE settings to a TOML
file.
As detailed herein, the command set exports the current configuration for the
MKE hostname MKE_HOST to a file named mke-config.toml:
To customize a new MKE instance using a configuration file, you must create the
file prior to installation. Then, once the new configuration file is ready, you
can configure MKE to import it during the installation process using Docker
Swarm.
To import a configuration file at installation:
Create a Docker Swarm Config object named com.docker.mke.config with
the TOML value of your MKE configuration file as its contents.
When installing MKE on the cluster, specify the --existing-config flag
to force the installer to use the new Docker Swarm Config object for its
initial configuration.
Following the installation, delete the com.docker.mke.config object.
The length of time, in minutes, before session expiration during which,
if the session is used, the session is extended by the currently configured
lifetime. A value of 0 disables session extension.
Default: 20
per_user_limit
no
The maximum number of sessions that a user can have simultaneously
active. If creating a new session will put a user over this
limit, the least recently used session is deleted.
A value of 0 disables session limiting.
Default: 10
store_token_per_session
no
If set, the user token is stored in sessionStorage instead of
localStorage. Setting this option logs the user out and
requires that they log back in, because it changes the manner in which
their authentication is stored.
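Taken together, these session parameters belong to the auth.sessions table of
the MKE configuration file. A minimal sketch follows; the lifetime_minutes and
renewal_threshold_minutes key names are assumptions for the lifetime and
renewal settings described above, so verify them against an exported
configuration:
[auth.sessions]
  # lifetime_minutes and renewal_threshold_minutes are assumed key names.
  lifetime_minutes = 60
  renewal_threshold_minutes = 20
  per_user_limit = 10
  store_token_per_session = false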
An array of claims that an ID token must contain for the associated user to
be treated as an MKE administrator. Creating a new account using a token
that satisfies the criteria determined by this array automatically produces
an administrator account.
Parameter
Required
Description
term
yes
Sets the name of the claim.
value
yes
Sets the value for the claim in the form of a string.
matchType
yes
Sets how the JWT claim is evaluated.
Valid values:
must - the JWT claim value must be the same as the configuration
value.
contains - the JWT claim value must contain the configuration
value.
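As a sketch only, one entry in this array combines the three parameters above.
The enclosing TOML table path shown here is an assumption based on the
adminRoleCriteria description earlier in this guide; verify it against an
exported configuration:
# Hypothetical table path; the parameter names are documented above.
[[auth.external_identity_provider.adminRoleCriteria]]
  term = "roles"
  value = "admin"
  matchType = "contains"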
The hardening_enabled option must be set to true to enable all
other hardening_configuration options.
Parameter
Required
Description
hardening_enabled
no
Parent option that when set to true enables security hardening
configuration options: limit_kernel_capabilities,
pid_limit, pid_limit_unspecified, and
use_strong_tls_ciphers.
Default: false
limit_kernel_capabilities
no
The option can only be enabled when hardening_enabled is set
to true.
Limits kernel capabilities to the minimum required by each container.
Components run using Docker default capabilities by default. When you
enable limit_kernel_capabilities, all capabilities are
dropped, except those that are specifically in use by the component.
Several components run as privileged, with capabilities that cannot be
disabled.
Default: false
pid_limit
no
The option can only be enabled when hardening_enabled is set
to true.
Sets the maximum number of PIDs that MKE allows for the respective
orchestrators.
The pid_limit option must be set to the default 0 when it is
not in use.
Default: 0
pid_limit_unspecified
no
The option can only be enabled when hardening_enabled is set
to true.
When set to false, enables PID limiting, using the pid_limit
option value for the associated orchestrator.
Default: true
use_strong_tls_ciphers
no
The option can only be enabled when hardening_enabled is set
to true.
When set to true, in line with control 4.2.12 of the CIS Kubernetes
Benchmark 1.7.0, the use_strong_tls_ciphers parameter limits the
allowed ciphers for the cipher_suites_for_kube_api_server,
cipher_suites_for_kubelet and cipher_suites_for_etcd_server
parameters in the cluster_config table to the following:
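A minimal sketch of how these options might appear in the configuration file,
assuming the table is named hardening_configuration as the option grouping
above suggests (the values are illustrative only):
[hardening_configuration]
  hardening_enabled = true
  limit_kernel_capabilities = true
  pid_limit = 100
  pid_limit_unspecified = false
  use_strong_tls_ciphers = true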
An array of tables that specifies the MSR instances that are managed by the
current MKE instance.
Parameter
Required
Description
host_address
yes
Sets the address for connecting to the MSR instance tied to the MKE
cluster.
service_id
yes
Sets the MSR instance’s OpenID Connect Client ID, as registered with the
Docker authentication provider.
ca_bundle
no
Specifies the root CA bundle for the MSR instance if you are using a
custom certificate authority (CA). The value is a string with the
contents of a ca.pem file.
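A sketch of a single entry in this array, assuming the array is named
registries; the parameter names are those documented above and the values are
placeholders:
[[registries]]
  # The array name is an assumption; verify against an exported configuration.
  host_address = "msr.example.com:443"
  service_id = "example-msr-service-id"
  # ca_bundle holds the contents of a ca.pem file when a custom CA is in use.
  ca_bundle = ""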
Specifies scheduling options and the default orchestrator for new nodes.
Note
If you run a kubectl command, such as kubectl describe
nodes, to view scheduling rules on Kubernetes nodes, the results do not
reflect the MKE admin settings configuration. MKE uses taints to control
container scheduling on nodes, which is unrelated to the kubectl
Unschedulable boolean flag.
Parameter
Required
Description
enable_admin_ucp_scheduling
no
Determines whether administrators can schedule containers on
manager nodes.
Valid values: true, false.
Default: false
You can also set the parameter using the MKE web UI:
Log in to the MKE web UI as an administrator.
Click the user name drop-down in the left-side navigation panel.
Click Admin Settings > Orchestration to view the
Orchestration screen.
Scroll down to the Container Scheduling section and
toggle on the Allow administrators to deploy containers on
MKE managers or nodes running MSR slider.
default_node_orchestrator
no
Sets the type of orchestrator to use for new nodes that join
the cluster.
Set to require the signing of images by content trust.
Valid values: true, false.
Default: false
You can also set the parameter using the MKE web UI:
Log in to the MKE web UI as an administrator.
Click the user name drop-down in the left-side navigation panel.
Click Admin Settings > Docker Content Trust to open the
Content Trust Settings screen.
Toggle on the Run only signed images slider.
require_signature_from
no
A string array that specifies which users or teams must sign images.
allow_repos
no
A string array that specifies repos that are to bypass the content trust
check, for example, ["docker.io/mirantis/dtr-rethink", "docker.io/mirantis/dtr-registry", ...].
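A sketch of these content trust parameters as they might appear in the
configuration file; the enclosing table name and the enabling flag shown here
are assumptions, while require_signature_from and allow_repos are the
parameter names documented above:
# The table name and require_content_trust are assumptions; verify against
# an exported MKE configuration.
[trust_configuration]
  require_content_trust = true
  require_signature_from = ["myorg/security-team"]
  allow_repos = ["docker.io/mirantis/dtr-rethink", "docker.io/mirantis/dtr-registry"]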
Configures the logging options for MKE components.
Parameter
Required
Description
protocol
no
The protocol to use for remote logging.
Valid values: tcp, udp.
Default: tcp
host
no
Specifies a remote syslog server to receive sent MKE controller logs. If
omitted, controller logs are sent through the default Docker daemon
logging driver from the ucp-controller container.
Set to enable attempted automatic license renewal when the
license nears expiration. If disabled, you must manually upload a renewed
license after expiration.
Included when you need to set custom API headers. You can repeat this
section multiple times to specify multiple separate headers. If you
include custom headers, you must specify both name and value.
[[custom_api_server_headers]]
Item
Description
name
Set to specify the name of the custom header with name =
“X-Custom-Header-Name”.
value
Set to specify the value of the custom header with value = “Custom
Header Value”.
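For example, a single custom header entry might look as follows (the header
name and value are placeholders):
[[custom_api_server_headers]]
  name = "X-Custom-Header-Name"
  value = "Custom Header Value"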
Configures the cluster that the current MKE instance manages.
The dns, dns_opt, and dns_search settings configure the DNS
settings for MKE components. These values, when assigned, override the
settings in a container /etc/resolv.conf file.
Parameter
Required
Description
controller_port
yes
Sets the port that the ucp-controller monitors.
Default: 443
kube_apiserver_port
yes
Sets the port the Kubernetes API server monitors.
kube_protect_kernel_defaults
no
Protects kernel parameters from being overridden by kubelet.
Default: false.
Important
When enabled, kubelet can fail to start if the following kernel
parameters are not properly set on the nodes before you install MKE
or before adding a new node to an existing cluster:
Sets the port that the ucp-swarm-manager monitors.
Default: 2376
swarm_strategy
no
Sets placement strategy for container scheduling. Be aware that this
does not affect swarm-mode services.
Valid values: spread, binpack, random.
dns
yes
Array of IP addresses that serve as nameservers.
dns_opt
yes
Array of options in use by DNS resolvers.
dns_search
yes
Array of domain names to search whenever a bare unqualified host name is
used inside of a container.
profiling_enabled
no
Determines whether specialized debugging endpoints are enabled for
profiling MKE performance.
Valid values: true, false.
Default: false
authz_cache_timeout
no
Sets the timeout in seconds for the RBAC information cache of MKE
non-Kubernetes resource listing APIs. Setting changes take immediate
effect and do not require a restart of the MKE controller.
Default: 0 (cache is not enabled)
Once you enable the cache, the results of non-Kubernetes resource listing
APIs reflect the latest RBAC changes for the user only after the cached
RBAC information times out.
kv_timeout
no
Sets the key-value store timeout setting, in milliseconds.
Default: 5000
kv_snapshot_count
no
Sets the key-value store snapshot count.
Default: 20000
external_service_lb
no
Specifies an optional external load balancer for default links to
services with exposed ports in the MKE web interface.
cni_installer_url
no
Specifies the URL of a Kubernetes YAML file to use to install a
CNI plugin. Only applicable during initial installation. If left empty,
the default CNI plugin is put to use.
metrics_retention_time
no
Sets the metrics retention time.
metrics_scrape_interval
no
Sets the interval for how frequently managers gather metrics from nodes
in the cluster.
metrics_disk_usage_interval
no
Sets the interval for the gathering of storage metrics, an
operation that can become expensive when large volumes are present.
nvidia_device_plugin
no
Enables the nvidia-gpu-device-plugin, which is disabled by default.
rethinkdb_cache_size
no
Sets the size of the cache for MKE RethinkDB servers.
Default: 1GB
Leaving the field empty or specifying auto instructs
RethinkDB to automatically determine the cache size.
exclude_server_identity_headers
no
Determines whether the X-Server-Ip and X-Server-Name
headers are disabled.
Valid values: true, false.
Default: false
cloud_provider
no
Sets the cloud provider for the Kubernetes cluster.
pod_cidr
yes
Sets the subnet pool from which the CNI IPAM plugin allocates Pod IP
addresses.
Default: 192.168.0.0/16
ipip_mtu
no
Sets the IPIP MTU size for the Calico IPIP tunnel interface.
azure_ip_count
yes
Sets the IP count for Azure allocator to allocate IPs per Azure virtual
machine.
service_cluster_ip_range
yes
Sets the subnet pool from which the IP for Services should be allocated.
Default: 10.96.0.0/16
nodeport_range
yes
Sets the port range for Kubernetes services within which the type
NodePort can be exposed.
Default: 32768-35535
custom_kube_api_server_flags
no
Sets the configuration options for the Kubernetes API server.
Be aware that this parameter function is only for development and
testing. Arbitrary Kubernetes configuration parameters are not tested
and supported under the MKE Software Support Agreement.
custom_kube_controller_manager_flags
no
Sets the configuration options for the Kubernetes controller manager.
Be aware that this parameter function is only for development and
testing. Arbitrary Kubernetes configuration parameters are not tested
and supported under the MKE Software Support Agreement.
custom_kubelet_flags
no
Sets the configuration options for kubelet.
Be aware that this parameter function is only for development and
testing. Arbitrary Kubernetes configuration parameters are not tested
and supported under the MKE Software Support Agreement.
custom_kubelet_flags_profiles (available since MKE 3.7.10)
no
Sets a profile that can be applied to the kubelet agent on any node.
custom_kube_scheduler_flags
no
Sets the configuration options for the Kubernetes scheduler.
Be aware that this parameter function is only for development and
testing. Arbitrary Kubernetes configuration parameters are not tested
and supported under the MKE Software Support Agreement.
local_volume_collection_mapping
no
Set to store data about collections for volumes in the MKE local KV
store instead of on the volume labels. The parameter is used to enforce
access control on volumes.
manager_kube_reserved_resources
no
Reserves resources for MKE and Kubernetes components that are
running on manager nodes.
worker_kube_reserved_resources
no
Reserves resources for MKE and Kubernetes components that are
running on worker nodes.
kubelet_max_pods
yes
Sets the number of Pods that can run on a node.
Maximum: 250
Default: 110
kubelet_pods_per_core
no
Sets the maximum number of Pods per core.
0 indicates that there is no limit on the number of Pods per core.
The number cannot exceed the kubelet_max_pods setting.
Recommended: 10
Default: 0
secure_overlay
no
Enables IPSec network encryption in Kubernetes.
Valid values: true, false.
Default: false
image_scan_aggregation_enabled
no
Enables image scan result aggregation. The feature displays image
vulnerabilities in shared resource/containers and shared
resources/images pages.
Valid values: true, false.
Default: false
swarm_polling_disabled
no
Determines whether resource polling is disabled for both Swarm and
Kubernetes resources, which is recommended for production instances.
Valid values: true, false.
Default: false
oidc_client_id
no
Sets the OIDC client ID, using the eNZi service ID that is in the OIDC
authorization flow.
hide_swarm_ui
no
Determines whether the UI is hidden for all Swarm-only object types (has
no effect on Admin Settings).
Valid values: true, false.
Default: false
You can also set the parameter using the MKE web UI:
Log in to the MKE web UI as an administrator.
In the left-side navigation panel, click the user name
drop-down.
Click Admin Settings > Tuning to open the
Tuning screen.
Toggle on the Hide Swarm Navigation slider located under
the Configure MKE UI heading.
unmanaged_cni
yes
Sets Calico as the CNI provider, managed by MKE. Note that Calico is the
default CNI provider.
calico_ebpf_enabled
yes
Enables Calico eBPF mode.
kube_default_drop_masq_bits
yes
Sets the use of Kubernetes default values for iptables drop and
masquerade bits.
kube_proxy_mode
yes
Sets the operational mode for kube-proxy.
Valid values: iptables, ipvs, disabled.
Default: iptables
cipher_suites_for_kube_api_server
no
Sets the value for the kube-apiserver --tls-cipher-suites
parameter.
cipher_suites_for_kubelet
no
Sets the value for the kubelet --tls-cipher-suites parameter.
cipher_suites_for_etcd_server
no
Sets the value for the etcd server --cipher-suites
parameter.
image_prune_schedule
no
Sets the cron expression used for the scheduling of image pruning. The
parameter accepts either full crontab specifications or descriptors, but
not both.
Full crontab specifications, which include <seconds> <minutes> <hours> <day of month> <month> <day of week>. For example,
"0 0 0 * * *".
Descriptors, which are textual in nature, have a preceding @ symbol.
For example: "@midnight" or "@every 1h30m".
Implement pubkey_auth_cache_enabled only in cases in which there are certain performance issues in high-load clusters, and only under the guidance of Mirantis Support personnel.
Enables public key authentication cache.
Note
ucp-controller must be restarted for setting changes to take
effect.
Default: false.
prometheus_memory_limit
no
The maximum amount of memory that can be used by the Prometheus
container.
Default: 2Gi.
prometheus_memory_request
no
The minimum amount of memory reserved for the Prometheus container.
Default: 1Gi.
shared_sans
no
Subject alternative names for manager nodes.
kube_manager_terminated_pod_gc_threshold
no
Allows users to set the threshold for the terminated Pod garbage
collector in Kube Controller Manager according to their cluster-specific
requirement.
Default: 12500
kube_api_server_request_timeout
no
Timeout for Kube API server requests.
Default: 1m
cadvisor_enabled
no
Enables the ucp-cadvisor component, which runs a standalone
cadvisor instance on each node to provide additional container-level
metrics with all expected labels.
Default: false
calico_controller_probes_tuning
no
Enables the user to specify values for the Calico controller liveness
and readiness probes.
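A brief sketch showing a few of the cluster_config parameters described above
(the values, and the value types of settings such as nodeport_range, are
illustrative assumptions):
[cluster_config]
  controller_port = 443
  swarm_strategy = "spread"
  dns = ["10.0.0.2"]
  pod_cidr = "192.168.0.0/16"
  service_cluster_ip_range = "10.96.0.0/16"
  nodeport_range = "32768-35535"
  kubelet_max_pods = 110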
Set the configuration for the NGINX Ingress Controller to manage traffic that
originates outside of your cluster (ingress traffic).
Note
Prior versions of MKE use Istio Ingress, which employs many of the same
parameters as NGINX Ingress Controller, to manage traffic that originates
from outside of the cluster.
Parameter
Required
Description
enabled
No
Enables HTTP ingress for Kubernetes.
Valid values: true, false.
Default: false
ingress_num_replicas
No
Sets the number of NGINX Ingress Controller deployment replicas.
Default: 2
ingress_external_ips
No
Sets the list of external IPs for Ingress service.
Default: [] (empty)
ingress_enable_lb
No
Enables an external load balancer.
Valid values: true, false.
Default: false
ingress_preserve_client_ip
No
Enables preserving inbound traffic source IP.
Valid values: true, false.
Default: false
ingress_exposed_ports
No
Sets ports to expose.
For each port, provide arrays that contain the following port
information (defaults as displayed):
name = http2
port = 80
target_port = 0
node_port = 33000
name = https
port = 443
target_port = 0
node_port = 33001
name = tcp
port = 31400
target_port = 0
node_port = 33002
ingress_node_affinity
No
Sets node affinity.
key = com.docker.ucp.manager
value = ""
target_port = 0
node_port = 0
ingress_node_toleration
No
Sets node toleration.
For each node, provide an array that contains the following information
(defaults as displayed):
key = com.docker.ucp.manager
value = ""
operator = Exists
effect = NoSchedule
config_map
No
Sets advanced options for the NGINX proxy.
NGINX Ingress Controller uses ConfigMap to configure the NGINX
proxy. For the complete list of available options, refer to the NGINX
Ingress Controller documentation ConfigMap: configuration options.
Examples:
map-hash-bucket-size="128"
ssl-protocols="SSLv2"
ingress_extra_args.http_port
No
Sets the container port for servicing HTTP traffic.
Default: 80
ingress_extra_args.https_port
No
Sets the container port for servicing HTTPS traffic.
Default: 443
ingress_extra_args.enable_ssl_passthrough
No
Enables SSL passthrough.
Default: false
ingress_extra_args.default_ssl_certificate
No
Sets the Secret that contains an SSL certificate to be used as a default
TLS certificate.
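A sketch of a few of these settings in the configuration file; the TOML table
path shown here is an assumption, while the parameter names are those
documented above:
# The table path is an assumption; verify against an exported configuration.
[cluster_config.ingress_controller]
  enabled = true
  ingress_num_replicas = 2
  ingress_external_ips = []
  ingress_enable_lb = false
  ingress_preserve_client_ip = false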
Enable and disable OPA Gatekeeper for policy enforcement.
Note
By design, when the OPA Gatekeeper is disabled using the configuration file,
the Pods are deleted but the policies are not cleaned up. Thus, when the OPA
Gatekeeper is re-enabled, the cluster can immediately adopt the existing
policies.
The retention of the policies poses no risk, as they are just data on the
API server and have no value outside of a OPA Gatekeeper deployment.
Parameter
Required
Description
enabled
No
Enables the Gatekeeper function.
Valid values: true, false.
Default: false.
excluded_namespaces
No
Excludes from the Gatekeeper admission webhook all of the resources that
are contained in a list of namespaces. Specify as a comma-separated
list.
Length of time during which lameduck will run, expressed with integers
and time suffixes, such as s for seconds and m for minutes.
Note
The configured value for duration must be greater than 0s.
Default values are applied for any fields that are left blank.
Default: 7s.
Caution
Editing the CoreDNS config map outside of MKE to configure the lameduck
function is not supported. Any such attempts will be superseded by the
values that are configured in the MKE configuration file.
Configures backup scheduling and notifications for MKE.
Parameter
Required
Description
notification-delay
yes
Sets the number of days that elapse before a user is notified that they
have not performed a recent backup. Set to -1 to disable
notifications.
Default: 7
enabled
yes
Enables backup scheduling.
Valid values: true, false.
Default: false
path
yes
Sets the storage path for scheduled backups. Use
chmod o+w /<path> to ensure that other users have write privileges.
no_passphrase
yes
Sets whether a passphrase is necessary to encrypt the TAR file. A value
of true negates the use of a passphrase. A non-empty value in the
passphrase parameter requires that no_passphrase be set to
false.
Default: false
passphrase
yes
Encrypts the TAR file with a passphrase for all scheduled backups. Must
remain empty if no_passphrase is set to true.
Do not share the configuration file if a passphrase is used, as the
passphrase displays in plain text.
cron_spec
yes
Sets the cron expression in use for scheduling backups. The parameter
accepts either full crontab specifications or descriptors, but not both.
Full crontab specifications include <seconds> <minutes> <hours> <day of month> <month> <day of week>. For example:
"0 0 0 * * *".
Descriptors, which are textual in nature, have a preceding @
symbol. For example: "@midnight" or "@every 1h30m".
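A sketch of these backup scheduling parameters; the enclosing table name shown
here is an assumption, while the parameter names are those documented above:
# The table name is an assumption; verify against an exported configuration.
[backup_schedule_config]
  notification-delay = 7
  enabled = true
  path = "/var/backups/mke"
  no_passphrase = true
  passphrase = ""
  cron_spec = "@midnight"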
Minimum Time To Live (TTL) for retaining certain events in etcd.
Default: 0
cron_expression
yes
Sets the cron expression to use for scheduling backups.
cron_expression accepts either full crontab specifications or
descriptors. It does not, though, concurrently accept both.
Full crontab specifications include <seconds> <minutes> <hours>
<day-of-month> <month> <day-of-week>.
For example, 0 0 0 * * MON
Descriptors, which are textual in nature, have a preceding @
symbol. For example: “@weekly”, “@monthly” or “@every 72h”.
The etcd cleanup operation starts with the deletion of the events, which
is followed by the compacting of the etcd revisions. The cleanup
scheduling interval must be set for a minimum of 72 hours.
Enables defragmentation of the etcd cluster after successful cleanup.
Warning
The etcd cluster defragmentation process can cause temporary
performance degradation. To minimize possible impact, schedule
cron_expression to occur during off-peak hours or periods of low
activity.
Valid values: true, false.
Default: false
defrag_pause_seconds
no
Sets the period of time, in seconds, to pause between issuing defrag
commands to etcd members.
Default: 60
defrag_timeout_seconds
no
Sets the period of time, in seconds, that each etcd member is allotted
to complete defragmentation. If the defragmentation of a member times
out before the process is successfully completed, the entire cluster
defragmentation is aborted.
Configures use of Windows GMSA credential specifications.
Parameter
Required
Description
windows_gmsa
no
Allows creation of GMSA credential specifications for the Kubernetes
cluster, as well as automatic population of full credential
specifications for any Pod on which the GMSA credential specification is
referenced in the security context of that Pod.
For information on how to enable GMSA and how to obtain different
components of the GMSA specification for one or more GMSA accounts in
your domain, refer to the official Windows documentation.
For detail on how to use the MKE web UI to scale your cluster, refer to
Join Linux nodes or Join Windows worker nodes, depending on which
operating system you use. In particular, these topics offer information on
adding nodes to a cluster and configuring node availability.
You can also use the command line to perform all scaling operations.
Scale operation
Command
Obtain the join token
Run the following command on a manager node to obtain the join token
that is required for cluster scaling. Use either worker or manager for the
<node-type>:
docker swarm join-token <node-type>
Configure a custom listen address
Specify the address and port where the new node listens for inbound
cluster management traffic:
Mirantis Kubernetes Engine (MKE) offers support for a Key
Management Service (KMS) plugin that allows access to third-party secrets
management solutions, such as Vault. MKE uses this plugin to facilitate
access from Kubernetes clusters.
MKE will not health check, clean up, or otherwise manage the KMS plugin.
Thus, you must deploy KMS before a machine becomes an MKE manager, or else
it may be considered unhealthy.
Use MKE to manage the KMS plugin configuration. MKE maintains
ownership of the Kubernetes EncryptionConfig file, in which the KMS plugin
is configured for Kubernetes. MKE does not check the file contents following
deployment.
MKE adds new configuration options to the cluster configuration table.
Configuration of these options takes place through the API and not the MKE web
UI.
The following table presents the configuration options for the KMS plugin, all
of which are optional.
Parameter
Type
Description
kms_enabled
bool
Sets MKE to configure a KMS plugin.
kms_name
string
Name of the KMS plugin resource (for example, vault).
kms_endpoint
string
Path of the KMS plugin socket. The path must refer to a UNIX socket on
the host (for example, /tmp/socketfile.sock). MKE bind mounts this
file to make it accessible to the API server.
kms_cachesize
int
Number of data encryption keys (DEKs) to cache in the clear.
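For illustration, the options might be set as follows. This is a sketch only:
the placement under cluster_config, the socket path, and the cache size are
assumptions, while the parameter names come from the table above.
    [cluster_config]
      kms_enabled = true
      kms_name = "vault"
      kms_endpoint = "/tmp/socketfile.sock"
      kms_cachesize = 1000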
Mirantis Kubernetes Engine (MKE) can use local network drivers to orchestrate
your cluster. You can create a config network with a driver such as MAC VLAN,
and use this network in the same way as any other named network in MKE. In
addition, if the network is created as attachable, you can attach containers to it.
Warning
Encrypting communication between containers on different nodes only works
with overlay networks.
To create a node-specific network for use with MKE, always do so through MKE,
using either the MKE web UI or the CLI with an admin bundle. If you create such
a network without MKE, it will not have the correct access label and
it will not be available in MKE.
In the left-side navigation menu, click Swarm > Networks.
Click Create to call the Create Network screen.
Select macvlan from the Drivers dropdown.
Enter macvlan into the Name field.
Select the type of network to create, Network or
Local Config.
If you select Local Config, the SCOPE is
automatically set to Local. You subsequently select the nodes
for which to create the Local Config from those listed. MKE will prefix
the network with the node name for each selected node to ensure consistent
application of access labels, and you then select a Collection
for the Local Configs to reside in. All Local Configs with
the same name must be in the same collection, or MKE returns an error. If
you do not select a Collection, the network is placed in
your default collection, which is / in a new MKE installation.
If you select Network, the SCOPE is automatically
set to Swarm. Choose an existing Local Config from
which to create the network. The network and its labels and collection
placement are inherited from the related Local Configs.
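For the CLI path, the following is a sketch of the equivalent docker network
create commands, run against MKE through an admin client bundle. The subnet,
gateway, parent interface, and network names are placeholders, and the
node-specific prefixing and collection placement described above still apply.
    docker network create --config-only --subnet 192.168.10.0/24 --gateway 192.168.10.1 -o parent=eth0 macvlan-config
    docker network create -d macvlan --scope swarm --config-from macvlan-config macvlan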
The self-deployed MKE Cluster Root CA server issues certificates for MKE
cluster nodes and internal components that enable the components to communicate
with each other. The server also issues certificates that are used in admin
client bundles.
To rotate the certificate material of the MKE Cluster Root CA or provide your
own certificate and private key:
Caution
If there are unhealthy nodes in the cluster, CA rotation will be unable to
complete. If rotation seems to be hanging, run docker node ls
--format "{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}" to determine
whether any nodes are down or are otherwise unable to rotate TLS
certificates.
The MKE Cluster Root CA server is coupled with the Docker Swarm Root CA, as
MKE nodes are also swarm nodes. Thus, do not use the docker swarm ca
command in any form to rotate the Docker Swarm Root CA certificate, as doing
so may break your MKE cluster.
Rotating MKE Cluster Root CA causes several MKE components to restart,
which can result in cluster downtime. As such, Mirantis recommends
performing such rotations outside of peak business hours.
You should only rotate the MKE Cluster Root CA certificate for reasons of
security, a good example being if the certificate has been compromised.
The MKE Cluster Root CA certificate is valid for 20 years, thus rotation is
typically not necessary.
You must use the MKE CLI to rotate the existing root CA certificate or to
provide your own root CA certificate and private key:
SSH into one of the manager nodes of your cluster.
Make a backup prior to making changes to MKE
Cluster Root CA.
The self-deployed MKE etcd Root CA server issues certificates for MKE
components that enable the components to communicate with etcd cluster.
Important
If you upgraded your cluster from any version of MKE prior to MKE 3.7.2, the
etcd root CA will not be unique. To ensure the uniqueness of the etcd root
CA, rotate the etcd CA material using the instructions herein.
To rotate the certificate material of the MKE etcd Root CA or provide your
own certificate and private key:
Caution
Rotating MKE etcd Root CA causes several MKE components to restart,
which can result in cluster downtime. As such, Mirantis recommends
performing such rotations outside of peak business hours.
Other than the aforementioned purpose of ensuring the uniqueness of the
etcd root CA, you should only rotate the MKE etcd Root CA certificate for
reasons of security, a good example being if the certificate has been
compromised. The MKE etcd Root CA certificate is valid for 20 years, thus
rotation is typically not necessary.
You must use the MKE CLI to rotate the existing root CA certificate and private
key:
SSH into one of the manager nodes of your cluster.
Make a backup prior to making changes to MKE
etcd Root CA.
MKE deploys the MKE Client Root CA server to act as the default signer of the
Kubernetes Controller Manager, while also signing TLS certificates for
non-admin client bundles. In addition, this CA server is used by default when
accessing MKE API using HTTPS.
Note
To replace the MKE Client Root CA server with an external CA for MKE API use
only, refer to Use your own TLS certificates.
To rotate the existing root CA certificate or provide your own certificate
and private key:
Caution
As rotating the MKE Client Root CA invalidates all previously created
non-admin client bundles, you will need to recreate these bundles
following the rotation.
You should only rotate the MKE Client Root CA certificate for reasons of
security, a good example being if the certificate has been compromised.
The MKE Client Root CA certificate is valid for 20 years, thus rotation is
typically not necessary.
You must use the MKE CLI to rotate the existing root CA certificate or to
provide your own root CA certificate and private key:
SSH into one of the manager nodes of your cluster.
Make a backup prior to making changes to the MKE
Client Root CA.
To ensure all communications between clients and MKE are encrypted, all MKE
services are exposed using HTTPS. By default, this is done using
self-signed TLS certificates that are not trusted by client tools such as
web browsers. Thus, when you try to access MKE, your browser warns that it
does not trust MKE or that MKE has an invalid certificate.
You can configure MKE to use your own TLS certificates. As a result, your
browser and other client tools will trust your MKE installation.
Mirantis recommends that you make this change outside of peak business hours.
Your applications will continue to run normally, but existing MKE client
certificates will become invalid, and thus users will have to download new
certificates to access MKE from the CLI.
To configure MKE to use your own TLS certificates and keys:
Log in to the MKE web UI as an administrator.
In the left-side navigation panel, navigate to
<user name> > Admin Settings > Certificates.
Upload your certificates and keys based on the following table.
Note
All keys and certificates must be uploaded in PEM format.
Type
Description
Private key
The unencrypted private key for MKE. This key must correspond to the
public key used in the server certificate. This key does not use a
password.
Click Upload Key to upload a PEM file.
Server certificate
The MKE public key certificate, which establishes a chain of trust up
to the root CA certificate. It is followed by the certificates of any
intermediate certificate authorities.
Click Upload Certificate to upload a PEM file.
CA certificate
The public key certificate of the root certificate authority that
issued the MKE server certificate. If you do not have a CA
certificate, use the top-most intermediate certificate instead.
Click Upload CA Certificate to upload a PEM file.
Client CA
This field may contain one or more Root CA certificates that the MKE
controller uses to verify that client certificates are issued by a
trusted entity.
Click Upload CA Certificate to upload a PEM file.
Click Download MKE Server CA Certificate to download the
certificate as a PEM file.
Note
MKE is automatically configured to trust its internal CAs, which
issue client certificates as part of generated client bundles.
However, you may supply MKE with additional custom root CA
certificates using this field to enable MKE to trust the client
certificates issued by your corporate or trusted third-party
certificate authorities. Note that your custom root certificates
will be appended to MKE internal root CA certificates.
Click Save.
After replacing the TLS certificates, your users will not be able to
authenticate with their old client certificate bundles. Ask your users
to access the MKE web UI and download new client certificate
bundles.
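To verify before uploading that the private key corresponds to the server
certificate, you can compare their moduli. The following is a minimal sketch
using standard openssl commands for RSA material, with placeholder file
names; the two digests must match.
    openssl x509 -noout -modulus -in mke.crt | openssl md5
    openssl rsa -noout -modulus -in mke.key | openssl md5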
Mirantis offers its own image registry, Mirantis Secure Registry (MSR), which
you can use to store and manage the images that you deploy to your cluster.
This topic describes how to use MKE to push the official WordPress image to MSR
and later deploy that image to your cluster.
To create an MSR image repository:
Log in to the MKE web UI.
From the left-side navigation panel, navigate to
<user name> > Admin Settings > Mirantis Secure Registry.
In the Installed MSRs section, capture the MSR URL for your
cluster.
In a new browser tab, navigate to the MSR URL captured in the previous step.
From the left-side navigation panel, click Repositories.
Click New repository.
In the namespace field under New Repository, select
the required namespace. The default namespace is your user name.
In the name field under New Repository, enter the
name wordpress.
To create the repository, click Save.
To push an image to MSR:
In this example, you will pull the official WordPress image from Docker Hub,
tag it, and push it to MSR. Once pushed to MSR, only authorized users will
be able to make changes to the image. Pushing to MSR requires CLI access to
a licensed MSR installation.
Pull the public WordPress image from Docker Hub:
docker pull wordpress
Tag the image, using the IP address or DNS name of your MSR instance. For
example:
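A minimal sketch, assuming the admin namespace and the latest tag shown
later in this topic; substitute your MSR URL and port, and then push the
tagged image:
    docker tag wordpress:latest <msr-url>:<port>/admin/wordpress:latest
    docker push <msr-url>:<port>/admin/wordpress:latest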
The Deployment object YAML specifies your MSR image in the Pod
template spec: image:<msr-url>:<port>/admin/wordpress:latest. Also,
the YAML file defines a NodePort service that exposes the WordPress
application so that it is accessible from outside the cluster.
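A hedged sketch of such a manifest follows. Only the wordpress-deployment
name and the image reference are taken from this topic; the labels, service
name, and nodePort value are placeholder assumptions.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: wordpress-deployment
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: wordpress
      template:
        metadata:
          labels:
            app: wordpress
        spec:
          containers:
          - name: wordpress
            image: <msr-url>:<port>/admin/wordpress:latest
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: wordpress-service
    spec:
      type: NodePort
      selector:
        app: wordpress
      ports:
      - port: 80
        nodePort: 30080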
Click Create. Creating the new Kubernetes objects will open the
Controllers page.
After a few seconds, verify that wordpress-deployment has a
green status icon and is thus successfully deployed.
When you add a node to your cluster, by default its workloads are managed
by Swarm. Changing the default orchestrator does not affect existing nodes
in the cluster. You can also change the orchestrator type for individual
nodes in the cluster.
The workloads on your cluster can be scheduled by Kubernetes, Swarm, or a
combination of the two. If you choose to run a mixed cluster, be aware that
different orchestrators are not aware of each other, and thus there is no
coordination between them.
Mirantis recommends that you decide which orchestrator you will use when
initially setting up your cluster. Once you start deploying workloads, avoid
changing the orchestrator setting. If you do change the node orchestrator,
your workloads will be evicted and you will need to deploy them again using the
new orchestrator.
Caution
When you promote a worker node to be a manager, its orchestrator type
automatically changes to Mixed. If you later demote that node to be
a worker, its orchestrator type remains as Mixed.
Note
The default behavior for Mirantis Secure Registry (MSR) nodes is to run in
the Mixed orchestration mode. If you change the MSR orchestrator type to
Swarm or Kubernetes only, reconciliation will revert the node back to the
Mixed mode.
When you change the node orchestrator, existing workloads are
evicted and they are not automatically migrated to the new orchestrator.
You must manually migrate them to the new orchestrator. For example, if you
deploy WordPress on Swarm, and you change the node orchestrator to
Kubernetes, MKE does not migrate the workload, and WordPress continues
running on Swarm. You must manually migrate your WordPress deployment to
Kubernetes.
The following table summarizes the results of changing a node
orchestrator.
Workload
Orchestrator-related change
Containers
Containers continue running on the node.
Docker service
The node is drained and tasks are rescheduled to another node.
Pods and other imperative resources
Imperative resources continue running on the node.
Deployments and other declarative resources
New declarative resources will not be scheduled on the node and
existing ones will be rescheduled at a time that can vary based on
resource details.
If a node is running containers and you change the node to Kubernetes,
the containers will continue running and Kubernetes will not be aware of
them. This is functionally the same as running the node in the Mixed mode.
Warning
The Mixed mode is not intended for production use and it may impact
the existing workloads on the node.
This is because the two orchestrator types have different views of the node
resources and are not aware of each other's resources. One orchestrator can
schedule a workload without knowing
that the node resources are already committed to another workload
that was scheduled by the other orchestrator. When this happens, the
node can run out of memory or other resources.
Mirantis strongly recommends against using the Mixed mode in production
environments.
To change the node orchestrator using the MKE web UI:
Log in to the MKE web UI as an administrator.
From the left-side navigation panel, navigate to
Shared Resources > Nodes.
Click the node that you want to assign to a different orchestrator.
In the upper right, click the Edit Node icon.
In the Details pane, in the Role section under
ORCHESTRATOR TYPE, select either Swarm,
Kubernetes, or Mixed.
Warning
Mirantis strongly recommends against using the Mixed mode in
production environments.
Click Save to assign the node to the selected orchestrator.
To change the node orchestrator using the CLI:
Set the orchestrator on a node by assigning the orchestrator labels,
com.docker.ucp.orchestrator.swarm or
com.docker.ucp.orchestrator.kubernetes to true.
Change the node orchestrator. Select from the following options:
You must first add the target orchestrator label and then remove
the old orchestrator label. Doing this in the reverse order can
fail to change the orchestrator.
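For example, to move a node from Swarm to Kubernetes, add the Kubernetes
label first and then remove the Swarm label, as in the following sketch with
a placeholder node ID:
    docker node update --label-add com.docker.ucp.orchestrator.kubernetes=true <node-id>
    docker node update --label-rm com.docker.ucp.orchestrator.swarm <node-id>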
Verify the value of the orchestrator label by inspecting the node:
docker node inspect <node-id> | grep -i orchestrator
Example output:
"com.docker.ucp.orchestrator.kubernetes":"true"
Important
The com.docker.ucp.orchestrator label is not displayed in the MKE web UI
Labels list, which appears in the Overview pane for each node.
MKE administrators can filter the view of Kubernetes objects by the
namespace that the objects are assigned to, specifying a single namespace
or all available namespaces. This topic describes how to deploy services to two
newly created namespaces and then view those services, filtered by namespace.
To create two namespaces:
Log in to the MKE web UI as an administrator.
From the left-side navigation panel, click Kubernetes.
Click Create to open the Create Kubernetes Object
page.
Leave the Namespace drop-down blank.
In the Object YAML editor, paste the following YAML code:
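The original manifest is not reproduced here; the following is a hedged
sketch that creates the green namespace and the app-service-green service,
with the deployment name, labels, and nginx image as placeholder assumptions.
The blue namespace and the app-service-blue service referenced later in this
topic follow the same pattern.
    apiVersion: v1
    kind: Namespace
    metadata:
      name: green
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: app-green
      namespace: green
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: app-green
      template:
        metadata:
          labels:
            app: app-green
        spec:
          containers:
          - name: nginx
            image: nginx:latest
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: app-service-green
      namespace: green
    spec:
      selector:
        app: app-green
      ports:
      - port: 80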
Click Create to deploy the service in the green
namespace.
To view the newly created services:
In the left-side navigation panel, click Namespaces.
In the upper-right corner, click the Set context for all
namespaces toggle. The indicator in the left-side navigation panel under
Namespaces changes to All Namespaces.
Click Services to view your services.
Filter the view by namespace:
In the left-side navigation panel, click Namespaces.
Hover over the blue namespace and click Set Context.
The indicator in the left-side navigation panel under
Namespaces changes to blue.
Click Services to view the app-service-blue service.
Note that the app-service-green service does not display.
Perform the foregoing steps on the green namespace to view only the
services deployed in the green namespace.
MKE is designed to facilitate high availability (HA). You can join multiple
manager nodes to the cluster, so that if one manager node fails, another one
can automatically take its place without impacting the cluster.
Including multiple manager nodes in your cluster allows you to handle manager
node failures and load-balance user requests across all manager nodes.
The relationship between the number of manager nodes and the number of
failures that your cluster can tolerate is as follows:
1 manager node tolerates 0 failures.
3 manager nodes tolerate 1 failure.
5 manager nodes tolerate 2 failures.
For deployment into production environments, follow these best practices:
For HA with minimal network overhead, Mirantis recommends using three manager
nodes, and no more than five. Adding more manager nodes than this can lead to
performance degradation, as configuration changes must be replicated across
all manager nodes.
You should bring failed manager nodes back online as soon as possible, as
each failed manager node decreases the number of failures that your cluster
can tolerate.
You should distribute your manager nodes across different availability
zones. This way your cluster can continue working even if an entire
availability zone goes down.
MKE allows you to add or remove nodes from your cluster as your needs change
over time.
Because MKE leverages the clustering functionality provided by
Mirantis Container Runtime (MCR), you use the docker swarm join
command to add more nodes to your cluster. When you join a new node, MCR
services start running on the node automatically.
You can add both Linux manager and
worker nodes to your cluster.
Prior to adding a node that was previously a part of the same MKE cluster or
a different one, you must run the following command to remove any stale MKE
volumes:
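A minimal sketch of such a cleanup, assuming the stale volumes carry the ucp
name prefix; review the listed volumes before removing anything.
    docker volume ls -q --filter name=ucp
    docker volume rm $(docker volume ls -q --filter name=ucp)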
You can promote worker nodes to managers to make MKE fault tolerant. You can
also demote a manager node into a worker node.
Log in to the MKE web UI.
In the left-side navigation panel, navigate to
Shared Resources > Nodes and select the required node.
In the upper right, select the Edit Node icon.
In the Role section, click Manager or
Worker.
Click Save and wait until the operation completes.
Navigate to Shared Resources > Nodes and verify the new node
role.
Note
If you are load balancing user requests to MKE across multiple manager
nodes, you must remove these nodes from the load-balancing pool when
demoting them to workers.
MKE allows you to add or remove nodes from your cluster as your needs change
over time.
Because MKE leverages the clustering functionality provided by
Mirantis Container Runtime (MCR), you use the docker swarm join
command to add more nodes to your cluster. When you join a new node, MCR
services start running on the node automatically.
The following features are not yet supported using Windows Server:
Category
Feature
Networking
Encrypted networks are not supported. If you have upgraded from a
previous version of MKE, you will need to recreate an unencrypted
version of the ucp-hrm network.
Secrets
When using secrets with Windows services, Windows stores temporary
secret files on your disk. You can use BitLocker on the volume
containing the Docker root directory to encrypt the secret data at
rest.
When creating a service that uses Windows containers, the options
to specify UID, GID, and mode are not supported for secrets.
Secrets are only accessible by administrators and users with system
access within the container.
Mounts
On Windows, Docker cannot listen on a Unix socket. Use TCP or a
named pipe instead.
If the cluster is deployed in a site that is offline, sideload MKE images
onto the Windows Server nodes. For more information, refer to
Install MKE offline.
On a manager node, list the images that are required on Windows nodes:
After joining multiple manager nodes for high availability (HA), you can
configure your own load balancer to balance user requests across all
manager nodes.
Use of a load balancer allows users to access MKE using a centralized domain
name. The load balancer can detect when a manager node fails and stop
forwarding requests to that node, so that users are unaffected by the failure.
By default, both MKE and Mirantis Secure Registry (MSR) use port 443. If you
plan to deploy MKE and MSR together, your load balancer must
distinguish traffic between the two by IP address or port number.
If you want MKE and MSR both to use port 443, then you must either use separate
load balancers for each or use two virtual IPs. Otherwise, you must configure
your load balancer to expose MKE or MSR on a port other than 443.
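As one possible approach, not a prescribed MKE configuration, the following
is a minimal NGINX stream (TCP pass-through) sketch with placeholder manager
addresses; health checks and the MKE/MSR port separation discussed above are
omitted.
    stream {
        upstream mke_managers {
            server <manager-0-ip>:443;
            server <manager-1-ip>:443;
            server <manager-2-ip>:443;
        }
        server {
            listen 443;
            proxy_pass mke_managers;
        }
    }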
Two-factor authentication (2FA) adds an extra layer of security when logging
in to the MKE web UI. Once enabled, 2FA requires the user to submit an
additional authentication code generated on a separate mobile device along
with their user name and password at login.
MKE 2FA requires the use of a time-based one-time password (TOTP)
application installed on a mobile device to generate a time-based
authentication code for each login to the MKE web UI. Examples of such
applications include 1Password,
Authy, and
LastPass Authenticator.
To configure 2FA:
Install a TOTP application to your mobile device.
In the MKE web UI, navigate to My Profile > Security.
Toggle the Two-factor authentication control to
enabled.
Open the TOTP application and scan the offered QR code. The device will
display a six-digit code.
Enter the six-digit code in the offered field and click
Register. The TOTP application will save your MKE account.
Important
A set of recovery codes displays in the MKE web UI when two-factor
authentication is enabled. Save these codes in a safe location, as they
can be used to access the MKE web UI if for any reason the
configured mobile device becomes unavailable. Refer to
Recover 2FA for details.
Once 2FA is enabled, you will need to provide an authentication code each time
you log in to the MKE web UI. Typically, the TOTP application installed on your
mobile device generates the code and refreshes it every 30 seconds.
Access the MKE web UI with 2FA enabled:
In the MKE web UI, click Sign in. The Sign in page
will display.
Enter a valid user name and password.
Access the MKE code in the TOTP application on your mobile device.
Enter the current code in the 2FA Code field in the MKE web UI.
Note
Multiple authentication failures may indicate a lack of synchronization between the mobile device clock and the mobile provider.
If the mobile device with authentication codes is unavailable, you can
re-access MKE using any of the recovery codes that display in the MKE web UI
when 2FA is first enabled.
To recover 2FA:
Enter one of the recovery codes when prompted for the two-factor
authentication code upon login to the MKE web UI.
Navigate to My Profile > Security.
Disable 2FA and then re-enable it.
Open the TOTP application and scan the offered QR code. The device will
display a six-digit code.
Enter the six-digit code in the offered field and click
Register. The TOTP application will save your MKE account.
If there are no recovery codes to draw from, ask your system administrator to
disable 2FA in order to regain access to the MKE web UI. Once done, repeat the
Configure 2FA procedure to reinstate 2FA
protection.
MKE administrators are not able to re-enable 2FA for users.
You can configure MKE so that a user account is temporarily blocked from
logging in following a series of unsuccessful login attempts. The account
lockout feature applies only to login attempts that are made using basic
authorization or LDAP; login attempts that use either SAML or OIDC do not
trigger the account lockout feature. Admin accounts are never locked.
Account lockouts expire after a set amount of time, after which the affected
user can log in as normal. Subsequent login attempts against a locked account
do not extend the lockout period. Login attempts against a locked account
always return a standard incorrect credentials error, providing no indication
to the user that the account is locked. Only MKE admins can see account
lockout status.
Set the following parameters in the auth.account_lock section of the MKE
configuration file, as illustrated in the sketch that follows these steps:
Set the value of enabled to true.
Set the value of failureTriggers to the number of failed login attempts
that can be made before an account is locked.
Set the value of durationSeconds to the desired lockout duration. A
value of 0 indicates that the account will remain locked until it is
unlocked by an administrator.
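A configuration sketch that combines these settings; the numeric values shown
are illustrative assumptions.
    [auth.account_lock]
      enabled = true
      failureTriggers = 10
      durationSeconds = 1800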
The account remains locked until the specified amount of time has elapsed.
Otherwise, you must either have an administrator unlock the account or globally
disable the account lockout feature.
To unlock a locked account:
Log in to the MKE web UI as an administrator.
In the left-side navigation panel, navigate to
Access Control > Users and select the user who is locked out of
their account.
Click the gear icon in the upper right corner.
Navigate to the Security tab.
Note
An expired account lock only resets once a new login attempt is made.
Until such time, the account will present as locked to administrators.
Using kubelet node profiles, you can customize your kubelet settings at a
node-by-node level, rather than setting cluster-wide flags that apply to
all of your kubelet agents.
Note
MKE does not currently support kubelet node profiles on Windows nodes.
Once you have added the new kubelet node profiles to the MKE configuration file and uploaded the
file to MKE, you can apply the profiles to your nodes.
Any changes you make to a kubelet node profile instantly affect the nodes on
which the profile is in use. As such, Mirantis strongly recommends that you
first test any modifications in a limited scope, by creating a new profile with
the modifications and applying it to a small number of nodes.
Warning
Misconfigured modifications made to a kubelet node profile that is in use by
a large number of cluster nodes can result in those nodes becoming
nonoperational.
Example scenario:
You have defined the following kubelet node profiles in the MKE configuration
file:
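A hedged sketch of such profile definitions; the section name matches the one
shown later in this topic, while the exact profile value syntax and the
--kube-reserved values are assumptions to verify against the MKE
configuration reference.
    [cluster_config.custom_kubelet_flags_profiles]
      low = ["--kube-reserved=cpu=100m"]
      lowtest = ["--kube-reserved=cpu=200m"]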
Apply the new lowtest label to a
small set of test nodes.
Once the profile is verified on your
test nodes, remove lowtest from the profile definition and update
low to use the updated --kube-reserved=cpu value.
Configure Graceful Node Shutdown with kubelet node profiles
Available since MKE 3.7.12
To configure Graceful Node Shutdown grace periods in an MKE cluster, set the
following flags in the [cluster_config.custom_kubelet_flags_profiles]
section of the MKE configuration file:
--shutdown-grace-period=0s
--shutdown-grace-period-critical-pods=0s
The GracefulNodeShutdown feature gate is enabled by default, with
shutdown grace period parameters both set to 0s.
When you add your custom kubelet profiles, insert and set the GracefulNodeShutdown
flags in the MKE configuration file. For example:
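A hedged sketch that assumes the same profile syntax as in the previous
example, with illustrative grace period values.
    [cluster_config.custom_kubelet_flags_profiles]
      gracefulshutdown = ["--shutdown-grace-period=60s", "--shutdown-grace-period-critical-pods=30s"]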
The Graceful Node Shutdown feature may present various issues.
Missing kubelet inhibitors and ucp-kubelet errors
A Graceful Node Shutdown configuration of --shutdown-grace-period=60s
--shutdown-grace-period-critical-pods=50s can result in an error message.
The error message indicates missing kubelet inhibitors and ucp-kubelet errors,
due to the current default InhibitDelayMaxSec setting of 30s in
the operating system.
You can resolve the issue either by changing the InhibitDelayMaxSec
parameter setting to a larger value or by removing it.
The configuration file that contains the InhibitDelayMaxSec parameter setting
can be located in any one of a number of locations, for example,
/etc/systemd/logind.conf or a drop-in file under /etc/systemd/logind.conf.d/.
Graceful node drain does not occur and the pods are not terminated
Due to the systemd PrepareForShutdown signal not being sent to dbus, in
some operating system distributions graceful node drain does not occur and the
pods are not terminated.
Currently, in the following cases, the PrepareForShutdown signal is
triggered and the Graceful Node Shutdown feature works as intended:
If you delete a kubelet node profile from the MKE configuration file, the
nodes that are using that profile will enter an erroneous state. For this
reason, MKE
prevents users from deleting any kubelet node profile that is in use by a
cluster node. It is a best practice, though, to verify before deleting any
profile that it is not in use.
Example scenario:
To check whether any nodes are using a previously defined low profile, run:
The result indicates that one node is using the low kubelet node profile.
Clear the profile from that node before deleting the profile.
Any time there is an issue with your cluster, OpsCare routes notifications from
your MKE deployment to Mirantis support engineers. These company personnel will
then either directly resolve the problem or arrange to troubleshoot the matter
with you.
To configure OpsCare you must first obtain a Salesforce username, password, and
environment ID from your Mirantis Customer Success Manager. You then store
these credentials as Swarm secrets using the following naming convention:
User name: sfdc_opscare_api_username
Password: sfdc_opscare_api_password
Environment ID: sfdc_environment_id
Note
Every cluster that uses OpsCare must have its own unique
sfdc_environment_id.
OpsCare requires that MKE has access to mirantis.my.salesforce.com
on port 443.
Any custom certificates in use must contain all of the manager node
private IP addresses.
The provided Salesforce credentials are not associated with the Mirantis
support portal login, but are for OpsCare alerting only.
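A minimal sketch of creating the three secrets from a manager node, with
placeholder credential values; docker secret create reads the secret data
from standard input when - is supplied.
    echo -n '<salesforce-username>' | docker secret create sfdc_opscare_api_username -
    echo -n '<salesforce-password>' | docker secret create sfdc_opscare_api_password -
    echo -n '<environment-id>' | docker secret create sfdc_environment_id -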
OpsCare uses a predefined group of MKE alerts
to notify your Customer Success Manager of problems with your deployment. This
alert group is identical to the one seen in any MKE cluster that is
provisioned by Mirantis Container Cloud. A single watchdog alert serves to
verify the
proper function of the OpsCare alert pipeline as a whole.
To verify that the OpsCare alerts are functioning properly:
You must disable OpsCare before you can delete the three secrets in use.
To disable OpsCare:
Log in to the MKE web UI.
Using the left-side navigation panel, navigate to
<username> > Admin Settings > Usage.
Toggle the Enable Ops Care slider to the left.
Alternatively, you can disable OpsCare by changing the ops_care entry in
the MKE configuration file to false.
Configure cluster and service networking in an existing cluster
On systems that use the managed CNI, you can switch existing clusters to either
kube-proxy with ipvs proxier or eBPF mode.
MKE does not support switching kube-proxy in an existing cluster from ipvs
proxier to iptables proxier, nor does it support disabling eBPF mode after it
has been enabled. Using a CNI that supports both cluster and service networking
requires that you disable kube-proxy.
Refer to Cluster and service networking options in the MKE Installation
Guide for information on how to configure cluster and service networking at
install time.
Caution
The configuration changes described here cannot be reversed. As such,
Mirantis recommends that you make a cluster backup, drain your workloads,
and take your cluster offline prior to performing any of these changes.
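As an illustration only, the switch is made through the MKE configuration
file; the parameter names below are assumptions and must be verified against
the configuration reference for your MKE version before use.
    [cluster_config]
      # Assumed parameter: switch kube-proxy to the ipvs proxier
      kube_proxy_mode = "ipvs"
      # Assumed parameters: enable eBPF mode, which requires kube-proxy to
      # be disabled, as noted above
      # kube_proxy_disabled = true
      # calico_ebpf_enabled = true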