Create a managed bare metal cluster

This section instructs you on how to configure and deploy a managed cluster that is based on the baremetal-based management cluster through the Mirantis Container Cloud web UI.

Note

Due to the known issue 50181, creation of a compact managed cluster or addition of any labels to the control plane nodes is not available through the Container Cloud web UI.

To create a managed cluster on bare metal:

1. Available since the Cluster release 16.1.0 on the management cluster. If you plan to deploy a large managed cluster, enable dynamic IP allocation to increase the amount of baremetal hosts to be provisioned in parallel. For details, see Enable dynamic IP allocation.

2. Available since Container Cloud 2.24.0 (Cluster release 14.0.0). Optional. Technology Preview. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related Machine object name. For example, instead of the default kaas-node-<UID>, a machine host name will be master-0. The custom naming format is more convenient and easier to operate with.

   For details, see Configure host names for cluster machines.

   Skip this step if you enabled this feature during management cluster bootstrap, because custom host names will be automatically enabled on the related managed cluster as well.

3. Log in to the Container Cloud web UI with the writer permissions.

4. Switch to the required non-default project using the Switch Project action icon located on top of the main left-side navigation panel.

   Caution

   Do not create a MOSK cluster in the default project (Kubernetes namespace), which is dedicated for the management cluster only. If no projects are defined, first create a new mosk project as described in Create a project for MOSK clusters.

5. In the SSH keys tab, click Add SSH Key to upload the public SSH key that will be used for the SSH access to VMs.

6. Optional. In the Proxies tab, enable proxy access to the managed cluster:

   1. Click Add Proxy.

   2. In the Add New Proxy wizard, fill out the form with the following parameters:

      Proxy configuration

      Parameter	Description
      Proxy Name	Name of the proxy server to use during a managed cluster creation.
      Region Removed in MOSK 24.1	From the drop-down list, select the required region.
      HTTP Proxy	Add the HTTP proxy server domain name in the following format: http://proxy.example.com:port - for anonymous access http://user:password@proxy.example.com:port - for restricted access
      HTTPS Proxy	Add the HTTPS proxy server domain name in the same format as for HTTP Proxy.
      No Proxy	Comma-separated list of IP addresses or domain names.

   Note

   The possibility to use a MITM proxy with a CA certificate is available since MOSK 23.1.

   For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Reference Architecture: Requirements.

7. In the Clusters tab, click Create Cluster.

8. Configure the new cluster in the Create New Cluster wizard that opens:

   1. Define general and Kubernetes parameters:

      Create new cluster: General, Provider, and Kubernetes

      Section	Parameter name	Description
      General settings	Cluster name	The cluster name.
      	Provider	Select Baremetal.
      	Region Removed since MOSK 24.1	From the drop-down list, select Baremetal.
      	Release version	Select a Container Cloud version with the OpenStack label tag. Otherwise, you will not be able to deploy MOSK on this managed cluster.
      	Proxy	Optional. From the drop-down list, select the proxy server name that you have previously created.
      	SSH keys	From the drop-down list, select the SSH key name that you have previously added for SSH access to the bare metal hosts.
      	Container Registry	From the drop-down list, select the Docker registry name that you have previously added using the Container Registries tab. For details, see Define a custom CA certificate for a private Docker registry.
      	Enable WireGuard	Optional. Technology Preview. Deprecated since Container Cloud 2.29.0 (Cluster releases 17.4.0 and 16.4.0). Available since Container Cloud 2.24.0 (Cluster release 14.0.0). Enable WireGuard for traffic encryption on the Kubernetes workloads network. WireGuard configuration Ensure that the Calico MTU size is at least 60 bytes smaller than the interface MTU size of the workload network. IPv4 WireGuard uses a 60-byte header. For details, see Set the MTU size for Calico. Enable WireGuard by selecting the Enable WireGuard check box. Caution Changing this parameter on a running cluster causes a downtime that can vary depending on the cluster size. Note This parameter was renamed from Enable Secure Overlay to Enable WireGuard in Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0). For more details about WireGuard, see Calico documentation: Encrypt in-cluster pod traffic.
      	Parallel Upgrade Of Worker Machines	Optional. Available since Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0). The maximum number of the worker nodes to update simultaneously. It serves as an upper limit on the number of machines that are drained at a given moment of time. Defaults to 1. You can also configure this option after deployment before the cluster update.
      	Parallel Preparation For Upgrade Of Worker Machines	Optional. Available since Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0) The maximum number of worker nodes being prepared at a given moment of time, which includes downloading of new artifacts. It serves as a limit for the network load that can occur when downloading the files to the nodes. Defaults to 50. You can also configure this option after deployment before the cluster update.
      Provider	LB host IP	The IP address of the load balancer endpoint that will be used to access the Kubernetes API of the new cluster. This IP address must be in the LCM network if a separate LCM network is in use and if L2 (ARP) announcement of cluster API load balancer IP is in use.
      	LB address range Removed in 24.3	The range of IP addresses that can be assigned to load balancers for Kubernetes Services by MetalLB. For a more flexible MetalLB configuration, refer to Configure and verify MetalLB. Note Since MOSK 24.3, MetalLB configuration must be added after cluster creation.
      Kubernetes	Services CIDR blocks	The Kubernetes Services CIDR blocks. For example, 10.233.0.0/18.
      	Pods CIDR blocks	The Kubernetes pods CIDR blocks. For example, 10.233.64.0/18. Note The network subnet size of Kubernetes pods influences the number of nodes that can be deployed in the cluster. The default subnet size /18 is enough to create a cluster with up to 256 nodes. Each node uses the /26 address blocks (64 addresses), at least one address block is allocated per node. These addresses are used by the Kubernetes pods with hostNetwork: false. The cluster size may be limited further when some nodes use more than one address block.

   2. Configure StackLight:

      Note

      If StackLight is enabled in non-HA mode but Ceph is not deployed yet, StackLight will not be installed and will be stuck in the Yellow state waiting for a successful Ceph installation. Once the Ceph cluster is deployed, the StackLight installation resumes. To deploy a Ceph cluster, refer to Add a Ceph cluster.

      StackLight configuration

      Section	Parameter name	Description
      StackLight	Enable Monitoring	Selected by default. Deselect to skip StackLight deployment. Note You can also enable, disable, or configure StackLight parameters after deploying a managed cluster. For details, see Change a cluster configuration and StackLight configuration procedure.
      	Enable Logging	Select to deploy the StackLight logging stack. For details about the logging components, see Deployment architecture. Note The logging mechanism performance depends on the cluster log load. In case of a high load, you may need to increase the default resource requests and limits for fluentdLogs. For details, see StackLight resource limits.
      	HA Mode	Select to enable StackLight monitoring in High Availability (HA) mode. For differences between HA and non-HA modes, see Deployment architecture. If disabled, StackLight requires a Ceph cluster. To deploy a Ceph cluster, refer to Add a Ceph cluster.
      	StackLight Default Logs Severity Level	Log severity (verbosity) level for all StackLight components. The default value for this parameter is Default component log level that respects original defaults of each StackLight component. For details about severity levels, see StackLight log verbosity.
      	StackLight Component Logs Severity Level	The severity level of logs for a specific StackLight component that overrides the value of the StackLight Default Logs Severity Level parameter. For details about severity levels, see StackLight log verbosity. Expand the drop-down menu for a specific component to display its list of available log levels.
      OpenSearch	Logstash Retention Time Removed in MOSK 24.1	Available if you select Enable Logging. Specifies the logstash-* index retention time.
      	Events Retention Time	Available if you select Enable Logging. Specifies the kubernetes_events-* index retention time.
      	Notifications Retention Time	Available if you select Enable Logging. Specifies the notification-* index retention time.
      	Persistent Volume Claim Size	Available if you select Enable Logging. The OpenSearch persistent volume claim size.
      	Collected Logs Severity Level	Available if you select Enable Logging. The minimum severity of all Container Cloud components logs collected in OpenSearch. For details about severity levels, see StackLight logging.
      Prometheus	Retention Time	The Prometheus database retention period.
      	Retention Size	The Prometheus database retention size.
      	Persistent Volume Claim Size	The Prometheus persistent volume claim size.
      	Enable Watchdog Alert	Select to enable the Watchdog alert that fires as long as the entire alerting pipeline is functional.
      	Custom Alerts	Specify alerting rules for new custom alerts or upload a YAML file in the following exemplary format: - alert: HighErrorRate expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 for: 10m labels: severity: page annotations: summary: High request latency For details, see Official Prometheus documentation: Alerting rules. For the list of the predefined StackLight alerts, see Operations Guide: StackLight alerts.
      StackLight Email Alerts	Enable Email Alerts	Select to enable the StackLight email alerts.
      	Send Resolved	Select to enable notifications about resolved StackLight alerts.
      	Require TLS	Select to enable transmitting emails through TLS.
      	Email alerts configuration for StackLight	Fill out the following email alerts parameters as required: To - the email address to send notifications to. From - the sender address. SmartHost - the SMTP host through which the emails are sent. Authentication username - the SMTP user name. Authentication password - the SMTP password. Authentication identity - the SMTP identity. Authentication secret - the SMTP secret.
      StackLight Slack Alerts	Enable Slack alerts	Select to enable the StackLight Slack alerts.
      	Send Resolved	Select to enable notifications about resolved StackLight alerts.
      	Slack alerts configuration for StackLight	Fill out the following Slack alerts parameters as required: API URL - The Slack webhook URL. Channel - The channel to send notifications to, for example, #channel-for-alerts.

9. Click Create.

   To monitor cluster readiness, see Verify cluster status.

10. Available since Container Cloud 2.24.0 (Cluster releases 14.0.0 and 15.0.1). Optional. Technology Preview. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.

    Configuration for auditd

    In the Cluster object or cluster.yaml.template, add the auditd parameters:

    spec:
      providerSpec:
        value:
          audit:
            auditd:
              enabled: <bool>
              enabledAtBoot: <bool>
              backlogLimit: <int>
              maxLogFile: <int>
              maxLogFileAction: <string>
              maxLogFileKeep: <int>
              mayHaltSystem: <bool>
              presetRules: <string>
              customRules: <string>
              customRulesX32: <text>
              customRulesX64: <text>
    

    Configuration parameters for auditd:

    enabled

    Boolean, default - false. Enables the auditd role to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.

    enabledAtBoot

    Boolean, default - false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.

    backlogLimit

    Integer, default - none. Configures the backlog to hold records. If during boot audit=1 is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.

    maxLogFile

    Integer, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.

    maxLogFileAction

    String, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:

    • keep_logs - rotate logs but never delete them

    • rotate - add a cron job to compress rotated log files and keep maximum 5 compressed files.

    • compress - compress log files and keep them under the /var/log/auditd/ directory. Requires auditd_max_log_file_keep to be enabled.

    CIS rule: 4.1.2.2.

    maxLogFileKeep

    Integer, default - 5. Defines the number of compressed log files to keep under the /var/log/auditd/ directory. Requires auditd_max_log_file_action=compress. CIS rules - none.

    mayHaltSystem

    Boolean, default - false. Halts the system when the audit logs are full. Applies the following configuration:

    • space_left_action = email

    • action_mail_acct = root

    • admin_space_left_action = halt

    CIS rule: 4.1.2.3.

    customRules

    String, default - none. Base64-encoded content of the 60-custom.rules file for any architecture. CIS rules - none.

    customRulesX32

    String, default - none. Base64-encoded content of the 60-custom.rules file for the i386 architecture. CIS rules - none.

    customRulesX64

    String, default - none. Base64-encoded content of the 60-custom.rules file for the x86_64 architecture. CIS rules - none.

    presetRules

    String, default - none. Comma-separated list of the following built-in preset rules:

    access actions delete docker

    identity immutable logins mac-policy

    modules mounts perm-mod privileged

    scope session system-locale time-change

    Since Container Cloud 2.28.0 (Cluster releases 17.3.0 and 16.3.0) in the Technology Preview scope, you can collect some of the preset rules indicated above as groups and use them in presetRules:

    • ubuntu-cis-rules - this group contains rules to comply with the Ubuntu CIS Benchmark recommendations, including the following CIS Ubuntu 20.04 v2.0.1 rules:

      scope - 5.2.3.1 actions - same as 5.2.3.2 time-change - 5.2.3.4 system-locale - 5.2.3.5 privileged - 5.2.3.6 access - 5.2.3.7 identity - 5.2.3.8

      perm-mod - 5.2.3.9 mounts - 5.2.3.10 session - 5.2.3.11 logins - 5.2.3.12 delete - 5.2.3.13 mac-policy - 5.2.3.14 modules - 5.2.3.19

    • docker-cis-rules - this group contains rules to comply with Docker CIS Benchmark recommendations, including the docker Docker CIS v1.6.0 rules 1.1.3 - 1.1.18.

    You can also use two additional keywords inside presetRules:

    • none - select no built-in rules.

    • all - select all built-in rules. When using this keyword, you can add the ! prefix to a rule name to exclude some rules. You can use the ! prefix for rules only if you add the all keyword as the first rule. Place a rule with the ! prefix only after the all keyword.

    Example configurations:

    • presetRules: none - disable all preset rules

    • presetRules: docker - enable only the docker rules

    • presetRules: access,actions,logins - enable only the access, actions, and logins rules

    • presetRules: ubuntu-cis-rules - enable all rules from the ubuntu-cis-rules group

    • presetRules: docker-cis-rules,actions - enable all rules from the docker-cis-rules group and the actions rule

    • presetRules: all - enable all preset rules

    • presetRules: all,!immutable,!sessions - enable all preset rules except immutable and sessions

    
    

    CIS controls

    4.1.3 (time-change)

    4.1.4 (identity)

    4.1.5 (system-locale)

    4.1.6 (mac-policy)

    4.1.7 (logins)

    4.1.8 (session)

    4.1.9 (perm-mod)

    4.1.10 (access)

    4.1.11 (privileged)

    4.1.12 (mounts)

    4.1.13 (delete)

    4.1.14 (scope)

    4.1.15 (actions)

    4.1.16 (modules)

    4.1.17 (immutable)

    Docker CIS controls

    1.1.4

    1.1.8

    1.1.10

    1.1.12

    1.1.13

    1.1.15

    1.1.16

    1.1.17

    1.1.18

    1.2.3

    1.2.4

    1.2.5

    1.2.6

    1.2.7

    1.2.10

    1.2.11

11. Optional. Colocate the OpenStack control plane with the managed cluster Kubernetes manager nodes by adding the following field to the Cluster object spec:

    spec:
      providerSpec:
        value:
          dedicatedControlPlane: false
    

    Note

    This feature is available as technical preview. Use such configuration for testing and evaluation purposes only.

12. Optional. Customize MetalLB speakers that are deployed on all Kubernetes nodes except master nodes by default. For details, see Configure node selectors for MetalLB speakers.

13. Configure the MetalLB parameters related to IP address allocation and announcement for load-balanced cluster services. For details, see Configure and verify MetalLB.

14. Proceed to Obtain and use details about network interfaces.

Note

Once you have created a MOSK cluster, some StackLight alerts may raise as false-positive until you deploy the Mirantis OpenStack environment.