Illumina Innovates with Rancher and Kubernetes
Rancher is a popular open source tool used by many organizations to manage Kubernetes clusters. With the latest release of EKS in GA, Rancher is excited to announce integration with the new managed Kubernetes cluster solution by AWS. We are excited about the availability of EKS because most Rancher users run their clusters on AWS. In the past, they had to create and manage their own clusters using Rancher’s own RKE distribution or open source tools like Kops. With EKS, Rancher users will no longer need to manage their own K8s clusters on AWS.
Using EKS with Rancher combines the ease of use you have grown accustomed to in Rancher with the features, reliability, and performance that you expect out of AWS. With EKS, Amazon’s managed Kubernetes solution, you can quickly create a scalable Kuberenetes instance in the cloud. Combined with the advanced Kubernetes management features and quality of life improvements found in Rancher, the duo is a powerful combination.
Rancher helps simplify the creation of an EKS cluster by automating the Cloud Formation stack creation and providing sensible defaults for your EKS cluster.
Rancher also provides a uniform interface for accessing your clusters, and allows integration with AWS AD, allowing you to apply RBAC permissions equally across your various Kubernetes clusters.
Today I will be walking you through how to set up an EKS cluster, deploy a publicly accessible app to it, and integrate with AWS managed Microsoft AD.
This guide assumes that you already have the following:
1) A running instance of Rancher 2.0
2) An AWS account with access to the EKS preview
Once you have those items you are ready to start.
First you’ll need to create Secret credentials for your account. Do this by going to IAM > Users > (Your Username) > Security Credentials.
Then click on “Create access key” and a popup should appear.
Record the Access Key ID and the Secret Access Key, you will need these when creating your EKS cluster in Rancher.
Next, go into your instance of Rancher and click the “Add Cluster” button and select the “Amazon EKS” option. Now input the Access Key ID and Secret Access Key you recorded in the previous step and click “Next: Authenticate & select a network”; Rancher will verify that the ID and Secret you submitted are authorized.
Once the verification has completed, click the “Create” button. It will take a few minutes for the EKS cluster to create.
Once the cluster has finished provisioning you should see the status turn to “Active”.
Click on the cluster and go to the default project. Here we can deploy a workload to test out our cluster. On the workload screen click “Deploy”. Give your workload a name and specify the “nginx” Docker Image. Click “Add Port”, publish the container port “80” on target “3000” and specify a Layer-4 Load Balancer. This will allow us to access our Nginx instance over the public internet.
Click “Launch” and wait for the workload and load balancer to finish provisioning (and make sure to check both the Workloads and Load Balancing tabs).
Once the load balancer has finished provisioning a clickable link will appear beneath the workload. Note that AWS will create a DNS entry for this EKS cluster and that may take several minutes to propagate; if you get a 404 after clicking the link wait a few more minutes and try again. Clicking the link should take us to the default Nginx page.
Congratulations, you’ve successfully deployed a workload with Rancher and haven’t had to type a single character in the terminal to do it! Because your EKS cluster is managed with Rancher you get all the benefits of the Rancher platform, including authorization, which we will explore in the next section.
For this next step you’ll need to set up a Microsoft AD instance in AWS. If you already have one, you can skip this section.
Start by going to your AWS console and selecting the Directory Service console, then click Set up directory > Microsoft AD. Your directory DNS should be a domain you control. Set an admin password and write it down; we’ll need it in a later step. Now click “Create a new VPC” and you will be taken to the VPC console in a new window. Click “Create VPC”. A popup should appear: name your VPC and specify a CIDR block of “10.0.0.0/16”. Let the other options default and create the VPC.
Once your VPC has finished creating you’ll need to add an internet gateway and edit the route table. First go to the internet gateway page and create a new internet gateway. Attach the gateway to your VPC. Now go back to the VPC console and select the VPC. Click on the route table on the Summary tab. Once you are on the route table console, go to the Routes tab and click “Edit”. Add a row for 0.0.0.0/0 and let the target default to the corresponding VPC gateway. Click save.
Now, go back to the create Directory Service screen, and click “Create a new Subnet”. You will be taken to the subnet console. Click “Create subnet” and a popup should appear. Name your subnet and select the VPC you just created. Give your subnet a CIDR block of 10.0.0.0/24. Select an availability zone for your subnet and click “Yes, Create” and your subnet will be created. Repeat the previous steps but create the next subnet with a CIDR block of 10.0.1.0/24.
Now that your subnets are created navigate back to the Directory Service screen and assign your subnets to the Directory Service. Now click “next step” and you will be taken to the review screen. Make sure your information is correct and then click “Create Microsoft AD”.
Your Microsoft AD instance will begin provisioning.
While your AD instance is creating, now is a great time to set up the Network Load Balancer. Go to the EC2 console to start, then click Load Balancers > Create Load Balancer > Network Load Balancer. Name your load balancer and make sure it is internet-facing. Add 2 listeners for ports 389 and 636. Make sure to select the VPC you created previously and check both of the subnets that you created.
Click “Next: Configure routing” and you will be taken to the next screen. Name your target group and point it to port 389 with a Target type of “ip”. For the IP allowed ranges enter the values from the “DNS address” field on the Microsoft AD instance. Add a line for each address. Your screen should look something like this.
Now click “Review” to be taken to the review screen and once you have verified your information, click “Create”.
Once your load balancer has created successfully go to the “Target Groups” screen and click “Create target group”. Name your target group and give it a TCP protocol, a port of 636, and a target type of “ip”. Make sure it is assigned to the VPC you created earlier and click “Create”. Now go back to your NLB and click on the listeners tab. Select the checkbox next to the TCP: 636 listener and click “Edit”. Set the default target group to the target group you just created and click “save”.
Now your load balancer is set up to route traffic to your AD instance. Once your AD instance is finished provisioning, you can connect it with Rancher.
Now that you have your AWS Microsoft AD instance started, you can add it to Rancher. Navigate to the Security > Authentication screen and select “Microsoft Active Directory”.
Enter in the hostname, default login domain, Admin username and password that you recorded earlier. The search base is baed on the information you entered should in the format “OU=,DC=,DC=,DC=”. So a directory with a NetBIOS name of “mydirectory” and a FQDN of “alpha.beta.com” would have a search base of “OU=mydirectory,DC=alpha,DC=beta,DC=com”.
Note that for the purposes of this demo we will be using the admin account, but later on you should create a different, reduced permission account for security purposes.
Once the information is entered, click “Authenticate” to verify the information and save the configuration. Now log out of rancher and attempt to log back in with the example user you created earlier.
Congratulations, you have now integrated Rancher with AWS AD!
Try logging in with the Admin account your recorded earlier when you created the Microsoft AD instance and it should complete successfully. Now when users are added to the AD instance they will automatically be able to log into Rancher.
Thank you for reading and we hope that you enjoyed this guide. If you have any questions feel free to reach out to us on the Rancher Forums (https://forums.rancher.com) or the Rancher Slack channel (https://slack.rancher.io).
To learn more about managing Kubernetes clusters on Rancher, sign up for our free online trainings.