Tutorial: Connect Amazon EKS and Azure AKS Clusters with Google Anthos

In the second part of the series, we will register three Kubernetes clusters deployed in Google Kubernetes Engine, Amazon Web Services’ Elastic Kubernetes Service, and Azure Kubernetes Service, all using Google Anthos.
This tutorial starts by launching the clusters and ends with enumerating them as Anthos clusters.
Prerequisites
Launching Kubernetes Clusters in GCP, AWS, and Azure
Assuming you have active accounts with the cloud platforms and the CLIs configured, get started by launching three-node clusters in each cloud.
    mkdir ~/anthos && cd ~/anthos
Since it takes the longest time to launch, let’s start with the EKS cluster.
    export KUBECONFIG=eks-config

    eksctl create cluster \
      --name tns-demo-eks \
      --version 1.16 \
      --nodegroup-name ng-workers \
      --node-type t3.medium \
      --nodes 3 \
      --nodes-min 3 \
      --nodes-max 6 \
      --node-ami auto \
      --node-ami-family Ubuntu1804 \
      --set-kubeconfig-context=true
The second cluster is an Azure AKS cluster.
    export KUBECONFIG=aks-config

    az group create --name tns --location southindia

    az aks create \
      --resource-group tns \
      --name tns-demo-aks \
      --node-count 3

    az aks get-credentials \
      --resource-group tns \
      --name tns-demo-aks \
      --file aks-config
Finally, we will launch a GKE cluster.
    export KUBECONFIG=gke-config

    gcloud container clusters create tns-demo-gke \
      --zone asia-south1-a \
      --disk-type=pd-ssd \
      --disk-size=50GB \
      --machine-type=n1-standard-1 \
      --num-nodes=3 \
      --image-type ubuntu
    kubectl create clusterrolebinding cluster-admin-binding \
      --clusterrole cluster-admin \
      --user $(gcloud config get-value account)
Since we will often have to switch context from one cluster to another, we will merge all the contexts into one configuration and rename them.
The kubectx CLI comes in handy for managing the contexts.
    cp *-config ~/.kube

    KUBECONFIG=$HOME/.kube/eks-config:$HOME/.kube/aks-config:$HOME/.kube/gke-config \
      kubectl config view --merge --flatten > $HOME/.kube/config

    export KUBECONFIG=

    kubectx gke_janakiramm-sandbox_asia-south1-a_tns-demo-gke
    kubectx gke=.

    kubectx jani@tns-demo-eks.ap-south-1.eksctl.io
    kubectx eks=.

    kubectx tns-demo-aks
    kubectx aks=.
Now, we have three contexts – aks, eks, and gke – representing the three clusters. You can use kubectx to easily switch between them.
Preparing and Configuring the GCP Account for Anthos
Before using Anthos, we need to enable a set of APIs by running the below command:
    gcloud services enable \
      cloudresourcemanager.googleapis.com \
      anthos.googleapis.com \
      container.googleapis.com \
      gkeconnect.googleapis.com \
      gkehub.googleapis.com \
      iamcredentials.googleapis.com \
      meshca.googleapis.com \
      meshconfig.googleapis.com \
      meshtelemetry.googleapis.com \
      monitoring.googleapis.com \
      runtimeconfig.googleapis.com
Next, we need to create a service account and a JSON key that external clusters will use to connect to Anthos.
Run the below commands after setting the project environment variable:
    # Set this to your GCP project ID before running the commands below
    PROJECT=""

    gcloud iam service-accounts create anthos-hub \
      --project=${PROJECT}

    gcloud iam service-accounts list \
      --project=${PROJECT}

    # Grant the service account only the role needed to connect clusters to the hub
    gcloud projects add-iam-policy-binding ${PROJECT} \
      --member="serviceAccount:anthos-hub@${PROJECT}.iam.gserviceaccount.com" \
      --role="roles/gkehub.connect"

    gcloud iam service-accounts keys create ./anthos-hub-svc.json \
      --iam-account="anthos-hub@${PROJECT}.iam.gserviceaccount.com" \
      --project=${PROJECT}
The last command creates a file named anthos-hub-svc.json in the current directory. It holds the private key of the anthos-hub service account, and we will need it to register the clusters with Anthos.
Registering Clusters with Anthos
Don’t forget to set the PROJECT environment variable.
    PROJECT=""
Let’s start with the GKE Cluster.
    gcloud container hub memberships register tns-demo-gke \
      --project=${PROJECT} \
      --gke-cluster=asia-south1-a/tns-demo-gke \
      --service-account-key-file=./anthos-hub-svc.json
Next, it’s the turn of the AKS cluster.
    # $HOME is used instead of ~ because the shell does not expand a tilde after "--flag="
    gcloud container hub memberships register tns-demo-aks \
      --project=${PROJECT} \
      --context=aks \
      --kubeconfig=$HOME/.kube/config \
      --service-account-key-file=./anthos-hub-svc.json
Finally, let’s register the EKS cluster with Anthos.

    # $HOME is used instead of ~ because the shell does not expand a tilde after "--flag="
    gcloud container hub memberships register tns-demo-eks \
      --project=${PROJECT} \
      --context=eks \
      --kubeconfig=$HOME/.kube/config \
      --service-account-key-file=./anthos-hub-svc.json
Let’s check that all three clusters are registered with Anthos.

    gcloud container hub memberships list

If you access the Anthos dashboard in the GCP Console, you can see all three clusters.
When we register a cluster with Anthos, a new namespace called gke-connect is created in that cluster. It runs an agent that maintains the connection between the cluster and the Anthos control plane.
Accessing the Cluster Information through Anthos
When you click on the GKE cluster in the GCP Console, you will see the configuration details such as the version of Kubernetes, number of nodes, and more.
This is not available for the other two clusters. To let Anthos access the cluster information, we need to create a role and a role binding. The secret associated with the service account will be passed on to Anthos to gain access to the cluster.
Run the commands below to create the service account, the role, and the role binding.
Create a file called node-reader.yaml and apply it to the EKS cluster.
    kubectx eks

    # node-reader.yaml
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: node-reader
    rules:
    - apiGroups: [""]
      resources: ["nodes"]
      verbs: ["get", "list", "watch"]

    kubectl apply -f node-reader.yaml
The below commands create the service account, role, and role binding.
    kubectl create serviceaccount anthos-user

    kubectl create clusterrolebinding anthos-view-binding \
      --clusterrole view \
      --serviceaccount default:anthos-user

    kubectl create clusterrolebinding anthos-node-reader-binding \
      --clusterrole node-reader \
      --serviceaccount default:anthos-user

    kubectl create clusterrolebinding anthos-cluster-admin \
      --clusterrole cluster-admin \
      --serviceaccount default:anthos-user
Now, let’s retrieve the secret associated with the anthos-user service account.
    SECRET_NAME=$(kubectl get serviceaccount anthos-user -o jsonpath='{$.secrets[0].name}')
    kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' | base64 -d
You will see a long string decoded from the base64-encoded secret. Copy this string and keep it safe: it is the bearer token for anthos-user, which the anthos-cluster-admin binding above gives cluster-admin rights on the cluster.
Access the Anthos dashboard, click on the EKS cluster, and then click the Login button.
Under Token, paste the string copied in the previous step and click the Login button.
Now, you can access the EKS cluster information from Anthos.
Repeat the above steps with the aks context to enable access to it.
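To see what the token pasted into the console actually authorizes, the following added example (not part of the original tutorial) decodes a service-account token without verifying it and resolves the ClusterRoleBindings created above for that account. The token, the abbreviated view role, the user name and all helper names are constructed for illustration; the claim names are those of secret-based service-account tokens, which carry no exp claim.

```python
import base64
import json

def token_identity(token):
    """Decode, WITHOUT verifying, a service-account JWT: (namespace, name, has_expiry)."""
    payload = token.strip().split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    prefix = "kubernetes.io/serviceaccount/"
    return claims[prefix + "namespace"], claims[prefix + "service-account.name"], "exp" in claims

def bound_roles(bindings, roles, namespace, name):
    """Return {ClusterRole name: grants every verb on every resource?} for the account."""
    rules = {r["metadata"]["name"]: r.get("rules") or [] for r in roles}
    want, result = ("ServiceAccount", namespace, name), {}
    for b in bindings:
        for s in b.get("subjects") or []:
            if (s.get("kind"), s.get("namespace"), s.get("name")) == want:
                role = b["roleRef"]["name"]
                result[role] = any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
                                   for r in rules.get(role, []))
    return result

def audit(token, bindings, roles):
    """Summarise who the token speaks for, whether it expires, and which roles it carries."""
    ns, sa, expires = token_identity(token)
    return {"account": f"{ns}/{sa}", "expires": expires, "roles": bound_roles(bindings, roles, ns, sa)}

# ---- Constructed sample data (not real cluster output) ----
def _seg(obj):  # unpadded base64url JSON segment, used only to build the sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
def _role(name, groups, resources, verbs):
    return {"metadata": {"name": name}, "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}
def _binding(name, role, subject):
    return {"metadata": {"name": name}, "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [subject]}
SA = {"kind": "ServiceAccount", "namespace": "default", "name": "anthos-user"}
ROLES = [_role("node-reader", [""], ["nodes"], ["get", "list", "watch"]),  # node-reader.yaml
         _role("view", [""], ["pods", "services"], ["get", "list", "watch"]),  # abbreviated
         _role("cluster-admin", ["*"], ["*"], ["*"])]
BINDINGS = [_binding(n, r, SA) for n, r in (("anthos-view-binding", "view"),
            ("anthos-node-reader-binding", "node-reader"), ("anthos-cluster-admin", "cluster-admin"))]
BINDINGS.append(_binding("cluster-admin-binding", "cluster-admin",
                         {"kind": "User", "name": "user@example.com"}))  # a User, not the account
CLAIMS = {"iss": "kubernetes/serviceaccount", "sub": "system:serviceaccount:default:anthos-user",
          "kubernetes.io/serviceaccount/namespace": "default",
          "kubernetes.io/serviceaccount/service-account.name": "anthos-user"}
TOKEN = ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg(CLAIMS), "constructed-signature"])
if __name__ == "__main__":
    print(json.dumps(audit(TOKEN, BINDINGS, ROLES), indent=2))
```

On a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:default:anthos-user` answers the same question directly from the API server.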
Congratulations! You have successfully registered three clusters with Anthos.
In the next part of the tutorial, we will use Anthos Config Management to deploy workloads on all the clusters via GitOps. Stay tuned.