Defining Network Profiles for Bootstrapping Security Groups

Page last updated:

This topic describes how to define network profiles for Kubernetes clusters provisioned with Enterprise Pivotal Container Service (Enterprise PKS) on vSphere with NSX-T.

Bootstrap Security Group

Most of the NSX-T virtual interface tags used by Enterprise PKS are added to the Kubernetes master node or nodes during the node initialization phase of cluster provisioning. To add tags to virtual interfaces, the Kubernetes master node needs to connect to the NSX-T Manager API. Network security rules provisioned prior to cluster creation time do not allow nodes to connect to NSX-T if the rules are based on a Namespace Group (NSGroup) managed by Enterprise PKS.

To address this bootstrap issue, Enterprise PKS exposes an optional configuration parameter in Network Profiles to systematically add Kubernetes master nodes to a pre-provisioned NSGroup. The BOSH vSphere cloud provider interface (CPI) has the ability to use the NSGroup to automatically manage members following the BOSH VM lifecycle for Kubernetes master nodes.

To configure a Bootstrap Security Group, complete the following steps:

  1. Create the NSGroup in NSX Manager prior to provisioning a Kubernetes cluster using Enterprise PKS. For more information, see Create an NSGroup in the NSX-T documentation.
  2. Define a network profile that references the NSGroup UUID that the BOSH CPI can use to bootstrap the master node or nodes. For example, the following network profile specifies an NSGroup for the BOSH CPI to use to dynamically update Kubernetes master node memberships:
{
    "name": "np-boot-nsgroups",
    "description": "Network Profile for Customer B",
    "parameters": {
        "master_vms_nsgroup_id": "9b8d535a-d3b6-4735-9fd0-56305c4a5293"
    }
}

Please send any feedback you have to pks-feedback@pivotal.io.