Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

How to Install Contrail Networking within an Amazon Elastic Kubernetes Service (EKS) Environment in AWS

 

The Elastic Kubernetes Service (EKS) runs Kubernetes-orchestrated environments within Amazon Web Services (AWS).

Kubernetes supports a pluggable framework—called the Container Networking Interface (CNI)—for networking. See Pod networking (CNI) from AWS for information on how the CNI framework is implemented by EKS.

Contrail Networking is supported as a custom CNI in Kubernetes-orchestrated environments. This document show you how to install Contrail Networking as the CNI when a Kubernetes environment is running in EKS on AWS.

It includes the following sections:

When to Use This Procedure

Use this procedure to enable Contrail Networking as the CNI in a Kubernetes-orchestrated environment running on AWS. Contrail Networking is used in this procedure to enable an MPLS data plane and a BGP control plane within the environment.

The procedure in this document was validated for Contrail Networking 2008 running in EKS 1.16. This procedure should work in EKS 1.16 and all later EKS releases.

Prerequisites

This procedure makes the following assumptions about your environment:

  • A Kubernetes client is installed.

  • The aws-iam-authenticator is installed to allow authentication into your EKS cluster. See Installing aws-iam-authenticator from AWS.

  • AWS CLI is installed. See Installing the AWS CLI from AWS.

  • You have obtained the login credentials to the Juniper Networks Contrail docker private secure registry at hub.juniper.net. If you need to obtain these credentials, email contrail-registry@juniper.net.

Install Contrail Networking as the CNI for EKS

This procedure installs Contrail Networking as the CNI in a Kubernetes orchestrated environment in the EKS service within AWS.

The procedure uses the following sample topology:

To install Contrail Networking as the CNI in a Kubernetes-orchestrated environment running in EKS:

  1. (Recommended) Review the video procedure of this installation. See the Deep Dive: Contrail SDN and AWS EKS channel on Youtube.
  2. Download the EKS deployer:

    We recommend running this procedure in the eu-central-1 default region during your first attempt.

    The procedure supports most AWS regions. You can run the procedure in other regions by updating the variables.sh file after familiarizing yourself with the steps.

  3. Modify the variables.sh file to fit your environment.

    The following fields must be updated:

    • CLOUDFORMATIONREGION—the AWS region that your client is configured to use. Cloudformation deploys EKS into this region using the quickstart. The default region is eu-west-1.

    • JUNIPERREPONAME—username to access the Contrail repository. You can email contrail-registry@juniper.net to obtain your username and password credentials, if needed.

    • JUNIPERREPOPASS—password to access the Contrail repository. You can email contrail-registry@juniper.net to obtain your username and password credentials, if needed.

    • RELEASE—Contrail Networking Release container tag. The container tag is used to identify images in the Contrail repository. The container tag for any Contrail Release 20xx image can be found in README Access to Contrail Registry 20XX  .

    • EC2KEYNAME—an existing keyname in your specified AWS region.

    • BASTIONSSHKEYPATH—the local path, which is usually the path on your PC, to the private key file for the AWS EC2 key.

    Example file:

  4. Deploy the cloudformation-resources.sh file:

    This step is needed to prepare the environment in some AWS regions.

  5. From the AWS CLI, deploy the EKS quickstart stack:

    This step can take 45 minutes or longer to deploy.

    Note

    You can also use the Cloudformation user interface to deploy this stack. You will have to manually complete all parameters if you use the Cloudformation user interface. See this document from AWS.

    You can monitor the status of the deployment using this command:

  6. Return to your PC.

    Install the aws-iam-authenticator and the register:

  7. From the Kubernetes CLI, verify your cluster parameters:
    Note

    Some command output fields removed for readability.

  8. Upgrade the worker nodes to the latest EKS version:

    After a few minutes, confirm that the EKS version has updated on all nodes.

    In this sample output, the EKS version was updated to 1.16.15.

    Note

    Command output slightly modified for readability.

    After confirming that the EKS version is updated on all nodes, delete the upgrade pods:

  9. Apply the OS fixes for the EC2 worker nodes for Contrail Networking:
  10. Deploy Contrail Networking as the CNI for EKS:

    This step typically takes about 5 minutes to complete.

  11. Deploy the setup bastion to provide SSH access for worker nodes:
  12. Run the Contrail setup file to provide a base Contrail Networking configuration:
  13. Check Contrail status:
    Note

    A vRouter agent timeout might appear in the output. In most cases, the vRouter is working fine and this is a cosmetic issue.

  14. Confirm that the pods are running:
  15. Setup Contrail user interface access.

    To view the Contrail user interface after performing this step:

    1. In your web browser, enter https://bastion-public-ip-address:8143 as the address.
    2. Enter your credentials.

      The default credentials use admin as the user and contrail123 as the password. We recommend changing these credentials to maximize security.

      Note

      You may get some BGP alarm messages upon login. These messages occur because sample BGP peering relationships are established with gateway devices and federated clusters. Delete the BGP peers in your environment if you want to clear the alarms.

  16. Modify the auto scaling groups so that you can stop instances that are not in use.
    Note

    If you plan on deleting stacks at a later time, you will have to reset this configuration and use the resume-processes option before deleting the primary stack:

  17. (Optional) If you have a public network that you’d like to use for ingress via a gateway, perform the following configuration steps:
    1. Enter https://bastion-public-ip-address:8143 to connect to the web user interface.
    2. Navigate to Configure > Networks > k8s-default > networks (left side of page) > Add network (+)
    3. In the Add network box, enter the following parameters:
      • Name: k8s-public

      • Subnet: Select ipv4, then enter the IP address of your public service network.

        Leave all other fields in subnet as default.

      • advanced: External=tick

      • advanced: Share-tick

      • route target: Click +. Enter a route target for your public network. For example, 64512:1000.

      Click Save.

  18. Deploy a test application on each node:
  19. Deploy a multitier test application: