Infrastructure Providers
The Educates installation package provides pre-canned configurations for a number of infrastructure providers. These, as well as custom configurations for some other platforms, are described below.
Installation to Amazon EKS
Installation is supported on Amazon Elastic Kubernetes Service. This is indicated by setting provider to eks.
The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
Additional components will be installed. These are:
external-dns - to configure a wildcard entry in your domain’s desired HostedZone.
cert-manager - for certificate management integration with Let’s Encrypt.
certs - creates an ACME wildcard domain ClusterIssuer for cert-manager.
This installer package relies on EKS IAM Roles for Service Accounts (IRSA), so you will need to create two IAM roles, one each for the external-dns and cert-manager services. The details of the roles need to be specified in the aws.irsaRoles section of the configuration, in the format arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>.
Additionally, you need to specify the AWS region where your cluster is running, and if the domain you’re using is not a real HostedZone in AWS, you may need to specify aws.route53.hostedZone with the actual domain.
This is a sample snippet that will get Educates installed on an existing EKS cluster.
clusterInfrastructure:
  provider: "eks"
  aws:
    region: "eu-west-1"
    route53:
      hostedZone: "example.com"
    irsaRoles:
      external-dns: "arn:aws:iam::123456789012:role/external-dns"
      cert-manager: "arn:aws:iam::123456789012:role/cert-manager"
clusterIngress:
  domain: "educates.example.com"
Installation to Google GKE
Installation is supported on Google Kubernetes Engine. This is indicated by setting provider to gke.
The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
Additional components will be installed. These are:
external-dns - to configure a wildcard entry in your domain’s desired DNS Zone in Google CloudDNS.
cert-manager - for certificate management integration with Let’s Encrypt.
certs - creates an ACME wildcard domain ClusterIssuer for cert-manager.
This installer package relies on GKE Workload Identity, so you will need to create two IAM roles, one each for the external-dns and cert-manager services. The details of the roles need to be specified in the gcp.workloadIdentity section of the configuration, in the format <ROLE_NAME>@<PROJECT_ID>.iam.gserviceaccount.com.
Additionally, you need to specify the Google project ID for your GKE cluster, and if the domain you’re using is not a real DNS Zone in Google CloudDNS, you may need to specify gcp.cloudDNS.zone with the actual domain.
This is a sample snippet that will get Educates installed on an existing GKE cluster.
clusterInfrastructure:
  provider: "gke"
  gcp:
    project: "my-project"
    cloudDNS:
      zone: "example.com"
    workloadIdentity:
      external-dns: "external-dns@my-project.iam.gserviceaccount.com"
      cert-manager: "cert-manager@my-project.iam.gserviceaccount.com"
clusterIngress:
  domain: "educates.example.com"
Installation to local Kind
Installation is supported on a local Kubernetes cluster created using Kind (Kubernetes in Docker). This is indicated by setting provider to kind.
The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
For this case it is required that the Kind cluster be configured to map ports 80/443 such that the Kubernetes ingress controller is accessible via the host. The wildcard ingress domain must map to the host IP.
Note that if using the educates create-cluster command the Kind cluster will be created for you.
Installation to Minikube
Installation is supported on a local Kubernetes cluster created using Minikube. This is indicated by setting provider to minikube.
The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
If using the docker driver for Minikube, you will need to use the minikube tunnel command to expose the ingress controller, and the wildcard ingress domain must map to the host IP.
If using a driver for Minikube which exposes the cluster on its own IP address, the wildcard ingress domain must map to the IP of the Minikube cluster.
If you do not want to use Contour as the ingress controller, but use the Nginx ingress controller directly supported by Minikube, you can instead set provider to generic, or alternatively still use minikube, but disable installation of Contour.
Installation to OpenShift
Installation is supported on a local Kubernetes cluster created using OpenShift. This is indicated by setting provider to openshift.
The components which will be installed are the Educates training platform, and Kyverno for workshop security policy enforcement.
OpenShift security context constraints (SCC) will be used for cluster security policies. For ingress, the native OpenShift ingress controller will be used.
Installation to a vCluster
Installation is supported on a Kubernetes virtual cluster using the vCluster software from Loft Labs. This is indicated by setting provider to vcluster.
The components which will be installed are the Educates training platform and Kyverno for cluster and workshop security policy enforcement.
For this case Kubernetes ingresses must still work within the virtual cluster. This means you need to have done one of the following:
Pre-configure the virtual cluster to synchronize ingress resources from the virtual cluster to the underlying host Kubernetes cluster, so that ingresses created in the virtual cluster are handled by the ingress controller running in the underlying host Kubernetes cluster.
Install a separate ingress controller into the virtual cluster with its own external ingress router for incoming traffic, or have the ingress controller of the underlying host Kubernetes cluster proxy to the ingress router of the virtual cluster for a suitable wildcard ingress domain.
Virtual clusters created by Educates itself as part of a workshop session satisfy this requirement for working ingresses, and as such it is possible to install Educates inside of Educates for the purposes of creating workshops to train users on Educates. In this scenario though, since security policies would be enforced by the underlying Educates installation, to reduce the amount of resources required and speed up installation of Educates inside of the virtual cluster, installation of Kyverno and enforcement of security policies can be disabled.
# Specify the infrastructure provider hosting the Kubernetes cluster.
clusterInfrastructure:
  provider: vcluster
# Specify the ingress domain to be used to access the workshops hosted by
# the Educates installation.
clusterIngress:
  domain: educates-local-dev.test
# Disable the cluster and security policy engines, and skip installing
# Kyverno, as policies are enforced by the Educates installation running
# this workshop session.
clusterPackages:
  kyverno:
    enabled: false
clusterSecurity:
  policyEngine: none
workshopSecurity:
  rulesEngine: none
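
A pre-install lint for the settings described on this page, as an added example that is not part of the Educates tooling: it checks the EKS role ARNs and GKE Workload Identity addresses against the formats given above, that external-dns and cert-manager do not share one identity, and that policy enforcement is switched off only for the vcluster provider. The function names, finding texts, regex approximations and the constructed sample are assumptions; the configuration is taken as an already-parsed dictionary with aws and gcp nested under clusterInfrastructure.

```python
import re

# Formats quoted on this page; both patterns are approximations (assumption).
IRSA_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")
GCP_SA = re.compile(r"[a-z][a-z0-9-]*@[a-z][a-z0-9-]*\.iam\.gserviceaccount\.com")
SERVICES = ("external-dns", "cert-manager")

def _get(cfg, *keys):
    """Walk nested dicts, returning None as soon as a level is missing."""
    for key in keys:
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def _check_identities(section, pattern, identities, findings):
    identities = identities if isinstance(identities, dict) else {}
    values = [identities.get(svc) for svc in SERVICES]
    for svc, value in zip(SERVICES, values):
        if not pattern.fullmatch(str(value or "")):
            findings.append(f"{section}.{svc}: missing or malformed")
    if all(values) and len(set(map(str, values))) < len(values):
        findings.append(f"{section}: services share one identity")

def lint_config(cfg):
    """Return findings for a parsed Educates installer configuration (a dict)."""
    findings = []
    infra = _get(cfg, "clusterInfrastructure")
    provider = _get(infra, "provider")
    if provider == "eks":
        _check_identities("aws.irsaRoles", IRSA_ARN, _get(infra, "aws", "irsaRoles"), findings)
    elif provider == "gke":
        _check_identities("gcp.workloadIdentity", GCP_SA, _get(infra, "gcp", "workloadIdentity"), findings)
    # The page only describes disabling enforcement for Educates nested in a vcluster.
    checks = (
        ("clusterPackages.kyverno.enabled", _get(cfg, "clusterPackages", "kyverno", "enabled") is False),
        ("clusterSecurity.policyEngine", _get(cfg, "clusterSecurity", "policyEngine") == "none"),
        ("workshopSecurity.rulesEngine", _get(cfg, "workshopSecurity", "rulesEngine") == "none"),
    )
    disabled = [name for name, off in checks if off]
    if disabled and provider != "vcluster":
        findings.append(f"policy enforcement disabled on provider {provider!r}: " + ", ".join(disabled))
    return findings

# Constructed sample: an EKS config that reuses one role and disables Kyverno.
_SHARED = "arn:aws:iam::123456789012:role/shared"
SAMPLE_BAD = {
    "clusterInfrastructure": {"provider": "eks", "aws": {"irsaRoles": {"external-dns": _SHARED, "cert-manager": _SHARED}}},
    "clusterPackages": {"kyverno": {"enabled": False}},
}
print("\n".join(lint_config(SAMPLE_BAD)))
```

An empty list means none of these checks fired; it does not confirm that the roles exist or that their permissions are scoped appropriately.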