vSphere Cloud Provider

The vSphere Cloud Provider interacts with VMware infrastructure (vCenter or standalone ESXi server) to provision and manage storage for persistent volumes in a Kubernetes cluster.

When provisioning Kubernetes using RKE CLI or using RKE clusters in Rancher, the vSphere Cloud Provider can be enabled by configuring the cloud_provider directive in the cluster YAML file.

Prerequisites

  • You’ll need to have credentials of a vCenter/ESXi user account with privileges allowing the cloud provider to interact with the vSphere infrastructure to provision storage. Refer to this document to create and assign a role with the required permissions in vCenter.
  • VMware Tools must be running in the Guest OS for all nodes in the cluster.
  • All nodes must be configured with disk UUIDs. This is required so that attached VMDKs present a consistent UUID to the VM, allowing the disk to be mounted properly. See Enabling Disk UUIDs.

Clusters provisioned with RKE CLI

To enable the vSphere Cloud Provider in the cluster, you must add the top-level cloud_provider directive to the cluster configuration file, set the name property to vsphere and add the vsphereCloudProvider directive containing the configuration matching your infrastructure. See the configuration reference for the gory details.

Clusters provisioned with Rancher

When provisioning clusters in Rancher using the vSphere node driver or on pre-created custom nodes the cluster YAML file must be modified in order to enable the cloud provider.

  • Log in to the Rancher UI as admin user.
  • Navigate to Clusters in the Global view.
  • Click Add Cluster and select the vSphere infrastructure provider.
  • Assign a Cluster Name.
  • Assign Member Roles as required.
  • Expand Cluster Options and configure as required.
  • Set Cloud Provider option to Custom.

vsphere-node-driver-cloudprovider

  • Click on Edit as YAML

  • Insert the following top-level structure to the pre-populated cluster YAML. Note that the name must be set to vsphere. Refer to the configuration reference to learn about the properties of the vsphereCloudProvider directive.

  1. cloud_provider:
  2.     name: vsphere
  3.     vsphereCloudProvider:
  4.         [Insert provider configuration]

  • Configure the Node Pools per your requirements while ensuring to use a node template that enables disk UUIDs for the VMs (See [Annex - Enable disk UUIDs for vSphere VMs]).

  • Click on Create to start provisioning the VMs and Kubernetes services.

Configuration Reference

Note: This documentation reflects the new vSphere Cloud Provider configuration schema introduced in Kubernetes v1.9 which differs from previous versions.

The vSphere configuration options are divided into 5 groups:

  • global
  • virtual_center
  • workspace
  • disk
  • network

global

The main purpose of global options is to be able to define a common set of configuration parameters that will be inherited by all vCenters defined under the virtual_center directive unless explicitly defined there.

Accordingly, the global directive accepts the same configuration options that are available under the virtual_center directive. Additionally it accepts a single parameter that can only be specified here:

global OptionsTypeRequiredDescription
insecure-flagbooleanSet to true if the vCenter/ESXi uses a self-signed certificate.

Example:

  1. (...)
  2.     global:
  3.       insecure-flag: true

virtual_center

This configuration directive specifies the vCenters that are managing the nodes in the cluster. You must define at least one vCenter/ESXi server. If the nodes span multiple vCenters then all must be defined.

Each vCenter is defined by adding a new entry under the virtual_center directive with the vCenter IP or FQDN as the name. All required parameters must be provided for each vCenter unless they are already defined under the global directive.

virtual_center OptionsTypeRequiredDescription
userstringvCenter/ESXi user used to authenticate with this server.
passwordstringUser’s password.
portstringPort to use to connect to this server. Defaults to 443.
datacentersstring*Comma-separated list of all datacenters in which cluster nodes are running in.
soap-roundtrip-countuintRound tripper count for API requests to the vCenter (num retries = value - 1).

The following additional options (introduced in Kubernetes v1.11) are not yet supported in RKE.

virtual_center OptionsTypeRequiredDescription
secret-namestringName of secret resource containing credential key/value pairs. Can be specified in lieu of user/password parameters.
secret-namespacestringNamespace in which the secret resource was created in.
ca-filestringPath to CA cert file used to verify the vCenter certificate.

Example:

  1. (...)
  2.     virtual_center:
  3.       172.158.111.1: {}  # This vCenter inherits all it's properties from global options
  4.       172.158.110.2:     # All required options are set explicitly
  5.         user: vc-user
  6.         password: othersecret
  7.         datacenters: eu-west-2

workspace

This configuration group specifies how storage for volumes is created in vSphere.The following configuration options are available:

workspace OptionsTypeRequiredDescription
serverstringIP or FQDN of the vCenter/ESXi that should be used for creating the volumes. Must match one of the vCenters defined under the virtual_center directive.
datacenterstringName of the datacenter that should be used for creating volumes. For ESXi enter ha-datacenter.
folderstring*Path of folder in which to create dummy VMs used for volume provisioning (relative from the root of the datastore), e.g. “kubernetes”.
default-datastorestringName of default datastore to place VMDKs if neither datastore or storage policy are specified in the volume options of a PVC. If datastore is located in a storage folder or is a member of a datastore cluster, specify the full path.
resourcepool-pathstringAbsolute or relative path to the resource pool where the dummy VMs for Storage policy based provisioning should be created. If a relative path is specified, it is resolved with respect to the datacenter’s host folder. Examples: /<dataCenter>/host/<hostOrClusterName>/Resources/<poolName>, Resources/<poolName>. For standalone ESXi specify Resources.

Example:

  1. (...)
  2.     workspace:
  3.       server: 172.158.111.1 # matches IP of vCenter defined in the virtual_center block
  4.       datacenter: eu-west-1
  5.       folder: k8s-dummy
  6.       default-datastore: ds-1

disk

The following configuration options are available under the disk directive:

disk OptionsTypeRequiredDescription
scsicontrollertypestringSCSI controller type to use when attaching block storage to VMs. Must be one of: lsilogic-sas or pvscsi. Default: pvscsi.

network

The following configuration options are available under the network directive:

network OptionsTypeRequiredDescription
public-networkstringName of public VM Network to which the VMs in the cluster are connected. Used to determine public IP addresses of VMs.

Configuration Example

Given the following:

  • VMs in the cluster are running in the same datacenter eu-west-1 managed by the vCenter vc.example.com.
  • The vCenter has a user provisioner with password secret with the required roles assigned, see Prerequisites.
  • The vCenter has a datastore named ds-1 which should be used to store the VMDKs for volumes.
  • A k8s-dummy folder exists in the root of the datastore.The corresponding configuration for the provider would then be as follows:
  1. (...)
  2. cloud_provider:
  3.   name: vsphere
  4.   vsphereCloudProvider:
  5.     virtual_center:
  6.       vc.example.com:
  7.         user: provisioner
  8.         password: secret
  9.         datacenters: eu-west-1
  10.     workspace:
  11.       server: vc.example.com
  12.       folder: k8s-dummy
  13.       default-datastore: ds-1
  14.       datacenter: eu-west-1

Annex

Enabling disk UUIDs for vSphere VMs

Depending on whether you are provisioning the VMs using the vSphere node driver in Rancher or using your own scripts or third-party tools, there are different methods available to enable disk UUIDs for VMs.

Using the Vsphere Console

The required property can be set while creating or modifying VMs in the vSphere Console:

  • For each VM navigate to the tab VM Options and click on Edit Configuration.
  • Add the parameter disk.EnableUUID with a value of TRUE.

vsphere-advanced-parameters

Using the GOVC CLI tool

You can also modify properties of VMs with the govc command-line tool to enable disk UUIDs:

  1. $ govc vm.change -vm <vm-path> -e disk.enableUUID=TRUE

Using Rancher node template

When creating new clusters in Rancher using vSphere node templates, you can configure the template to automatically enable disk UUIDs for all VMs created for a cluster:

  • Navigate to the Node Templates in the Rancher UI while logged in as admin user.

  • Add or edit an existing vSphere node template.

  • Under Instance Options click on Add Parameter.

  • Enter disk.enableUUID as key with a value of TRUE.

vsphere-nodedriver-enable-uuid

  • Click Create or Save.

Troubleshooting

If you are experiencing issues while provisioning a cluster with enabled vSphere Cloud Provider or while creating vSphere volumes for your workloads, you should inspect the logs of the following K8s services:

  • controller-manager (Manages volumes in vCenter)
  • kubelet: (Mounts vSphere volumes to pods)If your cluster is not configured with external Cluster Logging, you will need to SSH into nodes to get the logs of the kube-controller-manager (running on one of the control plane nodes) and the kubelet (pertaining to the node where the stateful pod has been scheduled).

The easiest way to create a SSH session with a node is the Rancher CLI tool.

  1. $ rancher ssh <nodeName>
  • Inspect the logs of the controller-manager and kubelet containers looking for errors related to the vSphere cloud provider:
  1. $ docker logs --since 15m kube-controller-manager
  2. $ docker logs --since 15m kubelet