Create a Private Cluster
Last updated
Last updated
Previously, public clusters on VKS were using Public IP addresses to communicate between nodes and the control plane. To improve the security of your cluster, we have launched the private cluster model. The Private Cluster feature helps your K8S cluster to be as secure as possible, all connections are completely private from the connection between nodes to the control plane, the connection from the client to the control plane, or the connection from nodes to other products and services in VNG Cloud such as: vStorage, vCR, vMonitor, VNGCloud APIs,... Private Cluster is the ideal choice for services that require strict access control, ensuring compliance with regulations on security and data privacy.
In which:
Control plane : Managed by VNG Cloud, responsible for coordinating and managing the entire cluster.
Private Load Balancer : Managed by VNG Cloud, responsible for helping Private Nodes communicate with Control Plane.
Private Service Endpoint : When you create a private cluster, the system automatically creates 4 endpoints to help connect to other services on VNG Cloud including:
Endpoint to connect to the IAM service (Endpoint Name: vks-iam-endpoint-...)
Endpoint to connect to vCR service (Endpoint Name: vks-vcr-endpoint-...)
Endpoint to connect to vServer service (Endpoint Name: vks-vserver-endpoint-...)
Endpoint to connect to vStorage service (Endpoint Name: vks-vstorage-endpoint-...)
To be able to initialize a Cluster and Deploy a Workload , you need:
A cluster in Kubernetes is a collection of one or more virtual machines (VMs) connected together to run containerized applications. Cluster provides a unified environment to deploy, manage, and operate containers at scale.
To initialize a Cluster, follow the steps below:
Step 2: At the Overview screen , select Activate.
Step 3: Wait until we successfully create your VKS account. After Activate successfully, select Create a Cluster
Step 4: At the Cluster initialization screen, we have set up information for the Cluster and a Default Node Group for you. You can keep these default values or adjust the desired parameters for the Cluster and Node Group at Cluster Configuration, Default Node Group Configuration, Plugin.
Step 5: Select Create Kubernetes cluster. Please wait a few minutes for us to initialize your Cluster, the Cluster's status is now Creating .
Step 6: When the Cluster status is Active , you can view Cluster information and Node Group information by selecting Cluster Name in the Name column .
After the Cluster is successfully initialized, you can connect and check the newly created Cluster information by following these steps:
Step 2: The Cluster list is displayed, select the Download icon and select Download config file to download the kubeconfig file. This file will give you full access to your Cluster.
Step 3 : Rename this file to config and save it to the ~/.kube/config folder
Step 4: Because your Cluster is initialized in Private mode, to be able to access kube-api, you need to be in the VPC you have chosen to use for your Cluster. For example, when you are not in the VPC and execute get nodes, the results will display as follows:
For example, I am using a linux server to perform get nodes, I can install kubectl via command:
Then I tested kubectl via command:
Create folder . kube
via command:
Then, enter the kubeconfig file via the command:
Then, enter :wq to save the kubeconfig file and exit vim.
Run the following command to test the cluster
You should see a return similar to the following:
Run the following command to test node
If the results are returned as below, it means your Cluster was successfully initialized with 1 node as below.
Because Private Cluster can only connect privately to the vContainer Registry (vCR) system and cannot connect to other Container Registry outside the internet, you need to pull/push the image to vCR to use according to the following instructions:
Step 1: Install Docker
Step 2: Initialize Public Repository and Repository User on vContainer Registry Portal:
Step 3: Pull the nginx image according to the command:
Step 4: Log in to vCR via command:
For example, the command below I use to login to the demo repo:
Step 5: Assign tags to the nginx image
For example, the command below I use to assign tags to the nginx image:
Step 6: Push the image to the repo via command:
For example, the command below I use to push images to demo_repo:
The following are instructions for you to deploy the nginx service and expose this service via Network Load Balancer
Step 1: Create the nginx-service-lb4.yaml file via the command:
Then, enter the content for this file as follows: you need to replace the image with the image path saved on the vCR that you pushed in the step above:
Enter :wq to save this file.
Deploy This deployment equals:
Step 2: Check Deployment and Service information before exposing it to the Internet.
Run the following command to test Deployment
If the results are returned as below, it means you have successfully deployed the nginx service.
Step 3: To access the just exported nginx app, you can use the Endpoint of Load Balancer URL with the format:
Nodes : When created, Nodes in the Cluster will only have internal IPs and cannot go to the public internet. If you want the node to access the internet, you need to use a NAT Gateway. For more details, refer .
You can view information about the 4 private service endpoints through the vServer portal by following the link .
There is at least 1 VPC and 1 Subnet in ACTIVE state . If you do not have a VPC or Subnet yet, please create a VPC and Subnet according to the instructions here
There is at least 1 SSH key in ACTIVE state . If you do not have any SSH key, please create an SSH key according to the instructions here
Installed and configured kubectl on your device. Please refer here you are not sure how to install and use kuberctl. In addition, you should not use a kubectl version that is too old, we recommend that you use a kubectl version that is no more than one version different from the cluster version.
Step 1: Visit
Step 1: Visit
In the example below I will stand at a server with a VPC along with the VPC used for the Cluster. You can perform SSH to the server according to instructions . After SSH into the server, install kubectl according to the instructions .
Perform docker installation according to instructions .
Log in to the vCR portal at the link:
Perform Repository and Repository initialization according to instructions . For example in the image below, I have initialized demo_repo with demo_user who can pull/push images:
If you want to create a Private Reposity, to pull an image from the Private Reposity, you need to create a secret key according to the instructions .
At this time, the vLB system will initialize a Network Load Balancer, you can view this LB information through the vLB portal .
You can get Load Balancer Public Endpoint information at the vLB interface. Specifically, access at
For example, below I have successfully accessed the nginx app with the address:
Above is an example showing you how to expose a service through vLB Layer 4. You can expose a service through vLB Layer 7 according to the instructions .
To ensure the private cluster works effectively, we have automatically added the Subnet you choose to use for the Cluster to the cluster's Whitelist. You can use the Whitelist feature to limit the Subnets in the VPC that have access to kube-api. Details on how to use the Whitelist feature please refer .