Skip to main content

On-Premises Kubernetes

Importing an on-premises Kubernetes engine connects a self-managed cluster to AIchor. AIchor schedules workloads on the cluster using the provided credentials, while infrastructure management remains entirely with the cluster administrator.

Prerequisites

  • The Kubernetes cluster must already exist.

  • The Kubernetes API server endpoint is required. Run the following command to retrieve it:

    kubectl cluster-info

and look for the Kubernetes control plane endpoint.

  • The external IP address of the ingress controller deployed must be known.

  • Either a bearer token or basic authentication credentials must be available (see Authentication below).

  • To populate the CA Data field, run the following command:

    kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}' | base64 -d

Steps

  1. In the AIchor UI, open Engines and click Add Engine.

  2. Select On Premise.

    On-Premise engine selection On-Premise engine selection

  3. Fill in the form fields described below.

    On-Premise form fields On-Premise form fields

  4. Fill in the authentication fields and submit.

    On-Premise auth section On-Premise auth section

Form fields

FieldRequiredDescription
Engine NameYesLowercase alphanumeric characters and hyphens. Must start with a letter.
EcosystemNoTag passed to infrastructure-as-code tooling. Required only for specific organisations on InstaDeep recommendation.
API HostnameYesKubernetes API server endpoint. Obtained by running kubectl cluster-info.
Load Balancer IPYesExternal IP address of the Nginx ingress controller. Provided by the networking team.

Certificates

FieldRequiredDescription
CA DataNoCertificate Authority certificate in PEM format. See the retrieval command in the Before starting section above.

Authentication

One of the following two authentication methods must be provided.

Option A: Static Bearer token

A service account token (bearer token) is the recommended approach. The token is found in the kubeconfig under users[0].user.token, or generated from a dedicated service account (see Generating a service token below).

FieldRequiredDescription
Bearer TokenYes (if using this option)Service account token used to authenticate with the Kubernetes API.

Option B: Basic authentication

Username and password credentials can be used as an alternative to a bearer token.

FieldRequiredDescription
Basic UsernameYes (if using this option)Username for basic authentication.
Basic PasswordYes (if using this option)Password for basic authentication.

Generating a service token

A dedicated Kubernetes service account can be created to generate a bearer token with the minimum required permissions. The following manifests create the necessary resources.

ServiceAccount (serviceaccount.yaml):

apiVersion: v1
kind: ServiceAccount
metadata:
name: dp-cluster-service-account
namespace: aichor

ClusterRole (clusterrole.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dp-sa-cluster-role
rules:
- apiGroups:
- ""
resources:
- pods
- pods/status
- pods/exec
- serviceaccounts
- configmaps
- namespaces
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- get
- delete
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- create
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- delete
- list
- apiGroups:
- ""
resources:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- delete
- apiGroups:
- ray.instadeep.io
resources:
- rayclusters
verbs:
- list
- create
- get
- delete
- apiGroups:
- argoproj.io
resources:
- workflows
verbs:
- get
- patch

ClusterRoleBinding (clusterrolebinding.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dp-sa-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dp-sa-cluster-role
subjects:
- kind: ServiceAccount
name: dp-cluster-service-account
namespace: aichor

Secret to trigger token generation (secret.yaml):

apiVersion: v1
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: dp-cluster-service-account
name: dp-cluster-service-account-token
namespace: aichor
type: kubernetes.io/service-account-token

Apply all four manifests, then retrieve the token with:

kubectl get secret dp-cluster-service-account-token \
-o=jsonpath='{.data.token}' | base64 -d

The output is the bearer token to enter in the Bearer Token field.