►
From YouTube: Episode 20: Playing with TKG on Azure
Description
This week we'll explore TKG on Azure. We've previously done episodes on the CAPA networking model, and several on VSphere, NSX, and AVI, so , lets show our azure friends some love and look at how TKG (and antrea) is installed on Azure !
A
B
B
I
think
this
will
be
a
good
one
for
folks
interested
on
cap
z
and
how
the
possibility
center
can
integrate
with
azure
technology.
First,
we
are
going
to
take
a
look
on
the
azure
k-z
capabilities.
This
is
created
by
cluster
api
azure
provider,
so
we
are
using
tkg
for
this.
We
are
going
to
do
some
changes
in
the
internal
network
policy
and
see
how
it
behaves.
B
A
B
A
A
B
B
A
B
B
Using
capzi,
so
this
cluster
is
already
running.
We
have
like
the
workload
closer
here
in
the
other
place.
What
we
can
do
with
this
closer
like
the
deal
is
that
for
this
for
tkg,
we
have
entry
by
default,
install
it
and
everything
is
supposed
to
be
working.
So
the
first
thing
you
can
demo
is
like
internal
network
policies.
You
can
create
like
two
pods
and
see
how
the
network
policy
will
work,
and
then
we
do
go
in
the
configuration
and
disable
it
to
see
the
out
effect
of
this,
like
no
effect.
A
B
We
can
grow
engine
x
from
it
cool,
so
this
knight
should
put
these
parts
communicating
with
the
other
engine
expod
on
port
80.,
that's
cool!
Now
we
have
an
internet
workforce
created
here
so
this
year,
different
network
policy
on
entry
will
block
all
the
traffic
from
going
to
the
engine
x
label
that
matches
this
label.
A
B
Yeah,
okay,
so
at
this
point
I
have
disabled,
I
have
already
disabled.
I
have
already
disabled
the
network
police
capability
enter,
so
I
can
configure
enter
through
a
configure
map.
So
if
I
go
here,
configma
all
the
other,
when
you
have
the
spots
running,
you
have
like
the
configuration
map
that
is
read
by
the
deployment.
So
the
configuration
map
is
automatically
mounted
in
the
deployment
of
the
agent
and
it
parses
this
information,
and,
and
has
this
configuration
inside
of
it.
So
one
way
to
change
the
configuration
of
entry
is
editing
this
file
directly.
B
So
if
you
go
to
internet
work,
police
and
say
equals
true,
so
now
and
say
enter
asian.conf.
I'm
setting
enter
network
pulse
equals
through
internetwork
policy
goes
through
for
the
entry
controller,
and
then
I
can.
I
need
to
restart
the
pods
on
the
cluster
to
take
effect
on
this
change.
I
did
in
the
configuration
map.
A
B
B
B
B
So,
even
if
you
have
a
network
policy
in
place,
let's
create
we
not
even
create
a
network
policy.
I
think
when
you
disable,
the
network
policy
objects
not
listed
anymore,
even
if
exist
in
the
system.
This
is
a
little
bit
odd,
but
I
didn't
delete
the
network
policy
and
I
can
I
I
just
disabled
the
feature
and
I
can
still
access
the
engine
x
even
with
the
network
policy
in
place.
A
A
B
B
A
Yeah
and
that's
yang
was
just
mentioning
so
things
like
the
andrea
custom
policies
and
the
entry
of
proxy
and
all
those
things
those
are
feature
gates,
but
network
disable
the
entry
and
network
policy,
but
you
can't
disable
andrea's
implementation
of
the
kubernetes
network
policy.
Api.
To
my
knowledge,
at
least.
A
B
B
A
A
A
C
A
B
B
Objects
inside
here
that
represents
your
machines
and
represent
your
azure
stuff
on
the
on
the
like,
restrict
instructor
inside
the
the
asia
right.
So
you
can
take
a
look
like
in
the
machines.
Maybe
the
azure
machines
like
it's
not
much
to
see,
but
this
closer
is
a
workload
closer.
This
is
the
management
cluster,
but
this
and
on
management
cluster
we
have
another
workload
cluster,
where
we
have
like
the
control
plane
and
the
node
that
has
your
loads
inside
of
it.
B
A
A
I
think
that's
a
tanzer-specific
annotation
that
we
add
you
know
if
scott
was
here,
he
could
tell
us.
So
I
think
that
node
pool
is
added
by
tanzu
framework.
Okay,
so
then
you
look
in
the
specs,
so
an
azure
machine
has
the
option
of
accelerated
networking
availability
zones
and
identity
and
image,
and
the
image
for
the
azure
machine
has
a
marketplace
associated
with
it.
So
that's
very
different
than
when
we
do
cap
v
clusters,
because
cap
v
clusters
don't
have
any
of
that
marketplace
metadata
stuff.
A
A
A
Yeah
so
like,
if
james
was
here,
I
thought
james
was
going
to
come
today,
but
I
guess
he
but
I
mean
yeah,
I'm
kind
of
wondering
like
when
you
test
a
custom
image.
Well,
it
says
image
marketplace,
so
there
might
be
some
other.
I'm
going
to
look
while
you're
there,
I'm
going
to
open
up
the
capsi
cluster
api
provider.
A
A
Oh
okay,
I
see
here
we
go
yeah,
so
there's
a
there's,
a
okay,
there's
a
marketplace
and
that
has
a
publisher
an
offer
and
then
there's
an
azure
shared
gallery
image
and
I
guess
those
are
different,
and
maybe
you
have
to
pick
one
or
the
other.
I
don't
know
I'm
trying
to
see
where
this
azure
marketplace
image
is
referenced,
oh
yeah,
so
the
image
has
a
shared
gallery
or
a
marketplace
and
they're
both
as
optional
fields
right
and
I'm
looking
in
the
code
types.go.
A
B
A
C
C
Yeah
what
I
typically
do
for,
like
my
dev
test
scenario,
is
I
use
image
builder
to
create
the
vhd
and
then
you
can
do
like
a
z,
vm,
az
image
create
or
something,
and
it
will
just
create
a
via
like
a
disk
image
for
you
and
then
you
can
just.
I
think
I
put
the
link
in
there,
but
you
can
use
the
image
id
and
but
it.
A
C
A
A
C
C
C
C
B
C
Yeah,
so
capsi
is
our
kind
of
next
generation
way
of
building
self-managed
clusters
for
for
azure.
So
if
previous
to
that,
we
had
this
thing
called
aks
engine
and
aks
engine
generated
arm
templates
for
you.
That
would
create
the
management
cluster
and
the
workload
clusters
and
and
all
of
those
things
there
are
some
limitations
to
that.
C
It
was
hard
to
like
do,
updates
and
things,
and
so,
when
the
ecosystem
kind
of
moved
towards
cluster
api,
we
decided
to
put
our
efforts
into
cluster
api,
and
so
you
now
you
can
now
do
that
for
all
your
management
clusters.
Sorry
for
all
your
self-managed
clusters,
but
then
aks
is,
is
a
managed
service
which
is
separate
from
both
of
those.
A
A
B
A
A
A
B
A
B
A
B
B
A
So
there's
no
yeah,
there's
no
node
agent,
so
okay,
so
if
you
ssh
in
there
you'll
see
an
azure
cni,
cni
plug-in.
Oh
you
made
a
script
for
this.
Yeah
you've
been
busy
yo,
I
mean
you
were
ready
today,
okay,
opt
so
now.
You're
gonna
go
into
you're
inside
of
a
node
inside
of
a
node,
and
now
we're
going
to
look
at
the
option
I
bin
directory.
Okay,
I
see
what
you're
doing
yeah
okay.
B
B
A
B
A
B
A
B
A
B
A
Yeah,
okay,
so
you're
just
manually
installing
the
akscml
and
the
akscml
is
set
up
differently.
It
doesn't
try
to
create
a
node
agent
or
it
does
try
to
create
a
node
agent.
It's
just
that
the
node
agent
doesn't
do
anything
other
than
write
ovs
network
rules
for
network
policies.
It
doesn't
do
any.
It
doesn't
install
opt-pin,
cni
entry,
a
plug-in.
A
B
B
A
A
B
A
A
A
A
A
A
A
A
Yeah,
I
wonder
if
there's
a
way
we
could
figure
that
out.
Okay,
wait!
Here's
so
yeah,
okay
cool!
So
so
as
soon
as
this
happens,
andrea
steals
the
dick
or
whatever
and
puts
it
in
its
own
data
path.
Azure
cni's
handling
ipam
might
be
forwarding
routing,
okay,
so
we're
still
using
azure
cni,
okay
cool.
So
that's
great!
That
means
we
get
all
the
benefits
of
azure
cni,
but
we
need
traffic
goes
to
ovs
first,
so
so,
okay,
azure
cni,
does
all
the
routing
you're.
A
A
A
Okay,
so
that's
a
special
mode,
so
there's
four
modes
end
cap,
no
end
cap,
hybrid
and
network
policy.
Only
so
andrea
enforces
network
policy
only
and
utilizes
the
cni
chaining
and
delegates
pod
ipam
connectivity
to
the
primary
cni
which-
and
I
guess
you
might
say-
which
may
or
may
not
encapsulate
traffic
depending
on
how
the
primary
cni
is
configured
so,
okay,
that
makes
sense.
Okay
cool,
so
I
didn't
know
that.
B
A
A
A
B
A
A
A
A
A
A
A
A
A
Yeah
you're
not
gonna,
be
able
to
get
anything
else,
but
I
think
they're
slash,
I'm
curious.
Why
mike
asked
that
question?
I
wonder
if
he's
going
to
tell
us
why
he
asked
us
that
okay,
I
was
curious
about
the
routes
in
the
root
network.
Namespace.
Oh
okay,
all
right!
So
let's
go
back
to
those
routes
again.
A
So
they're
monotonically
increasing
so
your
pod
cider,
your
node
has
a
cider
and
the
node
cider
is
10
2
4
4,
oh
dot,
whatever
every
node
maybe
has
32
or
64
maximum
pods
or
whatever
so
they've
carved
that
up.
There's
some
math
that
the
api
server
does
or
whatever,
because
we're
using
node
ipm.
I
think
oh
wait,
we're
not
using
node
ipm
hold
on
what
did
you
engine
say?
Entry
azure
cni
is
handling
ipam
yeah,
so
actually
the
api
we're
not
using
node
ipm.
So
the
ip
addresses
for
those
for
those
pods
are
coming
from.
A
B
A
C
A
B
A
B
B
A
Okay,
awesome:
this
is
a
great
okay
thanks,
I
mean
so.
This
is
great.
So
now
today,
like
I
guess
I
learned
a
lot,
so
I
never
really
knew
that
andrea
in
network
policy
mode
was
still
in
the
cni
data
path.
So
that's
one
thing
and
then
I
also
didn't
really
understand
that
difference
between
the
gallery
and
the
shared
marketplace.
Images
and
the
gallery
is
the
one
you
use
for
local
development
shared
market
place
so
like
when
we
published
vmware
tanza,
we
probably
put
stuff
in
the
shared
marketplace:
okay
cool.
A
A
I
I
still
suspect
it's
not
working
yet
there's
a
bug
in
it.
But
oh
I
want
another
update
for
folks.
I
want
to
start
a
windows,
networking
sub
project
in
kubernetes,
and
I
would
like
for
folks
to
sort
of
sign
up
to
come
and
hang
out
with
us
once
a
week
and
go
over
that
windows,
networking,
internals
and
so
looking
for
critical
mass
there
before
we
really
start
a
sub
project
around
it,
and
so,
if
folks
want
to
come,
join
us
join
us
in
sig
windows
in
upstream
slack.
A
Oh
okay,
so
that's
like
a
little
metadata,
and
so
you
query
that
and
you
can
automatically
without
any
authentication
access
that.
So,
where
is
that?
That's
in
azure?
Oh,
so
they
hard
code
that
url
in
the
azure
cni
and
then
azure
cni
uses
that
url
to
talk
back
and
find
the
amount
of
the.
So
then
it
has
its
own
ipam
logic
to
allocate
the
next
one
from
there.
B
A
A
Well,
because,
well
because
in
the
regular
cni
right
you
have
like
one
node
and
another
node
and
the
nodes
each
have
their
own
sider,
that
they
allocate
the
the
things
from
and
that's
how
the
ipam
plug-in.
I
think
cni
plug-in
works
right.
So
then
what
are
you
doing
in
azure
if
you're
not
doing
that?
What
are
you
doing
if
the
node
itself
isn't
locking
a
range
of
ips
from
the
outset?
A
A
A
Here's
my
here
yeah,
we
can
look
into
it
in
the
next
entry
of
life.
My
hypothesis
would
be
that
maybe
there's
some
other
api
call
where
you
can.
You
can
make
a
call
and
it'll
allocate
an
ip
and
give
it
to
you
and
that
ip
is
like
if
somebody
else
makes
the
same
call
one
microsecond
later
it'll
return
a
different
ip.
A
A
A
Cool
and
as
always
like
and
subscribe,
if
you
like
this,
so
that
we
can
keep
doing
it
as
long
as
we
are
growing
the
community,
we
can
take
time
out
of
our
days
to
keep
bringing
you
all
this
really
cool
content.
I
guarantee
you,
nobody
else
has
ever
gone
over
this
on
the
internet
before
so
huge
thanks.
I
mean
for
setting
all
this
up
and
so
that
we
could
do
this.
Look
at
all
this
stuff
today.
This
is
really
cool.