From YouTube: Episode 20: Playing with TKG on Azure
Description
This week we'll explore TKG on Azure. We've previously done episodes on the CAPA networking model, and several on vSphere, NSX, and AVI, so let's show our Azure friends some love and look at how TKG (and Antrea) is installed on Azure!
B: So, let's get started, starting with the news. We don't have much news, so the only news we have is that Antrea 1.5.1 is out. It came out about eight days ago, and it's a patch release with a few bug fixes, so check it out.
B: 1.5.1. On today's episode, the idea is to hack around Azure and AKS and explore how Antrea integrates with AKS.
B: I think this will be a good one for folks interested in CAPZ and how the possibility center can integrate with Azure technology. First, we are going to take a look at the Azure CAPZ capabilities. This cluster is created by the Cluster API Azure provider, so we are using TKG for this. We are going to make some changes in the Antrea network policy configuration and see how it behaves.
B: This is an old installation of AKS, and we are going to replace only the network policy capabilities of the cluster, while Azure CNI will handle IP management and all the other parts of the CNI.
B: Let me just log in to the portal before we get started, so you can take a look at what we have inside the Azure platform and see how these things are created and why we do these operations. Oh cool, okay.
A: So what did you do? You already created the... sorry.
B: Using CAPZ, so this cluster is already running. We have the workload cluster here in the other place. What we can do with this cluster, the deal is that for TKG, we have Antrea installed by default and everything is supposed to be working. So the first thing we can demo is Antrea network policies. You can create two pods and see how the network policy works, and then we go into the configuration and disable it to see the effect of this, like no effect.
B: This is only a netshoot pod that has curl and wget and a couple of binaries inside of it, and then you can hit one pod from another, right, so netshoot.
B: We can curl nginx from it. Cool, so this netshoot pod is communicating with the other nginx pod on port 80. That's cool! Now we have an Antrea network policy created here, so this network policy on Antrea will block all the traffic from going to the nginx pod that matches this label.
B: Yeah, okay, so at this point I have already disabled the network policy capability in Antrea. I can configure Antrea through a ConfigMap. So if I go here, to the ConfigMap: when you have the pods running, you have the ConfigMap that is read by the deployment. So the ConfigMap is automatically mounted in the deployment of the agent, and it parses this information and has this configuration inside of it. So one way to change the configuration of Antrea is editing this file directly.
B: So if you go to Antrea network policy and set it equal to true... so now, in antrea-agent.conf, I'm setting Antrea network policy equals true, and Antrea network policy goes to true for the Antrea controller as well. Then I need to restart the pods on the cluster for the change I made in the ConfigMap to take effect.
B: Okay, it already exists. So at this point, if I go to the netshoot pod and do a curl to nginx, I should get a timeout. I should not be able to access this pod, because I have a network policy in place that's blocking this traffic.
B: Yeah, this is very straightforward, right? So the example here is that we can disable this Antrea policy configuration through the ConfigMap again, and then we restart the pod.
B: So, even if you have a network policy in place... let's create... we don't even need to create a network policy. I think when you disable it, the network policy objects are not listed anymore, even if they exist in the system. This is a little bit odd, but I didn't delete the network policy; I just disabled the feature, and I can still access nginx even with the network policy in place.
B: So this is one way to configure this, the feature gates on the Antrea side.
A: Okay, cool, so you turned on the policy feature gate, and that seems to work. Then let's look at your Azure cluster, or do you have something else planned? Chinchi's here. Why...
B: Yeah, so we move to this. What you can still do, and it's pretty cool, is take a look at the objects of CAPZ, right? We have the cluster here.
A: Yeah, and that's what Yang was just mentioning. Things like the Antrea custom policies and Antrea Proxy and all those things, those are feature gates. You can disable the Antrea network policy, but you can't disable Antrea's implementation of the Kubernetes NetworkPolicy API. To my knowledge, at least.
B: Yeah, this is a bunch of YAMLs. We could have a diagram for this, but just to give an overview: this is the AzureCluster. Here we have the control plane endpoint. For this we have the definitions of the subnets that are being used, CIDRs, VNets.
B: This is the AzureCluster, the infrastructure cluster. This is the CAPI one.
B: Because... that's correct, yeah.
A: Points to the node IPs, okay. And just in case there's anybody new here to how Cluster API works... so, okay, and then you get CIDR blocks. So is that the CIDR for the nodes or for the pods?
B: Subnets on this isolated virtual private network stuff, so.
B: Objects inside here represent your machines and represent your Azure stuff, the infrastructure inside Azure, right. So you can take a look at the Machines, maybe the AzureMachines. It's not much to see, but this cluster is a workload cluster. This is the management cluster, and on the management cluster we have another workload cluster, where we have the control plane and the node that has your workloads inside of it.
B: So this definition here is your model of the machine, of the VM inside Azure. So you have this AzureMachine that's managed by CAPZ, and the CAPZ controller will create this machine and will be responsible for binding all of this stack.
A: I think that's a Tanzu-specific annotation that we add; you know, if Scott was here, he could tell us. So I think that node pool is added by the Tanzu framework. Okay, so then you look in the spec: an AzureMachine has the options of accelerated networking, availability zones, identity, and image, and the image for the AzureMachine has a marketplace associated with it. So that's very different than when we do CAPV clusters, because CAPV clusters don't have any of that marketplace metadata stuff.
A: So this thing is saying it's going to use an image that's already been published to the Azure cloud somewhere. I'm going to leave a note in the show notes. Azure, yeah.
B: So this is a good thing, like how... we need the CAPZ people, but how can we create, like, with image builder, and publish on the marketplace through image builder, right? Or do we not need to?
A: Yeah, so if James was here... I thought James was going to come today, but I guess he... but I mean, yeah, I'm kind of wondering, like when you test a custom image. Well, it says image marketplace, so there might be some other option. I'm going to look while you're there; I'm going to open up the CAPZ Cluster API provider.
A: Oh okay, I see, here we go. Yeah, so there's a marketplace, and that has a publisher and an offer, and then there's an Azure shared gallery image, and I guess those are different, and maybe you have to pick one or the other. I don't know; I'm trying to see where this Azure marketplace image is referenced. Oh yeah, so the image has a shared gallery or a marketplace, and they're both optional fields, right? I'm looking in the code, types.go.
A: Oh, here's James, he's coming, he's on the stream now. Okay, cool, all right. Okay, James! So what do you... hi! So what is the difference between a shared gallery and a marketplace image?
C: So the marketplace is used for our partners, so you can publish an image and it becomes available in the marketplace for anybody to use, and it gets replicated across the globe to all the different locations. It's really meant for you to publish an image so that any old person can come along and use it, whereas the shared image gallery is really used for your internal use. And so, shared image gallery...
C: Yeah, so image builder can do either one of those. It can build a VHD, which you can then eventually publish to the marketplace.
C: Otherwise... we have... when you run the make target for a shared image gallery version, it will create a shared image gallery resource in Azure for you and then upload those images to it, and so then...
C: Yeah, what I typically do for my dev/test scenario is I use image builder to create the VHD, and then you can do something like az vm... az image create or something, and it will just create a disk image for you, and then you can just... I think I put the link in there, but you can use the image ID, and...
C: Yeah, and then that one you just scrolled past, go up, it says "use image ID", this one. You can take a VHD and turn it into an image without having to go into a SIG or a marketplace.
C: And if you do that, then it ends up in one of your resource groups here, and you can just reference it for your VMs and it will just work. This is good for dev scenarios, but it's not good for full scale, because it has some limitations on how those images are used.
C: Yeah, it's a little bit more involved, and there are a couple of different options. There's some pretty good documentation on what to choose there.
B: A look at the AzureMachineTemplate, since we are in the objects of Azure and CAPZ.
C: Yeah, so CAPZ is our kind of next-generation way of building self-managed clusters for Azure. Previous to that, we had this thing called AKS Engine, and AKS Engine generated ARM templates for you that would create the management cluster and the workload clusters and all of those things. There are some limitations to that.
C: It was hard to do updates and things, and so, when the ecosystem kind of moved towards Cluster API, we decided to put our efforts into Cluster API. So you can now do that for all your management clusters... sorry, for all your self-managed clusters. But then AKS is a managed service, which is separate from both of those.
C: Yeah, well, it used to be the DIY. Now CAPZ is the do-it-your-own.
B: Yeah, I just created it here, filled these things in, and just have this running.
B: Node pools. Oh, they have node pools as well. Not sure if they label this, but there is a concept of node pools. Maybe you can scale.
B: So there is one lonely machine. This is 9044, that's this machine here, this node. Right now we are not using Antrea. So one thing that I learned with Azure CNI is that there is no process, no agent running on the node. There is only the plugin installed in your node.
A: So there's no node agent. Okay, so if you SSH in there you'll see an Azure CNI plug-in. Oh, you made a script for this. Yeah, you've been busy; I mean, you were ready today. Okay, /opt, so now you're going to go into... you're inside of a node, and now we're going to look at the /opt/cni/bin directory. Okay, I see what you're doing, yeah, okay.
B: We are going to see this in the end: that is the AKS Engine. They have an add-on that installs Antrea, but otherwise, no, you need to do it yourself, like running the scripts.
B: So basically, this converts Azure CNI from bridge to transparent mode, and Antrea starts to handle the requests, etc.
A: Yeah, okay, so you're just manually installing the AKS YAML, and the AKS YAML is set up differently. It doesn't try to create a node agent... or it does try to create a node agent; it's just that the node agent doesn't do anything other than write OVS network rules for network policies. It doesn't install the /opt/cni/bin Antrea plug-in.
A: Why is that, June Jen? Why is it that you need to be integrated with the CNI? Why can't I just have Azure give... or Yang Ding is here, I think, right? I mean, can either one of you, can somebody answer: why is it that Antrea needs to be installed?
A: I see a bunch of stuff; I don't see any Azure-specific stuff in the code, which is kind of weird. Well, I guess it's not weird, it makes sense.
A: Yeah, I wonder if there's a way we could figure that out. Okay, wait! Here's... so yeah, okay, cool! So as soon as this happens, Antrea steals the NIC or whatever and puts it in its own data path. Azure CNI is handling IPAM and might be forwarding, routing. Okay, so we're still using Azure CNI, okay, cool. So that's great! That means we get all the benefits of Azure CNI, but traffic goes to OVS first. So, okay, Azure CNI does all the routing, you're...
A: Okay, so I guess noEncap. Can you check if there's encap enabled on Antrea? Can you look in the configuration, yeah? I do believe there is no encap. So can we look in the... okay, yeah?
A: Okay, so that's a special mode. There are four modes: encap, noEncap, hybrid, and networkPolicyOnly. So Antrea enforces network policy only and utilizes CNI chaining and delegates pod IPAM and connectivity to the primary CNI, which, and I guess you might say, may or may not encapsulate traffic depending on how the primary CNI is configured. So, okay, that makes sense. Okay, cool, so I didn't know that.
B: That's the link to the container API, right? That's not...
A: Yeah, you're not going to be able to get anything else, but I think they're slash... I'm curious why Mike asked that question. I wonder if he's going to tell us why he asked us that. Okay: "I was curious about the routes in the root network namespace." Oh okay, all right! So let's go back to those routes again.
A: So they're monotonically increasing, so your pod CIDR... your node has a CIDR, and the node CIDR is 10.244.0.whatever; every node maybe has 32 or 64 maximum pods or whatever, so they've carved that up. There's some math that the API server does or whatever, because we're using node IPAM. I think... oh wait, we're not using node IPAM, hold on. What did June Jen say? Antrea... Azure CNI is handling IPAM, yeah, so actually we're not using node IPAM. So the IP addresses for those pods are coming from... So, okay.
B: Yeah, this will be first. So basically, the AKS Engine is super odd. You can deploy it with an add-on. This was deprecated, but the idea is almost the same: you have the network policy running and everything else is managed by Azure CNI, instead of this.
A: Okay, awesome. This is great, okay, thanks. I mean, this is great. So today I guess I learned a lot. I never really knew that Antrea in network policy mode was still in the CNI data path. So that's one thing, and then I also didn't really understand the difference between the gallery and the shared marketplace images. The gallery is the one you use for local development, shared marketplace... so like when we published VMware Tanzu, we probably put stuff in the shared marketplace. Okay, cool.
A: I still suspect it's not working yet; there's a bug in it. But, oh, I have another update for folks. I want to start a Windows networking subproject in Kubernetes, and I would like folks to sort of sign up to come and hang out with us once a week and go over Windows networking internals. So I'm looking for critical mass there before we really start a subproject around it, and so, if folks want to come, join us in SIG Windows in upstream Slack.
B: Query URL: when you query this, it gives you back the IPs of your subnet that are being used.
A: Oh okay, so that's like a little metadata endpoint, and so you query that, and you can access that automatically without any authentication. So, where is that? That's in Azure? Oh, so they hard-code that URL in the Azure CNI, and then Azure CNI uses that URL to talk back and find the amount of the... So then it has its own IPAM logic to allocate the next one from there.
A: Well, because in the regular CNI, right, you have one node and another node, and the nodes each have their own CIDR that they allocate the things from, and that's how the IPAM plug-in, I think the CNI plug-in, works, right? So then what are you doing in Azure if you're not doing that? What are you doing if the node itself isn't locking a range of IPs from the outset?
A: Here's my... here, yeah, we can look into it in the next Antrea Live. My hypothesis would be that maybe there's some other API call where you can make a call and it'll allocate an IP and give it to you, and if somebody else makes the same call one microsecond later, it'll return a different IP.
A: Cool, and as always, like and subscribe if you like this, so that we can keep doing it. As long as we are growing the community, we can take time out of our days to keep bringing you all this really cool content. I guarantee you, nobody else has ever gone over this on the internet before, so huge thanks, I mean, for setting all this up so that we could do this and look at all this stuff today. This is really cool.
A: I learned a lot, and thanks everybody else for coming. Thanks to June Jen and Yang and Chinchi and James and everyone else who showed up, and obviously Mike. Cool, okay. Antrea Live, every Wednesday, four o'clock Eastern, one Pacific. See y'all next week; Chinchi's up. All right. Peace.