
Inquiry on Optional Use of vsphere-cloud-controller-manager in Worker Clusters

Open · janre opened this issue 1 year ago · 1 comment

Please note, this inquiry is aimed at seeking clarification and understanding rather than reporting an issue.

Hello EKS Anywhere Team,

I'm currently utilizing EKS Anywhere to manage Kubernetes clusters in an on-premise environment, specifically with VMware vSphere as the underlying infrastructure.

My query revolves around the use of the vsphere-cloud-controller-manager (CCM) within the worker clusters managed by EKS Anywhere. Given the architecture of EKS-A, with a clear distinction between management and worker clusters, and considering the management cluster handles the lifecycle operations of worker clusters (including VM creation and management), I'm exploring the possibility of minimizing the footprint and permissions required in worker clusters. Specifically, I'm interested in understanding if deploying the CCM in worker clusters is mandatory for EKS-A operations, or if it's optional.

One of my primary motivations is to avoid storing vSphere credentials within each worker cluster to reduce the security surface area. This leads me to the following questions:

  • Is it possible to exclude the CCM from deployment in worker clusters when using EKS Anywhere with VMware vSphere, and if so, how?
  • If the CCM is optional, are there specific functionalities or features within the worker clusters that would be impacted or limited by its absence?

I aim to streamline the operation and security posture of my clusters while ensuring that we can still fully utilize the capabilities of EKS Anywhere in a vSphere environment. Any guidance, insights, or documentation you could provide on this matter would be greatly appreciated.

Thank you for your time and assistance.

Best regards, Jan

janre · Apr 05 '24 11:04

Hello @janre, excluding the CCM from deployment in workload clusters is currently not supported on EKS-Anywhere.

There is an upstream CAPV ticket that includes a bit more context on this specific use case if you would like to read further: https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/issues/924

ahreehong · Apr 12 '24 20:04