Example: Granting Mesh access to MetalLB
Before you configure external client access in Mesh, you must first enable Mesh to manage MetalLB resources such as address pools. This example configuration shows how to create and assign the necessary role.
MetalLB provides load-balancer services for bare metal and on-premises environments such as VMs running MicroK8s.
In this example configuration, MetalLB is installed in a MicroK8s cluster, in the metallb-system namespace. To enable Mesh to manage MetalLB resources, complete the following steps. Use these example commands as a guide:
- Create a Kubernetes role in the metallb-system namespace to grant permission for managing specific MetalLB resources:

```
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metallb-manager
  namespace: metallb-system
rules:
- apiGroups:
  - metallb.io          # MetalLB custom resources
  resources:
  - addresspools        # manage address pools
  - ipaddresspools      # manage IP address pools
  - bgpconfigs          # manage BGP configurations
  - l2configs           # manage L2 configurations
  - l2advertisements    # manage L2 advertisements
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
- apiGroups:
  - apps                # manage MetalLB controller and speaker deployments
  resources:
  - deployments         # manage deployment resources for MetalLB
  - daemonsets          # manage daemonset resources for MetalLB
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
- apiGroups:
  - ""                  # core API group, where Service objects are defined
  resources:
  - services            # manage services that MetalLB operates
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
EOF
```
- Bind the role to a service account in the namespace on the MicroK8s cluster where you install the Mesh gateway:

```
kubectl apply -f - <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mesh-metallb-manager
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io   # required field of roleRef
  kind: Role
  name: metallb-manager
subjects:
- kind: ServiceAccount
  name: mesh-rhsi-agent
  namespace: <mesh-ns-4-gw1>   # MicroK8s namespace where gateway is installed
EOF
```
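After both steps, you can confirm what the binding actually grants. The following function is an added example, not part of the original Mesh documentation: it uses `kubectl auth can-i` with impersonation to check that the mesh-rhsi-agent service account has the expected verbs in metallb-system and nothing more. It assumes your own kubectl user is allowed to impersonate service accounts and that no other binding grants this account access in that namespace; the function name and the choice of resources checked are illustrative.

```bash
# Added example (not from the original page). Checks the effective RBAC of the
# Mesh gateway service account inside the metallb-system namespace.
# Argument: the namespace where the Mesh gateway is installed.
check_mesh_metallb_access() {
  local gw_ns ns subject problems verb resource pair
  gw_ns="$1"
  ns="metallb-system"
  subject="system:serviceaccount:${gw_ns}:mesh-rhsi-agent"
  problems=0

  # 1. Each verb in the Role should be allowed on the resources it is meant to cover.
  for resource in ipaddresspools.metallb.io l2advertisements.metallb.io \
                  deployments.apps daemonsets.apps services; do
    for verb in get list create update delete patch; do
      if ! kubectl auth can-i "$verb" "$resource" --as="$subject" -n "$ns" >/dev/null 2>&1; then
        echo "MISSING: $verb $resource"
        problems=$((problems + 1))
      fi
    done
  done

  # 2. Access outside the Role should be denied (assumption: no other binding
  #    gives this service account rights in metallb-system).
  for pair in get:secrets create:pods create:rolebindings.rbac.authorization.k8s.io; do
    verb="${pair%%:*}"
    resource="${pair#*:}"
    if kubectl auth can-i "$verb" "$resource" --as="$subject" -n "$ns" >/dev/null 2>&1; then
      echo "UNEXPECTED: $verb $resource"
      problems=$((problems + 1))
    fi
  done

  echo "$subject in $ns: $problems problem(s)"
  [ "$problems" -eq 0 ]
}
```

Call it as `check_mesh_metallb_access <mesh-ns-4-gw1>`, substituting the gateway namespace. A `MISSING` line means a rule in the Role does not match the resource's real API group or name, and an `UNEXPECTED` line means some other Role or ClusterRole binding also applies to the account.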