You must configure IP address range assignments before the steps included in this guide can work.
Configuring AWS network peering allows Kore to manage automatic peering of team cluster networks with defined external AWS VPCs, such as the VPC in which Kore itself is running, to allow for private clusters, on-premises network connectivity, etc. To enable this, we tell Kore about an external VPC to peer with using an ExternalVPC structure and ensure that Kore has appropriate credentials to accept the peering connection on that external VPC.
Create a cloud account (Configure > Cloud > Amazon Web Services > Shared Accounts in the UI, or `kore create cloudaccount aws-kore-management -c aws --type shared` from the CLI).
This cloud account must reference the AWS account in which the external VPC you wish to peer with is located, and must have the NetworkManager role enabled. It should not be allocated to any teams: it exists only so that Kore can accept peering connections and add routes in that account.
The ExternalVPC resource provides a means to represent an externally managed VPC network in Kore (or one not yet imported into Kore).
One of the primary use cases (assuming Kore is deployed into AWS) is to represent the VPC network which the Kore management cluster itself lives in, allowing for private clusters to be created and peered into this network.
It is vital to give this resource the special name `kore` if it represents the Kore management network. This enables Kore to manage the automatic peering process required for private clusters.
At the moment, this resource must be prepared as a manifest and applied using `kore apply -f`.
The ExternalVPC resource provides Kore with the following details:
- The AWS region the external network exists in.
- The AWS account ID in which the external network resides.
- The routes (CIDR ranges reachable through the external VPC) which Kore adds to the requestor network's route tables when a peering to this ExternalVPC is established.
- A selector which allows Kore to find the route table(s) in the external VPC to which routes back to the requestor network should be added.
- An optional reference to a cloud account which allows Kore to accept the peering and add routing on the ExternalVPC end. Note that if the reference is missing, Kore will request the peering but cannot accept it, so someone with credentials in the external account must accept the peering connection and add the routes manually for every cluster built.
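The following is an added example, not Kore's own code and not its ExternalVPC schema. It shows what has to happen on the ExternalVPC end when no cloud account reference is present and the peering has to be completed by hand: accept the pending peering connection, select the route tables by tag, and add a route to the peering for each requestor CIDR, refusing to touch anything if a selected table already routes one of those CIDRs elsewhere (an address-range clash to resolve first, which is why IP range assignments must be configured before any of this). The `ec2` argument is assumed to follow the boto3 EC2 client API (`accept_vpc_peering_connection`, `describe_route_tables`, `create_route`); the IDs, CIDRs and tag selector used by `FakeEC2`, `sample_tables()` and `demo()` are constructed sample values so the example runs offline.

```python
"""Accepting a Kore-requested peering on the ExternalVPC side by hand.

Added example, not Kore's own code. `ec2` is assumed to behave like a
boto3 EC2 client; FakeEC2 and sample_tables() are constructed stand-ins.
"""


def accept_peering(ec2, peering_id):
    """Accept the pending peering connection; returns the resulting status code."""
    resp = ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=peering_id)
    return resp["VpcPeeringConnection"]["Status"]["Code"]


def select_route_tables(ec2, vpc_id, selector):
    """Return the route tables in vpc_id whose tags match every key/value in selector."""
    filters = [{"Name": "vpc-id", "Values": [vpc_id]}]
    filters += [{"Name": "tag:" + k, "Values": [v]} for k, v in selector.items()]
    tables, token = [], None
    while True:  # describe_route_tables is paginated via NextToken
        kwargs = {"Filters": filters}
        if token:
            kwargs["NextToken"] = token
        resp = ec2.describe_route_tables(**kwargs)
        tables.extend(resp.get("RouteTables", []))
        token = resp.get("NextToken")
        if not token:
            return tables


def plan_routes(route_tables, cidrs, peering_id):
    """Classify each (table, cidr) pair as create / already present / conflict.

    A conflict is an existing route for the same CIDR that does not point at
    this peering: creating it would fail or silently redirect that traffic.
    """
    create, present, conflict = [], [], []
    for table in route_tables:
        rtb_id = table["RouteTableId"]
        existing = {r["DestinationCidrBlock"]: r.get("VpcPeeringConnectionId")
                    for r in table.get("Routes", []) if "DestinationCidrBlock" in r}
        for cidr in cidrs:
            if cidr not in existing:
                create.append((rtb_id, cidr))
            elif existing[cidr] == peering_id:
                present.append((rtb_id, cidr))
            else:
                conflict.append((rtb_id, cidr))
    return create, present, conflict


def peer_external_vpc(ec2, peering_id, vpc_id, cidrs, selector):
    """Accept the peering and install routes; fails closed on any conflict."""
    status = accept_peering(ec2, peering_id)
    tables = select_route_tables(ec2, vpc_id, selector)
    create, present, conflict = plan_routes(tables, cidrs, peering_id)
    if conflict:
        raise RuntimeError("route conflicts, nothing created: %r" % conflict)
    for rtb_id, cidr in create:
        ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr,
                         VpcPeeringConnectionId=peering_id)
    return {"status": status, "tables": [t["RouteTableId"] for t in tables],
            "created": create, "already_present": present}


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline."""

    def __init__(self, tables):
        self.tables = tables
        self.created = []

    def accept_vpc_peering_connection(self, VpcPeeringConnectionId):
        return {"VpcPeeringConnection": {"Status": {"Code": "active"}}}

    def describe_route_tables(self, Filters, NextToken=None):
        return {"RouteTables": self.tables}  # AWS applies the tag filters in a real run

    def create_route(self, RouteTableId, DestinationCidrBlock, VpcPeeringConnectionId):
        self.created.append((RouteTableId, DestinationCidrBlock))
        return {"Return": True}


def sample_tables():
    """Constructed data: one table with only its local route, one already routing via pcx-111."""
    return [
        {"RouteTableId": "rtb-aaa", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
        {"RouteTableId": "rtb-bbb", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "10.20.0.0/16", "VpcPeeringConnectionId": "pcx-111"}]},
    ]


def demo():
    """Happy path on the constructed data; returns the summary dict."""
    ec2 = FakeEC2(sample_tables())
    return peer_external_vpc(ec2, "pcx-111", "vpc-000",
                             ["10.20.0.0/16", "10.21.0.0/16"], {"kore": "peering"})


if __name__ == "__main__":
    print(demo())
```

For a real run against the external account, replace `FakeEC2` with `boto3.client("ec2", region_name=...)` using the same credentials the cloud account would otherwise hold, and pass the pending peering connection ID that Kore created from the cluster side. The plan step is deliberately separate from the create step so that an operator can inspect what will change before anything is written.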