Before you begin
GKE cluster requirements
-
Optional, but recommended, the cluster should be dedicated to Kf. We recommend that you only install Kf and its dependencies to ensure that the compatibility matrix is maintained.
-
At least four nodes. If you need to add nodes, see Resizing a cluster .
-
The minimum machine type that has at least four vCPUs, such as
e2-standard-4. If the machine type for your cluster doesn't have at least four vCPUs, change the machine type as described in Migrating workloads to different machine types . -
Optional, but recommended, enroll the cluster in a release channel . Follow the instructions in Enrolling an existing cluster in a release channel if you have a static GKE version.
-
Workload Identity enabled.
Kf requirements
Review and understand the access permissions of components in Kf in the Kf dependencies and architecture page .
The Dependency matrix lists the specific versions.
-
Tekton for use by Kf; this is not a user facing service
-
A dedicated Google Service Account
Enable support for Compute Engine
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Verify that billing is enabled for your Google Cloud project .
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Verify that billing is enabled for your Google Cloud project .
- Enable the Compute Engine API.
Enable support for Artifact Registry
- Enable the Artifact Registry API.
Enable and configure GKE
Before you start, make sure that you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task, install
and then initialize
the
gcloud CLI. If you previously installed the gcloud CLI, get the latest
version by running
gcloud components update.
Prepare a new GKE cluster and related services
Set up environment variables
Linux and Mac
export PROJECT_ID= YOUR_PROJECT_ID export CLUSTER_PROJECT_ID= YOUR_PROJECT_ID export CLUSTER_NAME= kf-cluster export COMPUTE_ZONE= us-central1-a export COMPUTE_REGION= us-central1 export CLUSTER_LOCATION=${COMPUTE_ ZONE } # Replace ZONE with REGION to switch export NODE_COUNT= 4 export MACHINE_TYPE= e2-standard-4 export NETWORK= default
Windows PowerShell
Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID Set-Variable -Name CLUSTER_NAME -Value kf-cluster Set-Variable -Name COMPUTE_ZONE -Value us-central1-a Set-Variable -Name COMPUTE_REGION -Value us-central1 Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ ZONE # Replace ZONE with REGION to switch Set-Variable -Name NODE_COUNT -Value 4 Set-Variable -Name MACHINE_TYPE -Value e2-standard-4 Set-Variable -Name NETWORK -Value default
Set up service account
Create a Google Cloud service account that will be associated with a Kubernetes Service Account via Workload Identity . This prevents the need to create and inject a service account key.
-
Create the service account that Kf will use.
gcloud iam service-accounts create ${CLUSTER_NAME}-sa \ --project=${CLUSTER_PROJECT_ID} \ --description="GSA for Kf ${CLUSTER_NAME}" \ --display-name="${CLUSTER_NAME}" -
Create a new custom IAM role.
gcloud iam roles create serviceAccountUpdater \ --project=${CLUSTER_PROJECT_ID} \ --title "Service Account Updater" \ --description "This role only updates members on a GSA" \ --permissions iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy -
Allow the service account to modify its own policy. The Kf controller will use this to add new (name)spaces to the policy, allowing reuse for Workload Identity.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater" -
Give monitoring metrics role for write access to Cloud Monitoring.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/monitoring.metricWriter" -
Give logging role for write access to Cloud Logging.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/logging.logWriter"
Create GKE cluster
gcloud container clusters create ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION} \
--num-nodes=${NODE_COUNT} \
--machine-type=${MACHINE_TYPE} \
--disk-size "122" \
--network=${NETWORK} \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-dataplane-v2 \
--enable-stackdriver-kubernetes \
--enable-ip-alias \
--enable-autorepair \
--enable-autoupgrade \
--scopes cloud-platform \
--release-channel=regular \
--workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
--service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
Set firewall rules
Kf requires some firewall ports to be open. The master node needs to be able to communicate with pods on ports 80, 443, 8080, 8443 and 6443.
Enable Workload Identity
Now that you have a service account and GKE cluster, associate the cluster's identity namespace with the cluster.
gcloud iam service-accounts add-iam-policy-binding \
--project=${CLUSTER_PROJECT_ID} \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]" \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
gcloud iam service-accounts add-iam-policy-binding \
--project=${CLUSTER_PROJECT_ID} \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
Target GKE cluster
Configure kubectl command line access by running the following command.
gcloud container clusters get-credentials ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION}
Create an Artifact Registry repository
-
Create an Artifact Registry for container images to be stored.
gcloud artifacts repositories create ${CLUSTER_NAME} \ --project=${CLUSTER_PROJECT_ID} \ --repository-format=docker \ --location=${COMPUTE_REGION} -
Grant the service account permission on the Artifact Registry repository.
gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \ --project=${CLUSTER_PROJECT_ID} \ --location=${COMPUTE_REGION} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role='roles/artifactregistry.writer'
Install software dependencies on a cluster
-
Install Cloud Service Mesh v1.23.3-asm.1+config1.
- Follow the Cloud Service Mesh install guide , including steps to create an ingress gateway.
-
Install Config Connector.
-
Download the required Config Connector Operator tar file.
-
Extract the tar file.
tar zxvf release-bundle.tar.gz -
Install the Config Connector operator on your cluster.
kubectl apply -f operator-system/configconnector-operator.yaml -
Configure the Config Connector operator.
-
Copy the following YAML into a file named
configconnector.yaml:# configconnector.yaml apiVersion : core.cnrm.cloud.google.com/v1beta1 kind : ConfigConnector metadata : # the name is restricted to ensure that there is only one # ConfigConnector resource installed in your cluster name : configconnector.core.cnrm.cloud.google.com spec : mode : cluster googleServiceAccount : " KF_SERVICE_ACCOUNT_NAME " # Replace with the full service account resolved from ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}. iam.gserviceaccount.com
-
Apply the configuration to your cluster.
kubectl apply -f configconnector.yaml
-
-
Verify Config Connector is fully installed before continuing.
-
Config Connector runs all of its components in a namespace named
cnrm-system. Verify the Pods are ready by running the following command:kubectl wait -n cnrm-system --for=condition=Ready pod --all
-
If Config Connector is installed correctly, expect to see output similar to the following:
pod/cnrm-controller-manager-0 condition met pod/cnrm-deletiondefender-0 condition met pod/cnrm-resource-stats-recorder-86858dcdc5-6lqzb condition met pod/cnrm-webhook-manager-58c799b8fb-kcznq condition met pod/cnrm-webhook-manager-58c799b8fb-n2zpx condition met
-
-
Setup Workload Identity.
kubectl annotate serviceaccount \ --namespace cnrm-system \ --overwrite \ cnrm-controller-manager \ iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
-
-
Install Tekton:
kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml"
Install Kf
-
Install the Kf CLI:
Linux
This command installs the Kf CLI for all users on the system. Follow the instructions in the Cloud Shell tab to install it just for yourself.
gcloud storage cp gs://kf-releases/v2.11.28/kf-linux /tmp/kfchmod a+x /tmp/kfsudo mv /tmp/kf /usr/local/bin/kfMac
This command installs
kffor all users on the system.gcloud storage cp gs://kf-releases/v2.11.28/kf-darwin /tmp/kfchmod a+x /tmp/kfsudo mv /tmp/kf /usr/local/bin/kfCloud Shell
This command installs
kfon your Cloud Shell instance if you usebash, the instructions may need to be modified for other shells.mkdir -p ~/bingcloud storage cp gs://kf-releases/v2.11.28/kf-linux ~/bin/kfchmod a+x ~/bin/kfecho "export PATH= $HOME /bin: $PATH " >> ~/.bashrcsource ~/.bashrcWindows
This command downloads
kfto current directory. Add it to the path if you want to call if from anywhere other than the current directory.gcloud storage cp gs://kf-releases/v2.11.28/kf-windows.exe kf.exe -
Install the operator:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.11.28/operator.yaml"
-
Configure the operator for Kf:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.11.28/kfsystem.yaml"
-
Setup secrets and defaults:
export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME} kubectl patch \ kfsystem kfsystem \ --type='json' \ -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry': '${CONTAINER_REGISTRY}', 'secrets':{'workloadidentity':{'googleserviceaccount':'${CLUSTER_NAME}-sa', 'googleprojectid':'${CLUSTER_PROJECT_ID}'}}}}}]"
Validate installation
kf doctor --retries=20
Clean up
These steps should remove all the components created in the Create and prepare a new GKE cluster section.
-
Delete Google Service Account:
gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com -
Delete IAM policy bindings:
gcloud projects remove-iam-policy-binding ${ CLUSTER_PROJECT_ID } \ --member = "serviceAccount: ${ CLUSTER_NAME } -sa@ ${ CLUSTER_PROJECT_ID } .iam.gserviceaccount.com" \ --role = "roles/iam.serviceAccountAdmin"gcloud projects remove-iam-policy-binding ${ CLUSTER_PROJECT_ID } \ --member = "serviceAccount: ${ CLUSTER_NAME } -sa@ ${ CLUSTER_PROJECT_ID } .iam.gserviceaccount.com" \ --role = "roles/monitoring.metricWriter" -
Delete container image repository:
gcloud artifacts repositories delete ${CLUSTER_NAME} \ --location=${COMPUTE_REGION} -
Uninstall Kf:
kubectl patch kfsystem kfsystem \ --type = 'json' \ -p = "[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': false, }}]" -
(Optional) Delete GKE cluster:
gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}
