GCP Configuration
GCP IAM
To create and manage GKE clusters, complete the following configuration in the GCP console:
- GCP Project
- IAM Policy
- Cloud Credentials
- Enable APIs
Step 1: GCP Project
Important: Skip this step if you want to use an existing GCP project.
- Log in to the GCP Console
- Click on IAM & Admin and select IAM
- Click Create Project
- Provide a project name and select an organization
- Browse for a required location and click Create
Step 2: IAM Policy
Create Service Account
- Click on IAM & Admin and select Service Accounts
- Click Create Service Account
- Provide a Service Account Name; the Service Account ID is generated automatically
- Optionally, provide a service account description and click Create and Continue
Add Roles to SAs
Add the following roles to the newly created service account:
- Compute Admin
- Kubernetes Engine Admin
- Service Account User
Click Continue
Grant User Access
Optionally, add one or more users to this service account and click Done.
On successful creation, the service account is listed in the table as shown below.
Step 3: JSON Credential
Once the service account is created:
- Select the service account from the list and click the Keys tab
- Click Add Key and select Create new Key
The JSON key type is selected by default.
- Click Create
On successful creation, the JSON key file is downloaded automatically. This file is used to create a Cloud Credential in the Controller for GKE lifecycle management.
Step 4: Enable APIs
Enable the following APIs in your Google Cloud project so that the controller can interact with GCP programmatically through GCP's APIs.
In the GCP Console,
- Click APIs & Services
- Click Enable APIs and Services
- Search for the following three APIs in the list and enable each of them:
- Compute Engine API
- Cloud Resource Manager API
- Kubernetes Engine API
Below is an example showing what this looks like for the Compute Engine API
Share VPC Network
A Shared Virtual Private Cloud (VPC) lets you connect resources from several projects to a central VPC network. With Shared VPC, you designate one project as the host project and attach one or more service projects (target projects) to it. The VPC networks in the host project are referred to as Shared VPC networks. During cluster provisioning, the Shared VPC network can be used by clusters in the target projects.
To share the VPC network, the user must have the compute.networks.get permission.
Below is an example of a host project, kr-test-200723, and the target project, demos.
Once the VPC network is shared, users can retrieve the Pod Secondary CIDR Range (Name) and Service Secondary CIDR Range (Name) from the Subnet details page as shown below.
Configuring Additional Roles for Service Accounts
When setting up clusters with a Shared VPC, the service accounts associated with the clusters must also hold the roles Compute Network User and Compute Security Admin in the host project.
To add these roles to the service account, run the gcloud projects add-iam-policy-binding command with the host project ID, the service account from the service project, and the role:
- Compute Network User
gcloud projects add-iam-policy-binding <host-project-id> --member=serviceAccount:<Service ACCOUNT in service project> --role=roles/compute.networkUser
- Compute Security Admin
gcloud projects add-iam-policy-binding <host-project-id> --member=serviceAccount:<Service ACCOUNT in service project> --role=roles/compute.securityAdmin
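The console steps in Steps 2 to 4 (service account, roles, JSON key, APIs) and the Shared VPC host-project bindings above can also be scripted with gcloud. The script below is an added example, not part of the original page; PROJECT_ID, HOST_PROJECT_ID, SA_NAME and KEY_FILE are placeholders, and with DRY_RUN=1 (the default) it only prints each gcloud command so the bindings can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not part of the original page: gcloud equivalents of Steps 2-4 and the
# Shared VPC host-project bindings. PROJECT_ID, HOST_PROJECT_ID and SA_NAME are placeholders;
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
PROJECT_ID="${PROJECT_ID:-my-service-project}"
HOST_PROJECT_ID="${HOST_PROJECT_ID:-my-host-project}"
SA_NAME="${SA_NAME:-gke-controller}"
DRY_RUN="${DRY_RUN:-1}"
# Role IDs behind the console names Compute Admin, Kubernetes Engine Admin, Service Account User
SA_ROLES="roles/compute.admin roles/container.admin roles/iam.serviceAccountUser"
# Additional roles the same service account needs in the Shared VPC host project
HOST_ROLES="roles/compute.networkUser roles/compute.securityAdmin"
APIS="compute.googleapis.com cloudresourcemanager.googleapis.com container.googleapis.com"

sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# bind_roles PROJECT "ROLE ..." : one binding per role, scoped to exactly that project
bind_roles() {
  email=$(sa_email "$SA_NAME" "$PROJECT_ID")
  for role in $2; do
    run gcloud projects add-iam-policy-binding "$1" --member "serviceAccount:$email" --role "$role"
  done
}
create_sa() { run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"; }
create_key() { run gcloud iam service-accounts keys create "$1" --iam-account "$(sa_email "$SA_NAME" "$PROJECT_ID")"; }
enable_apis() { run gcloud services enable $APIS --project "$PROJECT_ID"; }  # unquoted: one arg per API

# check_key FILE EMAIL: structural sanity check of the downloaded key before it is uploaded
# to the controller as a Cloud Credential; inspects fields only and never prints the private key.
check_key() {
  grep -q '"type": *"service_account"' "$1" || return 1
  grep -q "\"client_email\": *\"$2\"" "$1" || return 1
  grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$1" || return 1
}
# Offline self-test with a constructed key file (placeholder key material, not a real key)
selftest() {
  f=$(mktemp); email=$(sa_email "$SA_NAME" "$PROJECT_ID")
  printf '{\n  "type": "service_account",\n  "project_id": "%s",\n  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",\n  "client_email": "%s"\n}\n' "$PROJECT_ID" "$email" > "$f"
  if check_key "$f" "$email"; then rc=0; else rc=1; fi
  rm -f "$f"; return $rc
}

main() {
  create_sa; bind_roles "$PROJECT_ID" "$SA_ROLES"; enable_apis
  create_key "${KEY_FILE:-$SA_NAME-key.json}"
  bind_roles "$HOST_PROJECT_ID" "$HOST_ROLES"   # only needed when clusters use a Shared VPC
}
[ "${1:-}" = run ] && main
```

Run it as `sh gcp-setup.sh run` to print the commands, or with `DRY_RUN=0` to apply them. The JSON key is a long-lived credential that the console will not show again, so keep the file out of version control and out of shared storage.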
Reservation Affinity
Users can reserve Compute Engine instances in a specific zone to ensure that capacity is available for their workloads when needed. A reservation secures zonal capacity so that Compute Engine resources are readily available; with a capacity reservation, VMs start in less than 120 seconds. Each reservation guarantees capacity for one or more VMs with the same properties, and reserved resources are available immediately upon creation and persist until the reservation is deleted. For more information, visit this page.
Create Reservation
To create a reservation, perform the following steps in the Google Cloud Console.
- Select Compute Engine and the required project from the drop-down
- Select Reservation and click Create Reservation
- Provide a reservation name and optionally, a description
- Select a Region and Zone for reserving the capacity
- Select the reservation type based on the requirement:
- Local: A local reservation can only be applied to resources in the current project
- Shared: A shared reservation can be used for resources across multiple projects, across folders, or the entire organization. To use a shared reservation in a GKE cluster node pool configuration, specify the project ID with which the reservation is shared and the exact reservation name
- Select how to utilize this reservation when creating a VM instance, from the two (2) options:
- Specify the Number of VM instances to reserve capacity for. Here is an example with a count of 5, which reserves capacity for five instances
- Choose the VM instances configuration:
- Specify machine type: Choose from various machine types available
- Use instance template: Select the desired instance template from the drop-down menu
- Select the required Machine Type from the drop-down and click Create
Once the reservation is created, it is listed as depicted below:
NOTE: After a reservation has been created, the user can only edit the Number of VM instances, not any other details.
Users can use these VM reservations when adding the GKE cluster node pool configuration via the controller. A reservation can also be used by multiple clusters until its capacity limit is reached.