...
Post upgrade steps to configure Kubernetes on GCP
| Anchor | ||||
|---|---|---|---|---|
|
Having a Dataproc with metastore is a prerequisite for configuring To configure Kubernetes on GCP, perform the following steps.
If using existing Service Account, execute Execute the following commands using the gcloud CLI to link the Kubernetes Service account to the IAM Service account.
Code Block gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]" gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"
In the above-mentioned commands, replace the following:
IAM_SA_NAME: a name for your new IAM service account.
IAM_SA_PROJECT_ID: the project ID for your IAM service account.
PROJECT_ID: your Google Cloud project ID.
Additionally, if using a shared Virtual Network, below roles and permissions are required on by Default service account of Kubernetes (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) on project of Shared Virtual Network
Compute Network User
kubernetes_role (create a custom role)
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.networks.updatePolicy
compute.subnetworks.get
container.hostServiceAgent.use
ยท Add the following roles to the existing IAM service account:
roles/iam.serviceAccountTokenCreator (Service Account Token Creator)
roles/container.developer (Kubernetes Engine Developer)
roles/container.clusterAdmin (Kubernetes Engine Cluster Admin)
Add the below permissions to Kyvos role
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
SSH on All Instances one by one and run the below commands-
sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates gnupg curl -y
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt-get update && sudo apt-get install google-cloud-cli -y
sudo apt-get install google-cloud-cli-gke-gcloud-auth-plugin
sudo apt-get install kubectl
To install the Google Cloud CLI on all Kyvos nodes, refer to Google documentation.
Create Kubernetes cluster using Deployment scripts.
Open Kyvos Manager, go to compute cluster, Click Kyvos Native.
Fill in the required inputs. Value provided to Worker Nodes Maximum Count should be same as you configured in templates. Click on Save.
On Kyvos Manager > Kyvos Properties screen, ensure that KYVOS_PROCESS_COMPUTE_SUBTYPE is K8S_COMPUTE_CLUSTER
...