Google Cloud service account notes
Most of these notes were created from configuring the kube-cert-manager.
setting up Google Cloud SDK (gcloud config)
This first section touches upon configuring Google Cloud, the Google Cloud SDK, and the GKE cluster.
- Create an example project in Google Cloud, then configure your gcloud CLI:
gcloud config configurations create EXAMPLE
gcloud config set project EXAMPLE-123456
gcloud config set account youremail@example.org
creating the GKE cluster
- With the Google Cloud account set up and the Google Cloud SDK installed and configured, create a Kubernetes cluster. This can be done through the GUI or the CLI. Example:
gcloud beta container --project "EXAMPLE-123456" clusters create "CLUSTER" --zone "us-east1-b" --username="admin" --cluster-version "1.8.4-gke.1" --machine-type "n1-standard-1" --image-type "COS" --disk-size "100" --scopes "https://www.googleapis.com/auth/compute","https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --num-nodes "3" --network "default" --enable-cloud-logging --enable-cloud-monitoring --subnetwork "default" --enable-autoupgrade
Note the project name, cluster name, machine-type, and num-nodes. Modify accordingly.
- Create and wait a few minutes…
- Once finished, you’ll want to configure kubectl:
gcloud container clusters get-credentials CLUSTER --zone us-east1-b --project EXAMPLE-123456
If all goes well, you should see a few default pods that Google runs, like so:
➜ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system event-exporter-v0.1.7-7cb7c5d4bf-l5b8p 2/2 Running 0 17m
kube-system fluentd-gcp-v2.0.9-gp2l8 2/2 Running 0 17m
kube-system fluentd-gcp-v2.0.9-skh4j 2/2 Running 0 17m
kube-system fluentd-gcp-v2.0.9-wlqxs 2/2 Running 0 17m
kube-system heapster-v1.4.3-6d67c7bb7b-v6rgh 3/3 Running 0 16m
kube-system kube-dns-778977457c-7q79z 3/3 Running 0 17m
kube-system kube-dns-778977457c-h2jst 3/3 Running 0 16m
kube-system kube-dns-autoscaler-7db47cb9b7-zgcrx 1/1 Running 0 17m
kube-system kube-proxy-gke-littlefluffyclouds-default-pool-e0870748-57dh 1/1 Running 0 17m
kube-system kube-proxy-gke-littlefluffyclouds-default-pool-e0870748-jdrs 1/1 Running 0 17m
kube-system kube-proxy-gke-littlefluffyclouds-default-pool-e0870748-x5cf 1/1 Running 0 17m
kube-system kubernetes-dashboard-76c679977c-l7k45 1/1 Running 0 17m
kube-system l7-default-backend-6497bcdb4d-qtthn 1/1 Running 0 17m
- If you want full control over the cluster you can add cluster admin to it (this shouldn’t be necessary for this demo, but useful for other things such as Prometheus):
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=youremail@example.org
configuring a service account for kube-cert-manager
The kube-cert-manager needs DNS admin access to the Google Cloud DNS API so that it can answer the Let's Encrypt DNS challenge.
- Create an IAM service account:
gcloud --project EXAMPLE-123456 iam service-accounts create kube-cert-manager --display-name "kube-cert-manager"
gcloud --project EXAMPLE-123456 iam service-accounts keys create ~/.config/kube-cert-manager.json --iam-account kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com
gcloud --project EXAMPLE-123456 projects add-iam-policy-binding EXAMPLE-123456 --member serviceAccount:kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com --role roles/dns.admin
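Once the binding and key exist, it is worth verifying that the service account holds only roles/dns.admin and that the downloaded key file is not group- or world-readable. The check below is an added example, not part of the original notes or of kube-cert-manager: it reuses the member and role from the commands above, and the policy JSON is a constructed sample in the shape of `gcloud projects get-iam-policy EXAMPLE-123456 --format=json` output (with an extra roles/owner binding so there is something to flag).

```python
import json
import os
import stat
import tempfile

# Values taken from the service-account commands above.
MEMBER = "serviceAccount:kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com"
EXPECTED_ROLES = {"roles/dns.admin"}

# Constructed sample of `gcloud projects get-iam-policy EXAMPLE-123456 --format=json`;
# the extra roles/owner binding is deliberate so the audit has something to flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/dns.admin", "members": [MEMBER]},
        {"role": "roles/owner", "members": ["user:youremail@example.org", MEMBER]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:other@EXAMPLE-123456.iam.gserviceaccount.com"]},
    ],
    "etag": "CONSTRUCTED-ETAG",
    "version": 1,
})

def roles_for_member(policy_json, member):
    """Return the set of project-level roles bound to `member`."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def excess_roles(policy_json, member, expected=EXPECTED_ROLES):
    """Roles the member holds beyond what kube-cert-manager needs (DNS admin)."""
    return roles_for_member(policy_json, member) - expected

def key_file_is_private(path):
    """True if the downloaded JSON key is readable by its owner only (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def check_key_permissions_demo():
    """Create a throwaway file and run the permission check at mode 0600, then 0644."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        private = key_file_is_private(path)
        os.chmod(path, 0o644)
        shared = key_file_is_private(path)
    finally:
        os.remove(path)
    return private, shared
```

Against a real project, feed the output of the `get-iam-policy` command to `excess_roles` and point `key_file_is_private` at `~/.config/kube-cert-manager.json`; anything returned by `excess_roles` is a binding to remove before handing the key to the cluster.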