Google Cloud service account notes

Most of these notes came out of configuring kube-cert-manager on GKE.

setting up Google Cloud SDK (gcloud config)

This first section touches upon configuring Google Cloud, the Google Cloud SDK, and the GKE cluster.

  • Create an example project in Google Cloud, then configure your gcloud CLI:
gcloud config configurations create EXAMPLE
gcloud config set project EXAMPLE-123456
gcloud config set account youremail@example.org

creating the GKE cluster

  • With the Google Cloud account set up and the Google Cloud SDK installed and configured, create a Kubernetes cluster. This can be done through the GUI or the CLI. Example:
gcloud beta container --project "EXAMPLE-123456" clusters create "CLUSTER" --zone "us-east1-b" --username="admin" --cluster-version "1.8.4-gke.1" --machine-type "n1-standard-1" --image-type "COS" --disk-size "100" --scopes "https://www.googleapis.com/auth/compute","https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --num-nodes "3" --network "default" --enable-cloud-logging --enable-cloud-monitoring --subnetwork "default" --enable-autoupgrade

Note the project name, cluster name, machine-type, and num-nodes, and adjust them for your environment.

  • Create the cluster and wait a few minutes…
  • Once it has finished, configure kubectl to talk to it:
gcloud container clusters get-credentials CLUSTER --zone us-east1-b --project EXAMPLE-123456

If all goes well, you should see the default pods that Google runs in kube-system, like so:

➜ kubectl  get pods --all-namespaces
NAMESPACE     NAME                                                           READY     STATUS    RESTARTS   AGE
kube-system   event-exporter-v0.1.7-7cb7c5d4bf-l5b8p                         2/2       Running   0          17m
kube-system   fluentd-gcp-v2.0.9-gp2l8                                       2/2       Running   0          17m
kube-system   fluentd-gcp-v2.0.9-skh4j                                       2/2       Running   0          17m
kube-system   fluentd-gcp-v2.0.9-wlqxs                                       2/2       Running   0          17m
kube-system   heapster-v1.4.3-6d67c7bb7b-v6rgh                               3/3       Running   0          16m
kube-system   kube-dns-778977457c-7q79z                                      3/3       Running   0          17m
kube-system   kube-dns-778977457c-h2jst                                      3/3       Running   0          16m
kube-system   kube-dns-autoscaler-7db47cb9b7-zgcrx                           1/1       Running   0          17m
kube-system   kube-proxy-gke-littlefluffyclouds-default-pool-e0870748-57dh   1/1       Running   0          17m
kube-system   kube-proxy-gke-littlefluffyclouds-default-pool-e0870748-jdrs   1/1       Running   0          17m
kube-system   kube-proxy-gke-littlefluffyclouds-default-pool-e0870748-x5cf   1/1       Running   0          17m
kube-system   kubernetes-dashboard-76c679977c-l7k45                          1/1       Running   0          17m
kube-system   l7-default-backend-6497bcdb4d-qtthn                            1/1       Running   0          17m
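A quick way to turn the "if all goes well" eyeball check above into something scriptable is to pipe the kubectl listing through a small awk filter that flags any pod that is not Running with all of its containers ready. This is an added example, not part of the original notes; the sample listings are constructed here in the same shape as the output above, and the only assumption is the column order kubectl uses for `get pods --all-namespaces` (NAMESPACE, NAME, READY, STATUS, RESTARTS, AGE).

```shell
#!/bin/sh
# Verify that every pod in a `kubectl get pods --all-namespaces` listing is
# Running with all of its containers ready (READY column reads n/n).
# Reads the listing from stdin, prints each pod that fails the check and
# returns 0 only when every pod is healthy. Pods in the Completed state
# (finished jobs) are accepted as-is.
check_pods_ready() {
    awk 'NR == 1 { next }                 # skip the header line
         $4 == "Completed" { next }       # finished jobs are fine
         {
             split($3, r, "/")            # READY column, e.g. 2/2
             if ($4 != "Running" || r[1] != r[2]) {
                 printf "NOT READY: %s/%s (%s %s)\n", $1, $2, $3, $4
                 bad++
             }
         }
         END { exit (bad > 0) }'
}

# Constructed sample of a healthy listing (same shape as kubectl output).
sample_healthy() {
cat <<'EOF'
NAMESPACE     NAME                                     READY     STATUS      RESTARTS   AGE
kube-system   kube-dns-778977457c-7q79z                3/3       Running     0          17m
kube-system   kube-proxy-gke-demo-default-pool-57dh    1/1       Running     0          17m
kube-system   one-off-job-abc12                        0/1       Completed   0          5m
EOF
}

# Constructed sample with one pod still starting and one crash-looping.
sample_unhealthy() {
cat <<'EOF'
NAMESPACE     NAME                                     READY     STATUS             RESTARTS   AGE
kube-system   kube-dns-778977457c-7q79z                2/3       Running            0          1m
kube-system   heapster-v1.4.3-6d67c7bb7b-v6rgh         0/3       CrashLoopBackOff   4          2m
EOF
}

# Against a live cluster (not run here):
#   kubectl get pods --all-namespaces | check_pods_ready
```

The filter is deliberately strict: a pod that is Running but only 2/3 ready is reported, because that is exactly the state kube-dns or fluentd sits in while a sidecar is still failing its readiness probe.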
  • If you want full control over the cluster, you can bind your account to the cluster-admin ClusterRole (this shouldn’t be necessary for this demo, but it is useful for other things such as Prometheus):
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=youremail@example.org

configuring a service account for kube-cert-manager

kube-cert-manager needs DNS admin access to the Google Cloud DNS API so that it can respond to the Let's Encrypt DNS challenge.

  • Create an IAM service account, download a JSON key for it, and grant it the DNS admin role on the project:
gcloud --project EXAMPLE-123456 iam service-accounts create kube-cert-manager --display-name "kube-cert-manager"
gcloud --project EXAMPLE-123456 iam service-accounts keys create ~/.config/kube-cert-manager.json --iam-account kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com
gcloud --project EXAMPLE-123456 projects add-iam-policy-binding EXAMPLE-123456 --member serviceAccount:kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com --role roles/dns.admin
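The `keys create` step above writes a long-lived private key to ~/.config/kube-cert-manager.json, and the `add-iam-policy-binding` step gives whoever holds that key roles/dns.admin over every zone in the project, so it is worth sanity-checking the file before it goes anywhere near a cluster secret. The check below is an added example, not part of the original notes or of kube-cert-manager: it confirms the file is owner-only, is a service_account key, and belongs to the account you actually bound, and it prints the key id that `gcloud iam service-accounts keys delete` takes if the key ever needs revoking. The sample key file is constructed here with the real field names of a gcloud JSON key but placeholder key material.

```shell
#!/bin/sh
# Hygiene check for a downloaded service-account key before mounting it into
# the cluster. Usage: check_sa_key FILE EXPECTED_CLIENT_EMAIL
# Returns 0 and prints the key id when every check passes; otherwise prints
# the first failure and returns 1.
check_sa_key() {
    keyfile=$1
    expected_email=$2

    [ -f "$keyfile" ] || { echo "missing key file: $keyfile"; return 1; }

    # Group/other permission bits from `ls -l` (columns 5-10 of the mode
    # string); anything other than "------" means other users can read the key.
    mode=$(ls -l "$keyfile" | cut -c5-10)
    [ "$mode" = "------" ] \
        || { echo "key file is group/world accessible: $mode"; return 1; }

    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$keyfile" \
        || { echo "not a service_account key"; return 1; }

    email=$(sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$keyfile")
    [ "$email" = "$expected_email" ] \
        || { echo "key belongs to '$email', expected '$expected_email'"; return 1; }

    # The key id is what `gcloud iam service-accounts keys delete` takes.
    sed -n 's/.*"private_key_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$keyfile"
}

# Constructed sample key file: real gcloud key field names, placeholder id and
# no usable private key material. Written owner-only via umask in a subshell.
write_sample_key() {
    outfile=$1
    (
        umask 077
        printf '%s\n' \
            '{' \
            '  "type": "service_account",' \
            '  "project_id": "EXAMPLE-123456",' \
            '  "private_key_id": "PLACEHOLDER_KEY_ID",' \
            '  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",' \
            '  "client_email": "kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com",' \
            '  "client_id": "000000000000000000000"' \
            '}' > "$outfile"
    )
}

# Against the real key from the notes (not run here):
#   check_sa_key ~/.config/kube-cert-manager.json \
#       kube-cert-manager@EXAMPLE-123456.iam.gserviceaccount.com
```

Keep the printed key id with the rest of your cluster notes: if the key or the secret it ends up in is ever exposed, deleting that key id on the service account invalidates the credential without having to tear down the account or its DNS role binding.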