事前準備
GKE 叢集需求
建議使用專為 Kf 打造的叢集,但這並非必要條件。建議您只安裝 Kf 和其依附元件,確保相容性矩陣維持不變。
至少四個節點。如要新增節點,請參閱調整叢集大小。
至少有四個 vCPU 的最低機器類型,例如
e2-standard-4。如果叢集的機型沒有至少四個 vCPU,請按照「將工作負載遷移至其他機型」一文的說明變更機型。建議您在發布管道中註冊叢集 (選用)。如果使用靜態 GKE 版本,請按照「在發布版本中註冊現有叢集」一文中的操作說明進行。
已啟用 Workload Identity。
Kf 需求
在「Kf 依附元件和架構」頁面中,查看並瞭解 Kf 元件的存取權。
供 Kf 使用的 Tekton,這項服務不對使用者開放
專屬的 Google 服務帳戶
啟用 Compute Engine 支援
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- 啟用 Compute Engine API。
- 啟用 Artifact Registry API。
- 啟用 Google Kubernetes Engine API。 啟用 Google Kubernetes Engine API
- 如要使用 Google Cloud CLI 執行這項工作,請安裝並初始化 gcloud CLI。如果您先前已安裝 gcloud CLI,請執行
gcloud components update,取得最新版本。 建立 Kf 將使用的服務帳戶。
gcloud iam service-accounts create ${CLUSTER_NAME}-sa \ --project=${CLUSTER_PROJECT_ID} \ --description="GSA for Kf ${CLUSTER_NAME}" \ --display-name="${CLUSTER_NAME}"建立新的自訂 IAM 角色。
gcloud iam roles create serviceAccountUpdater \ --project=${CLUSTER_PROJECT_ID} \ --title "Service Account Updater" \ --description "This role only updates members on a GSA" \ --permissions iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy允許服務帳戶修改自己的政策。Kf 控制器會使用這個項目,在政策中新增 (名稱) 空間,以便重複使用 Workload Identity。
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"授予監控指標角色,取得 Cloud Monitoring 的寫入存取權。
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/monitoring.metricWriter"授予記錄角色,取得 Cloud Logging 的寫入權限。
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/logging.logWriter"建立 Artifact Registry 存放區,用於儲存容器映像檔。
gcloud artifacts repositories create ${CLUSTER_NAME} \ --project=${CLUSTER_PROJECT_ID} \ --repository-format=docker \ --location=${COMPUTE_REGION}授予服務帳戶 Artifact Registry 存放區的權限。
gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \ --project=${CLUSTER_PROJECT_ID} \ --location=${COMPUTE_REGION} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role='roles/artifactregistry.writer'安裝 Cloud Service Mesh v1.23.3-asm.1+config1。
- 請按照 Cloud Service Mesh 安裝指南操作,包括建立 Ingress 閘道的步驟。
安裝 Config Connector。
下載所需的 Config Connector Operator tar 檔案。
解壓縮 tar 檔案。
tar zxvf release-bundle.tar.gz在叢集上安裝 Config Connector 運算子。
kubectl apply -f operator-system/configconnector-operator.yaml設定 Config Connector 運算子。
將下列 YAML 複製到名為
完整解析的服務帳戶configconnector.yaml的檔案中:# configconnector.yaml apiVersion: core.cnrm.cloud.google.com/v1beta1 kind: ConfigConnector metadata: # the name is restricted to ensure that there is only one # ConfigConnector resource installed in your cluster name: configconnector.core.cnrm.cloud.google.com spec: mode: cluster googleServiceAccount: "KF_SERVICE_ACCOUNT_NAME" # Replace with the full service account resolved from ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
將設定套用至叢集。
kubectl apply -f configconnector.yaml
請先確認 Config Connector 已完整安裝,再繼續操作。
Config Connector 會在名為
cnrm-system的命名空間中執行所有元件。執行下列指令,確認 Pod 已準備就緒:kubectl wait -n cnrm-system --for=condition=Ready pod --all
如果 Config Connector 安裝正確,您應該會看到類似以下的輸出內容:
pod/cnrm-controller-manager-0 condition met pod/cnrm-deletiondefender-0 condition met pod/cnrm-resource-stats-recorder-86858dcdc5-6lqzb condition met pod/cnrm-webhook-manager-58c799b8fb-kcznq condition met pod/cnrm-webhook-manager-58c799b8fb-n2zpx condition met
設定 Workload Identity。
kubectl annotate serviceaccount \ --namespace cnrm-system \ --overwrite \ cnrm-controller-manager \ iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
安裝 Tekton:
kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml"
安裝 Kf CLI:
Linux
這項指令會為系統上的所有使用者安裝 Kf CLI。按照「Cloud Shell」分頁中的操作說明,為自己安裝。
gcloud storage cp gs://kf-releases/v2.11.28/kf-linux /tmp/kfchmod a+x /tmp/kfsudo mv /tmp/kf /usr/local/bin/kfMac
這項指令會為系統上的所有使用者安裝
kf。gcloud storage cp gs://kf-releases/v2.11.28/kf-darwin /tmp/kfchmod a+x /tmp/kfsudo mv /tmp/kf /usr/local/bin/kfCloud Shell
如果您使用
bash,這個指令會在 Cloud Shell 執行個體上安裝kf。如果是其他殼層,可能需要修改指令。mkdir -p ~/bingcloud storage cp gs://kf-releases/v2.11.28/kf-linux ~/bin/kfchmod a+x ~/bin/kfecho "export PATH=$HOME/bin:$PATH" >> ~/.bashrcsource ~/.bashrcWindows
這項指令會將
kf下載至目前目錄。如要從目前目錄以外的任何位置呼叫,請將其新增至路徑。gcloud storage cp gs://kf-releases/v2.11.28/kf-windows.exe kf.exe安裝運算子:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.11.28/operator.yaml"
設定 Kf 的運算子:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.11.28/kfsystem.yaml"
設定密鑰和預設值:
export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME} kubectl patch \ kfsystem kfsystem \ --type='json' \ -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry': '${CONTAINER_REGISTRY}', 'secrets':{'workloadidentity':{'googleserviceaccount':'${CLUSTER_NAME}-sa', 'googleprojectid':'${CLUSTER_PROJECT_ID}'}}}}}]"刪除 Google 服務帳戶:
gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com刪除 IAM 政策繫結:
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/iam.serviceAccountAdmin"gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/monitoring.metricWriter"刪除容器映像檔存放區:
gcloud artifacts repositories delete ${CLUSTER_NAME} \ --location=${COMPUTE_REGION}解除安裝 Kf:
kubectl patch kfsystem kfsystem \ --type='json' \ -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': false, }}]"(選用) 刪除 GKE 叢集:
gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}
啟用 Artifact Registry 支援
啟用及設定 GKE
開始之前,請確認你已完成下列工作:
準備新的 GKE 叢集和相關服務
設定環境變數
Linux 與 Mac
export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE} # Replace ZONE with REGION to switch
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default
Windows PowerShell
Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID Set-Variable -Name CLUSTER_NAME -Value kf-cluster Set-Variable -Name COMPUTE_ZONE -Value us-central1-a Set-Variable -Name COMPUTE_REGION -Value us-central1 Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE # Replace ZONE with REGION to switch Set-Variable -Name NODE_COUNT -Value 4 Set-Variable -Name MACHINE_TYPE -Value e2-standard-4 Set-Variable -Name NETWORK -Value default
設定服務帳戶
建立 Google Cloud 服務帳戶,該帳戶會透過 Workload Identity 與 Kubernetes 服務帳戶建立關聯。這樣就不必建立及插入服務帳戶金鑰。
建立 GKE 叢集
gcloud container clusters create ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION} \
--num-nodes=${NODE_COUNT} \
--machine-type=${MACHINE_TYPE} \
--disk-size "122" \
--network=${NETWORK} \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-dataplane-v2 \
--enable-stackdriver-kubernetes \
--enable-ip-alias \
--enable-autorepair \
--enable-autoupgrade \
--scopes cloud-platform \
--release-channel=regular \
--workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
--service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"設定防火牆規則
Kf 需要開啟部分防火牆通訊埠。主節點必須能透過通訊埠 80、443、8080、8443 和 6443 與 Pod 通訊。
啟用 Workload Identity
現在您已擁有服務帳戶和 GKE 叢集,請將叢集的 ID 命名空間與叢集建立關聯。
gcloud iam service-accounts add-iam-policy-binding \
--project=${CLUSTER_PROJECT_ID} \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]" \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
gcloud iam service-accounts add-iam-policy-binding \
--project=${CLUSTER_PROJECT_ID} \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"目標 GKE 叢集
執行下列指令,設定 kubectl 指令列存取權。
gcloud container clusters get-credentials ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION}建立 Artifact Registry 存放區
在叢集上安裝軟體依附元件
安裝 Kf
驗證安裝
kf doctor --retries=20
清除所用資源
這些步驟應會移除「建立及準備新的 GKE 叢集」一節中建立的所有元件。