Prerequisites
Overview
GKE cluster requirements.
(Optional, but recommended) Dedicate the cluster to Kf. We recommend installing only Kf and its dependencies so that the compatibility matrix is maintained.
At least four nodes. If you need to add nodes, see Resizing a cluster.
A minimum machine type with at least four vCPUs, such as e2-standard-4. If the cluster's machine type does not have at least four vCPUs, change the machine type as described in Migrating workloads to different machine types.
(Optional, but recommended) Enroll the cluster in a release channel. If you have a static GKE version, follow the instructions in Enrolling an existing cluster in a release channel.
Workload Identity enabled.
Kf requirements. The dependency matrix lists the specific versions.
Tekton: used by Kf. This is not a user-facing service.
A dedicated Google service account.
Enable support for Compute Engine
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.
Enable support for Artifact Registry
- Enable the Artifact Registry API.
Enable and configure GKE
Before you start, make sure that you have performed the following tasks:
- Enable the Google Kubernetes Engine API.
- If you want to use the Google Cloud CLI for this task, install and initialize the gcloud CLI. If you previously installed the gcloud CLI, run gcloud components update to get the latest version.
Prepare a new GKE cluster and related services
Set environment variables
Linux and Mac
export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE} # Replace ZONE with REGION to switch
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default
Windows PowerShell
Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name COMPUTE_ZONE -Value us-central1-a
Set-Variable -Name COMPUTE_REGION -Value us-central1
Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE # Replace ZONE with REGION to switch
Set-Variable -Name NODE_COUNT -Value 4
Set-Variable -Name MACHINE_TYPE -Value e2-standard-4
Set-Variable -Name NETWORK -Value default
Service account setup
Create a GCP service account (GSA) that is associated with a Kubernetes service account through Workload Identity. This avoids creating and injecting service account keys.
Create the service account that Kf will use.
gcloud iam service-accounts create ${CLUSTER_NAME}-sa \
  --project=${CLUSTER_PROJECT_ID} \
  --description="GSA for Kf ${CLUSTER_NAME}" \
  --display-name="${CLUSTER_NAME}"
Create a new custom IAM role.
gcloud iam roles create serviceAccountUpdater \
  --project=${CLUSTER_PROJECT_ID} \
  --title "Service Account Updater" \
  --description "This role only updates members on a GSA" \
  --permissions iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy
Allow the service account to modify its own policy. The Kf controller uses this to add new (name)spaces to the policy so that Workload Identity can be reused.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"
Grant the monitoring metrics role to allow write access to Cloud Monitoring.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"
Grant the logging role to allow write access to Cloud Logging.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"
Create the GKE cluster
gcloud container clusters create ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --zone=${CLUSTER_LOCATION} \
  --num-nodes=${NODE_COUNT} \
  --machine-type=${MACHINE_TYPE} \
  --disk-size "122" \
  --network=${NETWORK} \
  --addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
  --enable-dataplane-v2 \
  --enable-stackdriver-kubernetes \
  --enable-ip-alias \
  --enable-autorepair \
  --enable-autoupgrade \
  --scopes cloud-platform \
  --release-channel=regular \
  --workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
  --service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
Set up firewall rules
Kf requires some firewall ports to be open. The master node must be able to communicate with pods on ports 80, 443, 8080, 8443, and 6443.
Enable Workload Identity
Now that you have a service account and a GKE cluster, associate the cluster's identity namespace with the cluster.
gcloud iam service-accounts add-iam-policy-binding \
  --project=${CLUSTER_PROJECT_ID} \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]" \
  "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

gcloud iam service-accounts add-iam-policy-binding \
  --project=${CLUSTER_PROJECT_ID} \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
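As an added example (not part of the Kf documentation), a small Python audit of the GSA's Workload Identity bindings after the two commands above: it assumes the JSON shape printed by gcloud iam service-accounts get-iam-policy --format=json and runs on a constructed sample policy.

```python
import json

# The two Kubernetes service accounts this guide binds to the GSA as
# roles/iam.workloadIdentityUser (the kf controller and the Config
# Connector controller manager). The project id is filled in at run time.
EXPECTED_WI_MEMBERS = (
    "serviceAccount:{project}.svc.id.goog[kf/controller]",
    "serviceAccount:{project}.svc.id.goog[cnrm-system/cnrm-controller-manager]",
)

def audit_workload_identity(policy, project):
    """Audit a GSA IAM policy for Workload Identity drift.

    `policy` is a dict in the shape printed by
    `gcloud iam service-accounts get-iam-policy <gsa> --format=json`
    (assumed here: a top-level "bindings" list of {"role", "members"}).
    Returns the members holding roles/iam.workloadIdentityUser that this
    guide did not set up (identities able to act as the GSA) and the
    expected members that are missing (Kf or Config Connector would fail).
    """
    expected = {m.format(project=project) for m in EXPECTED_WI_MEMBERS}
    actual = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == "roles/iam.workloadIdentityUser":
            actual.update(binding.get("members", []))
    return {"unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual)}

# Constructed sample policy (not real gcloud output): the two expected
# bindings plus one extra KSA in the default namespace that nothing on
# this page added.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": [
       "serviceAccount:my-project.svc.id.goog[kf/controller]",
       "serviceAccount:my-project.svc.id.goog[cnrm-system/cnrm-controller-manager]",
       "serviceAccount:my-project.svc.id.goog[default/unknown-sa]"
     ]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

if __name__ == "__main__":
    report = audit_workload_identity(SAMPLE_POLICY, "my-project")
    for member in report["unexpected"]:
        print("UNEXPECTED workloadIdentityUser:", member)
    for member in report["missing"]:
        print("MISSING workloadIdentityUser:", member)
```

Because the custom serviceAccountUpdater role lets the Kf controller add bindings for new spaces, members beyond the two above will appear over time; reconcile that list against the spaces you actually created rather than treating every extra member as unexpected.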
Target the GKE cluster
Run the following command to configure kubectl command-line access:
gcloud container clusters get-credentials ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --zone=${CLUSTER_LOCATION}
Create an Artifact Registry repository
Create an Artifact Registry repository in which the container images will be stored.
gcloud artifacts repositories create ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --repository-format=docker \
  --location=${COMPUTE_REGION}
Grant the service account permission on the Artifact Registry repository.
gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --location=${COMPUTE_REGION} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role='roles/artifactregistry.writer'
Install software dependencies on the cluster
Install Cloud Service Mesh.
- Follow the Cloud Service Mesh installation guide.
Install Config Connector.
Download the required Config Connector Operator tar file.
Extract the tar file.
tar zxvf release-bundle.tar.gz
Install the Config Connector Operator on the cluster.
kubectl apply -f operator-system/configconnector-operator.yaml
Configure the Config Connector Operator.
Copy the following YAML into a file named configconnector.yaml:
# configconnector.yaml
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only one
  # ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "KF_SERVICE_ACCOUNT_NAME" # Replace with the full service account resolved from ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
Apply the configuration to your cluster.
kubectl apply -f configconnector.yaml
Verify that Config Connector is fully installed before continuing.
Config Connector runs all of its components in the cnrm-system namespace. Verify that the Pods are ready by running the following command:
kubectl wait -n cnrm-system --for=condition=Ready pod --all
If Config Connector is installed correctly, you should see output similar to the following:
pod/cnrm-controller-manager-0 condition met
pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-86858dcdc5-6lqzb condition met
pod/cnrm-webhook-manager-58c799b8fb-kcznq condition met
pod/cnrm-webhook-manager-58c799b8fb-n2zpx condition met
Set up Workload Identity.
kubectl annotate serviceaccount \
  --namespace cnrm-system \
  --overwrite \
  cnrm-controller-manager \
  iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
Install Tekton:
kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.23.0/release.yaml"
Install Kf
Install the Kf CLI:
Linux
This command installs the Kf CLI for all users on the system. Follow the instructions in the Cloud Shell tab to install it for yourself only.
gcloud storage cp gs://kf-releases/v2.5.4/kf-linux /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf
Mac
This command installs kf for all users on the system.
gcloud storage cp gs://kf-releases/v2.5.4/kf-darwin /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf
Cloud Shell
If you use bash, this command installs kf on your Cloud Shell instance; you may need to modify the instructions for other shells.
mkdir -p ~/bin
gcloud storage cp gs://kf-releases/v2.5.4/kf-linux ~/bin/kf
chmod a+x ~/bin/kf
echo "export PATH=$HOME/bin:$PATH" >> ~/.bashrc
source ~/.bashrc
Windows
This command downloads kf to the current directory. If you want to invoke it from anywhere other than the current directory, add it to your path.
gcloud storage cp gs://kf-releases/v2.5.4/kf-windows.exe kf.exe
Install the operator:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.5.4/operator.yaml"
Configure the operator for Kf:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.5.4/kfsystem.yaml"
Set up secrets and defaults:
export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME}
kubectl patch \
  kfsystem kfsystem \
  --type='json' \
  -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry': '${CONTAINER_REGISTRY}', 'secrets':{'workloadidentity':{'googleserviceaccount':'${CLUSTER_NAME}-sa', 'googleprojectid':'${CLUSTER_PROJECT_ID}'}}}}}]"
Verify the installation
kf doctor --retries=20
Clean up
These steps should remove all components created in the Prepare a new GKE cluster and related services section.
Delete the Google service account:
gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
Delete the IAM policy bindings:
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/storage.admin"

gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountAdmin"

gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"
Delete the container image repository:
gcloud artifacts repositories delete ${CLUSTER_NAME} \
  --location=${COMPUTE_REGION}
Delete the GKE cluster:
gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}