Install Kf

This page describes how to set up a GKE cluster and then install Kf and its dependencies.

Before you begin

Overview

GKE cluster requirements

  • A cluster dedicated to Kf is recommended but not required. Install only Kf and its dependencies on it so that the compatibility matrix stays intact.

  • At least four nodes. To add nodes, see Resizing a cluster.

  • A machine type with at least four vCPUs, such as e2-standard-4. If the cluster's machine type does not have at least four vCPUs, change it by following Migrating workloads to different machine types.

  • Enrolling the cluster in a release channel is recommended but optional. If you use a static GKE version, follow the instructions in Enrolling an existing cluster in a release channel.

  • Workload Identity enabled.

Kf requirements: the dependency matrix lists the specific versions.

Enable Compute Engine support

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine API.

    Enable API

Enable Artifact Registry support

  1. Enable the Artifact Registry API.

    Enable Artifact Registry API

    Enable and set up GKE

    Before you start, make sure that you have completed the following tasks:

    • Enable the Google Kubernetes Engine API.

      Enable Google Kubernetes Engine API

    • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.

    Set up environment variables

    Linux and Mac

    export PROJECT_ID=YOUR_PROJECT_ID
    export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
    export CLUSTER_NAME=kf-cluster
    export COMPUTE_ZONE=us-central1-a
    export COMPUTE_REGION=us-central1
    export CLUSTER_LOCATION=${COMPUTE_ZONE} # Replace ZONE with REGION to switch
    export NODE_COUNT=4
    export MACHINE_TYPE=e2-standard-4
    export NETWORK=default
    

    Windows PowerShell

    Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
    Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
    Set-Variable -Name CLUSTER_NAME -Value kf-cluster
    Set-Variable -Name COMPUTE_ZONE -Value us-central1-a
    Set-Variable -Name COMPUTE_REGION -Value us-central1
    Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE # Replace ZONE with REGION to switch
    Set-Variable -Name NODE_COUNT -Value 4
    Set-Variable -Name MACHINE_TYPE -Value e2-standard-4
    Set-Variable -Name NETWORK -Value default
    

    Set up the service account

    Create a Google Cloud service account (GSA) and associate it with a Kubernetes service account through Workload Identity. This removes the need to create and inject service account keys.

    1. Create the service account that Kf will use.

      gcloud iam service-accounts create ${CLUSTER_NAME}-sa \
      --project=${CLUSTER_PROJECT_ID} \
      --description="GSA for Kf ${CLUSTER_NAME}" \
      --display-name="${CLUSTER_NAME}"
    2. Create a new custom IAM role.

      gcloud iam roles create serviceAccountUpdater \
      --project=${CLUSTER_PROJECT_ID} \
      --title "Service Account Updater" \
      --description "This role only updates members on a GSA" \
      --permissions iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy
    3. Allow the service account to modify its own policy. The Kf controller uses this to add the Kubernetes service account of each new space (namespace) to the policy so that Workload Identity can be reused. Note that this binding is made at the project level, so the role's iam.serviceAccounts.setIamPolicy permission applies to every service account in the project, not only to ${CLUSTER_NAME}-sa. If the project hosts other service accounts, bind the role on the service account resource itself (gcloud iam service-accounts add-iam-policy-binding) instead.

      gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"
    4. Grant the monitoring metric writer role for write access to Cloud Monitoring.

      gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role="roles/monitoring.metricWriter"
    5. Grant the logging log writer role for write access to Cloud Logging.

      gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role="roles/logging.logWriter"

    Create the GKE cluster

    The command below uses ${CLUSTER_NAME}-sa both as the node service account and, through the workload pool, as the Workload Identity target. Anything that reaches the underlying Compute Engine metadata server on a node (for example a hostNetwork Pod) can obtain tokens for this account, so keep its roles limited to the ones granted above.

    gcloud container clusters create ${CLUSTER_NAME} \
      --project=${CLUSTER_PROJECT_ID} \
      --zone=${CLUSTER_LOCATION} \
      --num-nodes=${NODE_COUNT} \
      --machine-type=${MACHINE_TYPE} \
      --disk-size "122" \
      --network=${NETWORK} \
      --addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
      --enable-dataplane-v2 \
      --enable-stackdriver-kubernetes \
      --enable-ip-alias \
      --enable-autorepair \
      --enable-autoupgrade \
      --scopes cloud-platform \
      --release-channel=regular \
      --workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
      --service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

    Set up firewall rules

    Kf requires some firewall ports to be open. The control plane must be able to reach Pods on ports 80, 443, 8080, 8443 and 6443. The rule that GKE creates automatically for the control plane (gke-CLUSTER-HASH-master) only allows TCP 443 and 10250 from the control plane's address range, so the remaining ports need a rule of your own.
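The check below, an added example that is not part of the Kf documentation or the Kf project, evaluates the output of `gcloud compute firewall-rules list --format=json` against the port requirement above using VPC firewall semantics (only INGRESS rules whose source ranges contain the control-plane range and whose target tags include the node tag apply; among those the lowest priority number wins; no applicable rule means the implied ingress deny). The control-plane range 172.16.0.0/28, the node tag gke-kf-cluster-node and the three sample rules are constructed for the example.

```python
"""Report which of the ports Kf needs the GKE control plane cannot reach on the nodes."""
import ipaddress

REQUIRED_PORTS = (80, 443, 8080, 8443, 6443)
CONTROL_PLANE_RANGE = ipaddress.ip_network("172.16.0.0/28")  # assumed control-plane CIDR
NODE_TAG = "gke-kf-cluster-node"                             # assumed node network tag


def port_set(spec):
    """Expand a gcloud port spec such as ['80', '8080-8443']; None means every port."""
    if "ports" not in spec:
        return None
    out = set()
    for item in spec["ports"]:
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def rule_applies(rule, port, src, tag):
    """True if the rule's scope matches TCP traffic from `src` to instances tagged `tag` on `port`."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    sources = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
    if not any(s.version == src.version and src.subnet_of(s) for s in sources):
        return False
    tags = rule.get("targetTags")
    if tags and tag not in tags:  # no targetTags: the rule applies to every instance in the network
        return False
    for spec in rule.get("allowed", []) + rule.get("denied", []):
        if spec.get("IPProtocol", "").lower() in ("tcp", "all"):
            ports = port_set(spec)
            if ports is None or port in ports:
                return True
    return False


def port_allowed(rules, port, src=CONTROL_PLANE_RANGE, tag=NODE_TAG):
    """Lowest priority value among applicable rules decides; nothing applicable is the implied deny."""
    applicable = sorted((r for r in rules if rule_applies(r, port, src, tag)),
                        key=lambda r: r.get("priority", 1000))
    return bool(applicable) and "allowed" in applicable[0]


def missing_ports(rules, required=REQUIRED_PORTS, src=CONTROL_PLANE_RANGE, tag=NODE_TAG):
    """Required ports the control plane cannot reach; an empty list means Kf's requirement is met."""
    return [p for p in required if not port_allowed(rules, p, src, tag)]


# Constructed rules: the one GKE creates for the control plane (443 and 10250), a rule an
# operator added for the webhook ports, and a broad deny on 6443 that wins over the
# later allow because its priority number is lower.
SAMPLE_RULES = [
    {"name": "gke-kf-cluster-1a2b3c4d-master", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["172.16.0.0/28"], "targetTags": ["gke-kf-cluster-node"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443", "10250"]}]},
    {"name": "kf-webhooks-from-control-plane", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["172.16.0.0/28"], "targetTags": ["gke-kf-cluster-node"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "8080-8443", "6443"]}]},
    {"name": "deny-6443-everywhere", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["6443"]}]},
]

if __name__ == "__main__":
    print("ports the control plane cannot reach:", missing_ports(SAMPLE_RULES))
```

Run it against real output by loading the JSON from `gcloud compute firewall-rules list --format=json` and passing the list to `missing_ports` together with your cluster's control-plane range and node tag; the sample run reports 6443 because the higher-priority deny overrides the allow.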

    Enable Workload Identity

    Now that you have a service account and a GKE cluster, allow the Kubernetes service accounts in the cluster's workload pool that Kf and Config Connector run as (kf/controller and cnrm-system/cnrm-controller-manager) to impersonate the GSA.

    gcloud iam service-accounts add-iam-policy-binding \
      --project=${CLUSTER_PROJECT_ID} \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]" \
      "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
    
    gcloud iam service-accounts add-iam-policy-binding \
      --project=${CLUSTER_PROJECT_ID} \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
      "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
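The audit below is an added example (not code from the Kf documentation or the Kf project) that covers both the service account setup and the Workload Identity bindings above. It consumes the JSON printed by `gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} --format=json`, `gcloud iam roles describe serviceAccountUpdater --project=${CLUSTER_PROJECT_ID} --format=json` and `gcloud iam service-accounts get-iam-policy GSA --format=json`, and reports anything beyond what the procedure grants: extra project roles on the GSA, extra permissions in the custom role, and principals other than the two expected Kubernetes service accounts that may act as the GSA. The project id my-kf-project and the sample policy documents (including the stale roles/storage.admin binding and the member from another project's workload pool) are constructed so the script runs offline.

```python
"""Least-privilege audit of the IAM bindings created for the Kf service account."""
import json
import sys

PROJECT = "my-kf-project"   # assumed value of CLUSTER_PROJECT_ID
CLUSTER = "kf-cluster"      # CLUSTER_NAME from the procedure
GSA = f"{CLUSTER}-sa@{PROJECT}.iam.gserviceaccount.com"
POOL = f"{PROJECT}.svc.id.goog"

EXPECTED_PROJECT_ROLES = {
    f"projects/{PROJECT}/roles/serviceAccountUpdater",
    "roles/monitoring.metricWriter",
    "roles/logging.logWriter",
}
EXPECTED_CUSTOM_PERMS = {
    "iam.serviceAccounts.get", "iam.serviceAccounts.getIamPolicy",
    "iam.serviceAccounts.list", "iam.serviceAccounts.setIamPolicy",
}
# Kubernetes service accounts (namespace/name) bound with roles/iam.workloadIdentityUser.
# The Kf controller adds one more per space it creates; extend this set as spaces appear.
EXPECTED_KSAS = {"kf/controller", "cnrm-system/cnrm-controller-manager"}


def roles_for_member(policy, member):
    """Set of roles bound to `member` in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_project_policy(policy, gsa=GSA):
    """Project-level roles on the GSA that are missing, or that the procedure never granted."""
    have = roles_for_member(policy, f"serviceAccount:{gsa}")
    findings = [f"missing role {r}" for r in sorted(EXPECTED_PROJECT_ROLES - have)]
    findings += [f"unexpected role {r}" for r in sorted(have - EXPECTED_PROJECT_ROLES)]
    return findings


def audit_custom_role(role):
    """Permissions in the custom role beyond the four needed to update a GSA's policy."""
    perms = set(role.get("includedPermissions", []))
    findings = [f"custom role lacks {p}" for p in sorted(EXPECTED_CUSTOM_PERMS - perms)]
    findings += [f"custom role over-grants {p}" for p in sorted(perms - EXPECTED_CUSTOM_PERMS)]
    return findings


def audit_workload_identity(sa_policy, pool=POOL):
    """Principals allowed to act as the GSA; only the expected KSAs of this cluster's pool pass."""
    findings = []
    prefix = f"serviceAccount:{pool}["
    for binding in sa_policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role != "roles/iam.workloadIdentityUser":
                findings.append(f"{member} holds {role} on the GSA")
            elif not (member.startswith(prefix) and member.endswith("]")):
                findings.append(f"{member} is outside workload pool {pool}")
            elif member[len(prefix):-1] not in EXPECTED_KSAS:
                findings.append(f"unexpected Kubernetes service account {member[len(prefix):-1]}")
    return findings


def run_audit(project_policy, custom_role, sa_policy):
    """All findings from the three documents; empty means the bindings match the procedure."""
    return (audit_project_policy(project_policy) + audit_custom_role(custom_role)
            + audit_workload_identity(sa_policy))


# Constructed sample documents in the shape gcloud prints (not real output).
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": f"projects/{PROJECT}/roles/serviceAccountUpdater", "members": [f"serviceAccount:{GSA}"]},
    {"role": "roles/monitoring.metricWriter", "members": [f"serviceAccount:{GSA}"]},
    {"role": "roles/logging.logWriter", "members": [f"serviceAccount:{GSA}"]},
    # left over from an older setup: far more than writer on one Artifact Registry repository
    {"role": "roles/storage.admin", "members": [f"serviceAccount:{GSA}", "user:alice@example.com"]},
]}
SAMPLE_CUSTOM_ROLE = {"name": f"projects/{PROJECT}/roles/serviceAccountUpdater",
                      "includedPermissions": sorted(EXPECTED_CUSTOM_PERMS)}
SAMPLE_SA_POLICY = {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
    f"serviceAccount:{POOL}[kf/controller]",
    f"serviceAccount:{POOL}[cnrm-system/cnrm-controller-manager]",
    "serviceAccount:other-project.svc.id.goog[kf/controller]",  # another project's cluster
]}]}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # paths to the three gcloud JSON outputs, in the order above
        docs = [json.load(open(p)) for p in sys.argv[1:]]
    else:
        docs = [SAMPLE_PROJECT_POLICY, SAMPLE_CUSTOM_ROLE, SAMPLE_SA_POLICY]
    for finding in run_audit(*docs) or ["no findings"]:
        print(finding)
```

The workload-identity check is the one to re-run periodically: because the GSA can set its own policy, any principal that compromises the Kf controller can add members to it, and this audit is how that shows up.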

    Target the GKE cluster

    Run the following command to set up kubectl command-line access.

    gcloud container clusters get-credentials ${CLUSTER_NAME} \
        --project=${CLUSTER_PROJECT_ID} \
        --zone=${CLUSTER_LOCATION}

    Create an Artifact Registry repository

    1. Create an Artifact Registry repository to store container images.

      gcloud artifacts repositories create ${CLUSTER_NAME} \
        --project=${CLUSTER_PROJECT_ID} \
        --repository-format=docker \
        --location=${COMPUTE_REGION}
    2. Grant the service account write access to the Artifact Registry repository.

      gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \
        --project=${CLUSTER_PROJECT_ID} \
        --location=${COMPUTE_REGION} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role='roles/artifactregistry.writer'

    Install software dependencies on the cluster

    1. Install Cloud Service Mesh.

      1. Follow the Cloud Service Mesh installation guide.
    2. Install Config Connector.

      1. Download the required Config Connector Operator tar file.

      2. Extract the tar file.

        tar zxvf release-bundle.tar.gz
      3. Install the Config Connector Operator on the cluster.

        kubectl apply -f operator-system/configconnector-operator.yaml
      4. Configure the Config Connector Operator.

        1. Copy the following YAML into a file named configconnector.yaml:

          # configconnector.yaml
          apiVersion: core.cnrm.cloud.google.com/v1beta1
          kind: ConfigConnector
          metadata:
            # the name is restricted to ensure that there is only one
            # ConfigConnector resource installed in your cluster
            name: configconnector.core.cnrm.cloud.google.com
          spec:
            mode: cluster
            googleServiceAccount: "KF_SERVICE_ACCOUNT_NAME" # Replace with the full service account resolved from ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
        2. Apply the configuration to the cluster.

          kubectl apply -f configconnector.yaml
      5. Confirm that Config Connector is fully installed before continuing.

        • Config Connector runs all of its components in a namespace named cnrm-system. Run the following command to confirm that the Pods are ready:

          kubectl wait -n cnrm-system --for=condition=Ready pod --all
        • If Config Connector is installed correctly, you should see output similar to the following:

          pod/cnrm-controller-manager-0 condition met
          pod/cnrm-deletiondefender-0 condition met
          pod/cnrm-resource-stats-recorder-86858dcdc5-6lqzb condition met
          pod/cnrm-webhook-manager-58c799b8fb-kcznq condition met
          pod/cnrm-webhook-manager-58c799b8fb-n2zpx condition met
      6. Configure Workload Identity by annotating the Config Connector Kubernetes service account with the GSA it may impersonate.

        kubectl annotate serviceaccount \
        --namespace cnrm-system \
        --overwrite \
        cnrm-controller-manager \
        iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
    3. Install Tekton:

      kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.23.0/release.yaml"

    Install Kf

    1. Install the Kf CLI:

      Linux

      This command installs the Kf CLI for all users on the system. To install it for your own user only, follow the instructions in the Cloud Shell tab.

      gcloud storage cp gs://kf-releases/v2.5.4/kf-linux /tmp/kf
      chmod a+x /tmp/kf
      sudo mv /tmp/kf /usr/local/bin/kf

      Mac

      This command installs kf for all users on the system.

      gcloud storage cp gs://kf-releases/v2.5.4/kf-darwin /tmp/kf
      chmod a+x /tmp/kf
      sudo mv /tmp/kf /usr/local/bin/kf

      Cloud Shell

      If you use bash, this command installs kf on your Cloud Shell instance. Other shells may require changes to the command.

      mkdir -p ~/bin
      gcloud storage cp gs://kf-releases/v2.5.4/kf-linux ~/bin/kf
      chmod a+x ~/bin/kf
      echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc  # single quotes: expand at login, not now
      source ~/.bashrc

      Windows

      This command downloads kf to the current directory. To call it from anywhere other than the current directory, add it to your PATH.

      gcloud storage cp gs://kf-releases/v2.5.4/kf-windows.exe kf.exe
    2. Install the operator:

      kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.5.4/operator.yaml"
    3. Configure the operator for Kf:

      kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.5.4/kfsystem.yaml"
    4. Set up secrets and defaults. The patch enables Kf, points spaces at the Artifact Registry repository created above, and tells Kf which GSA and project to use for Workload Identity:

      export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME}
      
      kubectl patch \
      kfsystem kfsystem \
      --type='json' \
      -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry': '${CONTAINER_REGISTRY}', 'secrets':{'workloadidentity':{'googleserviceaccount':'${CLUSTER_NAME}-sa', 'googleprojectid':'${CLUSTER_PROJECT_ID}'}}}}}]"
      

    Validate the installation

      kf doctor --retries=20

    Clean up

    These steps remove all of the components created in the "Create and prepare a new GKE cluster" section above.

    1. Delete the IAM policy bindings. Do this before deleting the service account so that no stale deleted:serviceAccount members remain in the project policy, and remove the roles that were actually granted above:

      gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"
      
      gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role="roles/logging.logWriter"
      
      gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
        --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
        --role="roles/monitoring.metricWriter"
    2. Delete the Google service account:

      gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
    3. Delete the container image repository:

      gcloud artifacts repositories delete ${CLUSTER_NAME} \
        --location=${COMPUTE_REGION}
    4. Delete the GKE cluster:

      gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}