Prepare to setup the Gateway API for Cloud Service Mesh
This page describes how to install the required custom resource definitions for the gateway into your cluster.
Limitations
- Having a mix of gateway config-api and istio config-api clusters in the same fleet is not supported.
- Multi-cluster service discovery and load balancing is not supported for gateway config-api clusters.
- If a cluster is onboarded using the existing --management automatic flag, then the cluster starts using the istio configuration API and cannot change to the gateway API.
- Only FQDNs are supported. Short names are not supported.
Prerequisites
As a starting point, this guide assumes that you have already
created a Google Cloud project and
installed kubectl.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Kubernetes Engine, GKE Hub, and Cloud Service Mesh APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- Generate a kubeconfig entry for your cluster:
gcloud container clusters get-credentials CLUSTER_NAME --location LOCATION --project PROJECT_ID
where:
- CLUSTER_NAME is the name of your cluster
- LOCATION is the location of your cluster
- PROJECT_ID is the project ID of your cluster
Create and register a GKE cluster
Create a GKE cluster:
gcloud container clusters create CLUSTER_NAME \
  --location=LOCATION \
  --enable-ip-alias \
  --scopes=https://www.googleapis.com/auth/cloud-platform \
  --release-channel=regular \
  --project=PROJECT_ID \
  --gateway-api=standard
where:
- CLUSTER_NAME is the name of your cluster
- LOCATION is the location of your cluster
- PROJECT_ID is the project ID of your cluster
Enable Workload Identity Federation for GKE:
gcloud container clusters update CLUSTER_NAME \
  --location LOCATION \
  --workload-pool=PROJECT_ID.svc.id.goog
Run the GKE Metadata Server on your nodes:
gcloud container node-pools update default-pool \
  --cluster=CLUSTER_NAME \
  --location=LOCATION \
  --workload-metadata=GKE_METADATA
Register your cluster to a fleet:
gcloud container hub memberships register CLUSTER_NAME \
  --gke-cluster LOCATION/CLUSTER_NAME \
  --project=PROJECT_ID
Verify that the cluster is registered to the fleet:
gcloud container hub memberships list --project=PROJECT_ID
The output is similar to:
NAME        EXTERNAL_ID                           LOCATION
my-cluster  91980bb9-593c-4b36-9170-96445c9edd39  us-west1
Set up permissions
Note that the first command below grants the trafficdirector.client role to every identity in the project's workload identity pool (the allAuthenticatedUsers group, that is, every Kubernetes service account in the cluster). You can instead use Workload Identity Federation for GKE to grant the role only to selected Kubernetes service accounts.
Grant the trafficdirector.client role:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "group:PROJECT_ID.svc.id.goog:/allAuthenticatedUsers/" \
  --role "roles/trafficdirector.client"
Grant the container.developer role:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com" \
  --role "roles/container.developer"
where PROJECT_NUMBER is your project number.
Grant the compute.networkAdmin role:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com" \
  --role "roles/compute.networkAdmin"
where PROJECT_NUMBER is your project number.
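As an added example (not from the Cloud Service Mesh documentation), the following POSIX shell script shows the narrower alternative the note above mentions: it builds the Workload Identity member for a single Kubernetes service account, previews the matching add-iam-policy-binding command, and checks an exported IAM policy for the pool-wide trafficdirector.client binding. The project, namespace and service-account names (my-project, mesh-apps, app-sa) are constructed placeholders, and the policy check assumes gcloud's pretty-printed JSON layout.

```shell
# Added example, not from the Cloud Service Mesh docs: scope roles/trafficdirector.client
# to one Kubernetes service account via Workload Identity Federation for GKE rather than
# the whole workload identity pool, and audit an exported IAM policy for the broad binding.
set -eu

# IAM member for a Kubernetes service account in the project's workload identity pool:
# serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]. Both names must be DNS labels.
wi_member() {
  project=$1; namespace=$2; ksa=$3
  for name in "$namespace" "$ksa"; do
    if ! printf '%s\n' "$name" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'; then
      echo "wi_member: '$name' is not a valid Kubernetes name" >&2
      return 1
    fi
  done
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$project" "$namespace" "$ksa"
}

# Grant the role to that single identity. Set GCLOUD=echo to preview the command.
grant_td_client() {
  member=$(wi_member "$1" "$2" "$3") || return 1
  "${GCLOUD:-gcloud}" projects add-iam-policy-binding "$1" \
    --member "$member" --role "roles/trafficdirector.client"
}

# Exit 0 if a policy on stdin (gcloud projects get-iam-policy PROJECT_ID --format=json)
# still binds trafficdirector.client to every identity in the pool. Assumes gcloud's
# pretty-printed JSON, where a binding's "members" lines precede its "role" line.
has_pool_wide_td_binding() {
  awk '
    /svc\.id\.goog:\/allAuthenticatedUsers\// { broad = 1 }
    /"role":/ { if (broad && $0 ~ /roles\/trafficdirector\.client/) found = 1; broad = 0 }
    END { exit found ? 0 : 1 }'
}

# Constructed policy excerpt (names are placeholders) showing the pool-wide binding.
SAMPLE_POLICY='{
  "bindings": [
    {
      "members": ["group:my-project.svc.id.goog:/allAuthenticatedUsers/"],
      "role": "roles/trafficdirector.client"
    }
  ]
}'

GCLOUD=echo grant_td_client my-project mesh-apps app-sa
if printf '%s\n' "$SAMPLE_POLICY" | has_pool_wide_td_binding; then
  echo "pool-wide trafficdirector.client binding found; replace it with per-KSA grants"
fi
```

Drop the GCLOUD=echo prefix to run the real binding command once you have checked the printed member string.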
Enable Cloud Service Mesh
Enable the mesh feature:
gcloud container hub mesh enable --project PROJECT_ID
Update the mesh to use the Gateway API:
gcloud alpha container fleet mesh update \
  --config-api gateway \
  --memberships CLUSTER_NAME \
  --project PROJECT_ID
Verify the update by describing the status of the Cloud Service Mesh resource:
gcloud alpha container fleet mesh describe
Install custom resource definitions
Install the GRPCRoute custom resource definition (CRD):
curl https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml \
| kubectl apply -f -
The output is similar to:
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created