Skip to content

Commit

Permalink
feat: deploy vCluster on GKE
Browse files Browse the repository at this point in the history 
Signed-off-by: Piotr Zaniewski <[email protected]>
  • Loading branch information
@Piotr1215
Piotr1215 committed Nov 21, 2024
1 parent 934ee36 commit 34a5bb3
Showing 1 changed file with 158 additions and 0 deletions.
158 changes: 158 additions & 0 deletions vcluster/deploy/environment/gke.mdx
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
---
title: Deploy on GKE
sidebar_label: GKE
sidebar_position: 8
id: gke
description: Learn how to deploy vCluster on Google Kubernetes Engine (GKE), including storage provisioning and Workload Identity configuration.
---

import BasePrerequisites from '../../../platform/_partials/install/base-prerequisites.mdx';
import Mark from "@site/src/components/Mark";
import ProAdmonition from '../../_partials/admonitions/pro-admonition.mdx';
import InstallCli from '../../_partials/deploy/install-cli.mdx';
import KubeconfigUpdate from '../../../docs/_partials/kubeconfig_update.mdx';
import ManagedK8sInstallVcluster from '../../../docs/_partials/managed_k8s_install_vcluster.mdx';

<!-- vale off -->
# Deploy vCluster on GKE
<!-- vale on -->

This guide provides step-by-step instructions for deploying `vCluster` on [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine).

## Prerequisites

Before starting, ensure you have the following tools installed:

- `kubectl`: Kubernetes command-line tool for interacting with the cluster. See [Install and Set Up kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) for installation instructions.
- vCluster CLI <InstallCli />
- [Google Cloud SDK (`gcloud` CLI)](https://cloud.google.com/sdk/docs/install)
:::note
Ensure you have the necessary IAM permissions to create clusters and manage cloud services.
:::

## Create GKE cluster

Start by creating a zonal GKE cluster using the `gcloud` CLI. First, set up your environment variables:

:::tip
Project ID can be found in the Google Cloud Console under the project name.
Alternatively use `gcloud project list` to list all projects and their IDs.
To check which project is active, use `gcloud config get-value project`.
:::

```bash title="Set environment variables"
export PROJECT_ID=development
export CLUSTER_NAME=vcluster-demo
export ZONE=europe-west1-b
export MACHINE_TYPE=e2-standard-4
```


Configure `gcloud` and enable the required APIs and set default project:

```bash title="Configure gcloud"
gcloud config set project $PROJECT_ID
gcloud services enable container.googleapis.com
```

Create the cluster:

```bash title="Create GKE cluster"
gcloud container clusters create $CLUSTER_NAME \
--zone $ZONE \
--machine-type $MACHINE_TYPE \
--num-nodes 2 \
--workload-pool=$PROJECT_ID.svc.id.goog
```

:::info
This process typically takes about 15-20 minutes.
:::

This command creates a GKE cluster named vcluster-demo in the europe-west1-b
zone with two nodes of type e2-standard-4. The `--workload-pool` flag enables
Workload Identity, which allows Kubernetes service accounts to access GCP resources. Refer to the optional [Workload
Identity](#configure-workload-identity) section for more details.

<KubeconfigUpdate />

### Verify the cluster creation

Verify the cluster by listing the nodes:

```bash title="List cluster nodes"
kubectl get nodes
```

You should see output similar to:
```
NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS
vcluster-demo europe-west1-b 1.30.5-gke.1443001 35.187.66.218 e2-standard-4 1.30.5-gke.1443001 2 RUNNING
```

<ManagedK8sInstallVcluster />

### [Optional] configure workload identity

Workload Identity allows Kubernetes service accounts to access Google Cloud services. To use Workload Identity with vCluster:

First, create a Google service account:

```bash title="Create Google service account"
GSA_NAME=vcluster-workload-gsa
gcloud iam service-accounts create $GSA_NAME --display-name "vCluster Workload Identity"
```

Grant necessary roles to the Google service account:

```bash title="Grant roles to Google service account"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/storage.admin"
```

:::info
The storage.admin role is being granted to allow the service account to manage storage resources, which may be necessary for vCluster operations involving persistent volumes and other storage-related tasks.
:::

Create a Kubernetes service account and annotate it to link with the Google service account:

```bash title="Create Kubernetes service account"
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
name: vcluster-workload-sa
namespace: default
annotations:
iam.gke.io/gcp-service-account: $GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com
EOF
```

#### Create a virtual cluster with workload identity

```bash title="Create virtual cluster with workload identity"
vcluster create my-vcluster-managed --namespace team-y \
--set sync.toHost.serviceAccounts.enabled=true
```

<KubeconfigUpdate />

This configuration ensures that:
- Service accounts are properly synced between virtual and host clusters

## Next steps

Now that you have vCluster running on GKE, consider exploring:

### Platform UI

- Setup the [platform UI](/platform/install/quick-start-guide) to mange your virtual clusters.

## Cleanup

Remember to clean up resources when you're done experimenting:

```bash title="Clean up resources"
gcloud container clusters delete $CLUSTER_NAME --zone $ZONE --quiet
```

0 comments on commit 34a5bb3

Please sign in to comment.