Deckhouse Kubernetes Platform in Google Cloud

Before starting the installation, ensure you have the cloud provider quotas required to deploy your cluster. Ensure you have Compute Engine API enabled.

The cloud-init package must be installed on the VMs. After the virtual machine is started, the following services associated with this package must be started:

  • cloud-config.service;
  • cloud-final.service;
  • cloud-init.service.

You need to create a service account so that Deckhouse Kubernetes Platform can manage resources in the Google Cloud. The detailed instructions for creating a service account are available in the documentation. Below is a brief sequence of required actions (run them on the personal computer):

List of roles required:

  • roles/compute.admin
  • roles/iam.serviceAccountUser
  • roles/networkmanagement.admin

Export environment variables:

export PROJECT_ID=sandbox
export SERVICE_ACCOUNT_NAME=deckhouse
export PROJECT_ID=sandbox export SERVICE_ACCOUNT_NAME=deckhouse

Select a project:

gcloud config set project $PROJECT_ID
gcloud config set project $PROJECT_ID

Create a service account:

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME

Connect roles to the service account:

for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin; do \
  gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com --role=${role}; done
for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin; do \ gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com --role=${role}; done

Verify service account roles:

gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --format='table(bindings.role)' \
    --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --format='table(bindings.role)' \ --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

Create a service account key:

gcloud iam service-accounts keys create --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
    ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json
gcloud iam service-accounts keys create --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \ ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json