Deckhouse Kubernetes Platform in Google Cloud

1
Selecting infrastructure
2
Installation information
3
Preparing environment
4
Installation
5
Getting access to the cluster
6
What can I do next?

Before installation, ensure the following:

  • Cloud provider quotas for cluster deployment.
  • Compute Engine API enabled.
  • The cloud-init package is installed on the VMs. After the VM starts, services cloud-config.service, cloud-final.service, cloud-init.service must be running.
  • The virtual machine template contains only one disk.

Additional requirements and notes

  • For ContainerdV2 on cluster nodes, the OS on virtual machines must meet the requirements:
    • Linux kernel version 5.8 or newer;
    • CgroupsV2 support;
    • Systemd version 244 or newer;
    • erofs kernel module support.

    For more information, see the ClusterConfiguration resource.

  • From version 1.74, Deckhouse has a module integrity control mechanism (protection against replacement and modification). It turns on automatically when the OS on the nodes supports the erofs kernel module. Without it, Deckhouse runs as before but the mechanism is off — an alert will indicate it is unavailable.

You need to create a service account so that Deckhouse Kubernetes Platform can manage resources in the Google Cloud. The detailed instructions for creating a service account are available in the documentation. Below is a brief sequence of required actions (run them on the personal computer):

List of roles required:

  • roles/compute.admin
  • roles/iam.serviceAccountUser
  • roles/networkmanagement.admin

Export environment variables:

export PROJECT_ID=sandbox
export SERVICE_ACCOUNT_NAME=deckhouse

Select a project:

gcloud config set project $PROJECT_ID

Create a service account:

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME

Connect roles to the service account:

for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin; do \
  gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com --role=${role}; done

Verify service account roles:

gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --format='table(bindings.role)' \
    --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

Create a service account key:

gcloud iam service-accounts keys create --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
    ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json
Go back Next: Installation