Before you begin

Overview

GKE cluster requirements:

- A cluster dedicated to Kf is recommended but not required. Install only Kf and its dependencies on it so that the supported compatibility matrix stays intact.
- At least four nodes. To add nodes, see Resizing a cluster.
- A machine type with at least four vCPUs, for example e2-standard-4. If the cluster's machine type has fewer than four vCPUs, change it as described in Migrating workloads to different machine types.
- Enrolling the cluster in a release channel is recommended (optional). If you use a static GKE version, follow the instructions in Enrolling an existing cluster in a release channel.
- Workload Identity enabled.
- Tekton, installed for Kf's own use. It is not exposed to users.
- A dedicated Google service account (GSA).

Enable Compute Engine support

- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project. Selecting a project requires no specific IAM role; you can select any project you have been granted a role on. Creating a project requires the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.

Enable Artifact Registry support

- Select the same project and confirm that billing is enabled, as above.
- Enable the Artifact Registry API.

Enable and configure GKE

Before you begin, make sure you have done the following:

- Select the same project and confirm that billing is enabled, as above.
- Enable the Google Kubernetes Engine API.
- To run this task with the Google Cloud CLI, install and initialize the gcloud CLI. If you installed the gcloud CLI earlier, run gcloud components update to get the latest version; older gcloud CLI versions may not support the commands in this document.

Prepare a new GKE cluster and associated services

Set up environment variables

Linux and Mac

export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE} # Replace ZONE with REGION to switch
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default

Windows PowerShell

Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name COMPUTE_ZONE -Value us-central1-a
Set-Variable -Name COMPUTE_REGION -Value us-central1
Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE # Replace ZONE with REGION to switch
Set-Variable -Name NODE_COUNT -Value 4
Set-Variable -Name MACHINE_TYPE -Value e2-standard-4
Set-Variable -Name NETWORK -Value default

Set up service accounts

Create a GCP service account (GSA) and associate it with a Kubernetes service account through Workload Identity. This avoids creating and injecting service account keys.

1. Create the service account that Kf will use:

   gcloud iam service-accounts create ${CLUSTER_NAME}-sa \
     --project=${CLUSTER_PROJECT_ID} \
     --description="GSA for Kf ${CLUSTER_NAME}" \
     --display-name="${CLUSTER_NAME}"

2. Create a new custom IAM role:

   gcloud iam roles create serviceAccountUpdater \
     --project=${CLUSTER_PROJECT_ID} \
     --title "Service Account Updater" \
     --description "This role only updates members on a GSA" \
     --permissions iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy

3. Allow the service account to modify its own policy. The Kf controller uses this to add new spaces (namespaces) to the policy so that Workload Identity can be reused:

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"

   This binding is made at project scope, so the permissions in the custom role, including iam.serviceAccounts.setIamPolicy, apply to every service account in the project, not only to this one. If that is wider than you want, grant the custom role on the GSA resource itself (with gcloud iam service-accounts add-iam-policy-binding, as in the Workload Identity step below) rather than on the project.

4. Grant the monitoring metric writer role for write access to Cloud Monitoring:

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/monitoring.metricWriter"

5. Grant the logging writer role for write access to Cloud Logging:

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/logging.logWriter"

Create a GKE cluster

gcloud container clusters create ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --zone=${CLUSTER_LOCATION} \
  --num-nodes=${NODE_COUNT} \
  --machine-type=${MACHINE_TYPE} \
  --disk-size "122" \
  --network=${NETWORK} \
  --addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
  --enable-dataplane-v2 \
  --enable-stackdriver-kubernetes \
  --enable-ip-alias \
  --enable-autorepair \
  --enable-autoupgrade \
  --scopes cloud-platform \
  --release-channel=regular \
  --workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
  --service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

The nodes run as the Kf GSA with the cloud-platform scope. Because the cluster is created with a workload pool (Workload Identity), pods do not obtain the node service account's credentials from the metadata server; a Kubernetes service account only gets to act as the GSA through the explicit bindings made below.

Set firewall rules

Kf requires some firewall ports to be open. The control plane (master) nodes must be able to reach pods on ports 80, 443, 8080, 8443 and 6443. If your VPC firewall is tighter than the default network's, add a rule that allows these ports from the control plane's address range to the cluster nodes.

Enable Workload Identity

Now that you have a service account and a GKE cluster, associate the cluster's identity namespace with the service account:

gcloud iam service-accounts add-iam-policy-binding \
  --project=${CLUSTER_PROJECT_ID} \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]" \
  "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

gcloud iam service-accounts add-iam-policy-binding \
  --project=${CLUSTER_PROJECT_ID} \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

Target the GKE cluster

Run the following command to set up kubectl command-line access:

gcloud container clusters get-credentials ${CLUSTER_NAME} \
    --project=${CLUSTER_PROJECT_ID} \
    --zone=${CLUSTER_LOCATION}

Create an Artifact Registry repository

1. Create an Artifact Registry repository to store container images:

   gcloud artifacts repositories create ${CLUSTER_NAME} \
     --project=${CLUSTER_PROJECT_ID} \
     --repository-format=docker \
     --location=${COMPUTE_REGION}

2. Grant the service account permission on the Artifact Registry repository. The writer role is bound on this repository only, not on the project:

   gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \
     --project=${CLUSTER_PROJECT_ID} \
     --location=${COMPUTE_REGION} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role='roles/artifactregistry.writer'

Install software dependencies on the cluster

1. Install Cloud Service Mesh by following the Cloud Service Mesh installation guide.

2. Install Config Connector:

   a. Download the required Config Connector Operator tar file.

   b. Extract the tar file:

      tar zxvf release-bundle.tar.gz

   c. Install the Config Connector operator on the cluster:

      kubectl apply -f operator-system/configconnector-operator.yaml

   d. Configure the Config Connector operator. Copy the following YAML into a file named configconnector.yaml, replacing KF_SERVICE_ACCOUNT_NAME with the fully resolved GSA email:

      # configconnector.yaml
      apiVersion: core.cnrm.cloud.google.com/v1beta1
      kind: ConfigConnector
      metadata:
        # the name is restricted to ensure that there is only one
        # ConfigConnector resource installed in your cluster
        name: configconnector.core.cnrm.cloud.google.com
      spec:
        mode: cluster
        googleServiceAccount: "KF_SERVICE_ACCOUNT_NAME" # Replace with the full service account resolved from ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

   e. Apply the configuration to the cluster:

      kubectl apply -f configconnector.yaml

   f. Confirm that Config Connector is fully installed before continuing. Config Connector runs all of its components in a namespace named cnrm-system. Run the following command to confirm that the pods are ready:

      kubectl wait -n cnrm-system --for=condition=Ready pod --all

      If Config Connector is installed correctly, you should see output similar to the following:

      pod/cnrm-controller-manager-0 condition met
      pod/cnrm-deletiondefender-0 condition met
      pod/cnrm-resource-stats-recorder-86858dcdc5-6lqzb condition met
      pod/cnrm-webhook-manager-58c799b8fb-kcznq condition met
      pod/cnrm-webhook-manager-58c799b8fb-n2zpx condition met

   g. Set up Workload Identity for the Config Connector controller. The annotation must name the same GSA that was bound to cnrm-system/cnrm-controller-manager above:

      kubectl annotate serviceaccount \
        --namespace cnrm-system \
        --overwrite \
        cnrm-controller-manager \
        iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

3. Install Tekton:

   kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.23.0/release.yaml"

Install Kf

1. Install the Kf CLI.

   Linux. These commands install the Kf CLI for all users on the system; to install it only for yourself, follow the Cloud Shell instructions instead:

     gcloud storage cp gs://kf-releases/v2.5.4/kf-linux /tmp/kf
     chmod a+x /tmp/kf
     sudo mv /tmp/kf /usr/local/bin/kf

   Mac. These commands install kf for all users on the system:

     gcloud storage cp gs://kf-releases/v2.5.4/kf-darwin /tmp/kf
     chmod a+x /tmp/kf
     sudo mv /tmp/kf /usr/local/bin/kf

   Cloud Shell. If you use bash, these commands install kf on the Cloud Shell instance; other shells may need the commands adjusted:

     mkdir -p ~/bin
     gcloud storage cp gs://kf-releases/v2.5.4/kf-linux ~/bin/kf
     chmod a+x ~/bin/kf
     echo "export PATH=$HOME/bin:$PATH" >> ~/.bashrc
     source ~/.bashrc

   Windows. This command downloads kf to the current directory; add it to your PATH to call it from anywhere else:

     gcloud storage cp gs://kf-releases/v2.5.4/kf-windows.exe kf.exe

2. Install the operator:

   kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.5.4/operator.yaml"

3. Configure the operator for Kf:

   kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.5.4/kfsystem.yaml"

4. Set secrets and defaults. The container registry must point at the Artifact Registry repository created above, in the same location:

   export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME}

   kubectl patch \
     kfsystem kfsystem \
     --type='json' \
     -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry': '${CONTAINER_REGISTRY}', 'secrets':{'workloadidentity':{'googleserviceaccount':'${CLUSTER_NAME}-sa', 'googleprojectid':'${CLUSTER_PROJECT_ID}'}}}}}]"

Validate installation

kf doctor --retries=20

Clean up resources

These steps should remove all components created in the "Prepare a new GKE cluster and associated services" section. Remove the IAM policy bindings before deleting the service account; bindings left behind for a deleted account stay in the project policy as deleted:serviceAccount members.

1. Remove the project-level IAM policy bindings granted above (the custom role, Cloud Monitoring and Cloud Logging):

   gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"

   gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/monitoring.metricWriter"

   gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/logging.logWriter"

   The custom role serviceAccountUpdater itself is not removed by these steps; delete it separately if nothing else uses it.

2. Delete the Google service account. The Workload Identity bindings live on the account and go away with it:

   gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

3. Delete the container image repository. The repository-level artifactregistry.writer binding goes away with it:

   gcloud artifacts repositories delete ${CLUSTER_NAME} \
     --location=${COMPUTE_REGION}

4. Delete the GKE cluster:

   gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}
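The following is an added example, not code from the Kf documentation or the Kf project. It covers two earlier steps: it checks the variables from "Set up environment variables" before any gcloud command is run (the service account ID derived from CLUSTER_NAME has to satisfy IAM's naming rules, and CLUSTER_LOCATION should lie in COMPUTE_REGION because the Artifact Registry repository and spaceContainerRegistry use the region), and it renders the configconnector.yaml from the "Install Config Connector" step with the googleServiceAccount field resolved, refusing to emit the KF_SERVICE_ACCOUNT_NAME placeholder or a bare account ID. The function names, the project name example-project and the demonstration defaults are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Kf documentation: a preflight check for the
# environment variables used throughout this page and a renderer for
# configconnector.yaml that refuses to emit the unresolved KF_SERVICE_ACCOUNT_NAME
# placeholder. Variable names follow the page; the default values are illustrative.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges ASCII regardless of the user's locale

# Email of the GSA that "gcloud iam service-accounts create ${CLUSTER_NAME}-sa" produces.
# usage: kf_gsa_email CLUSTER_NAME CLUSTER_PROJECT_ID
kf_gsa_email() {
  printf '%s-sa@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# usage: check_env CLUSTER_PROJECT_ID CLUSTER_NAME COMPUTE_REGION CLUSTER_LOCATION
# Prints one line per problem and returns the number of problems (0 = usable).
check_env() {
  for val in "$1" "$2" "$3" "$4"; do
    if [ -z "$val" ]; then
      echo "CLUSTER_PROJECT_ID, CLUSTER_NAME, COMPUTE_REGION and CLUSTER_LOCATION must all be set"
      return 1
    fi
  done
  name=$2 region=$3 location=$4 problems=0
  sa_id="${name}-sa"
  # A service account ID must be 6-30 characters of [a-z0-9-] and start with a letter,
  # so CLUSTER_NAME decides whether the "create" step on the page can succeed.
  case "$sa_id" in
    [a-z]*) ;;
    *) echo "service account ID '$sa_id' must start with a lowercase letter"; problems=$((problems+1)) ;;
  esac
  case "$sa_id" in
    *[!a-z0-9-]*) echo "service account ID '$sa_id' contains characters outside [a-z0-9-]"; problems=$((problems+1)) ;;
  esac
  if [ "${#sa_id}" -lt 6 ] || [ "${#sa_id}" -gt 30 ]; then
    echo "service account ID '$sa_id' is ${#sa_id} characters; must be 6-30"; problems=$((problems+1))
  fi
  # The repository and spaceContainerRegistry use COMPUTE_REGION while the cluster uses
  # CLUSTER_LOCATION; a zonal location must lie in that region (us-central1-a -> us-central1).
  case "$location" in
    "$region"|"$region"-[a-z]) ;;
    *) echo "CLUSTER_LOCATION '$location' is not in COMPUTE_REGION '$region'"; problems=$((problems+1)) ;;
  esac
  return "$problems"
}

# Renders the ConfigConnector manifest from the page with googleServiceAccount resolved.
# Prints nothing and returns 1 unless the argument is a full service account email,
# so the placeholder (or a bare "${CLUSTER_NAME}-sa") never reaches the cluster.
render_configconnector() {
  case "$1" in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "not a service account email: '$1'" >&2; return 1 ;;
  esac
  cat <<EOF
# configconnector.yaml
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only one
  # ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "$1"
EOF
}

# Demonstration with illustrative defaults; with real values, redirect the output
# to configconnector.yaml and apply it as the page describes.
CLUSTER_PROJECT_ID=${CLUSTER_PROJECT_ID:-example-project}
CLUSTER_NAME=${CLUSTER_NAME:-kf-cluster}
COMPUTE_REGION=${COMPUTE_REGION:-us-central1}
CLUSTER_LOCATION=${CLUSTER_LOCATION:-us-central1-a}
if check_env "$CLUSTER_PROJECT_ID" "$CLUSTER_NAME" "$COMPUTE_REGION" "$CLUSTER_LOCATION"; then
  render_configconnector "$(kf_gsa_email "$CLUSTER_NAME" "$CLUSTER_PROJECT_ID")"
fi
```

Run it after exporting the variables and before the first gcloud command; a non-zero exit from check_env means one of the later steps would fail or, in the case of a region mismatch, produce a spaceContainerRegistry that does not match the repository's location.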
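Because the GSA in "Set up service accounts" holds iam.serviceAccounts.setIamPolicy and the Kf controller keeps adding space namespaces to the GSA's own policy, the set of Kubernetes service accounts that may impersonate it grows over time, and it is worth listing them regularly. The following is an added example, not part of the Kf documentation: it audits the flattened output of gcloud iam service-accounts get-iam-policy and flags any binding that is not a roles/iam.workloadIdentityUser grant to kf/controller, cnrm-system/cnrm-controller-manager, or a namespace of a known Kf space. The project name example-project, the space name demo, and the constructed sample policy are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Kf documentation: audit which Kubernetes service
# accounts may impersonate the Kf GSA through Workload Identity. Project and
# space names below are illustrative.
LC_ALL=C; export LC_ALL

# Workload Identity pool of the cluster (the --workload-pool value on the page).
CLUSTER_PROJECT_ID=${CLUSTER_PROJECT_ID:-example-project}
WORKLOAD_POOL="${CLUSTER_PROJECT_ID}.svc.id.goog"
# Kf spaces whose namespaces are allowed to hold a bound KSA (assumed names).
KF_SPACES=${KF_SPACES:-demo}

# Returns 0 if "namespace/ksa" is one of the bindings this page creates or lies in
# a known Kf space namespace, 1 otherwise.
is_expected_ksa() {
  case "$1" in
    kf/controller|cnrm-system/cnrm-controller-manager) return 0 ;;
  esac
  for space in $KF_SPACES; do
    case "$1" in
      "$space"/*) return 0 ;;
    esac
  done
  return 1
}

# Reads "role,member" lines from stdin, the shape produced by
#   gcloud iam service-accounts get-iam-policy "$GSA" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
# and prints one line per binding that is not an expected
# roles/iam.workloadIdentityUser grant. Returns the number of findings.
audit_gsa_policy() {
  findings=0
  while IFS=, read -r role member; do
    if [ -z "$role" ]; then continue; fi
    if [ "$role" != roles/iam.workloadIdentityUser ]; then
      echo "UNEXPECTED role $role granted to $member"
      findings=$((findings+1)); continue
    fi
    case "$member" in
      "serviceAccount:${WORKLOAD_POOL}["*"]")
        ksa=${member#"serviceAccount:${WORKLOAD_POOL}["}
        ksa=${ksa%"]"}
        if is_expected_ksa "$ksa"; then continue; fi
        echo "UNEXPECTED Workload Identity user: $ksa" ;;
      *) echo "UNEXPECTED member outside pool $WORKLOAD_POOL: $member" ;;
    esac
    findings=$((findings+1))
  done
  return "$findings"
}

# Constructed sample: the two bindings this page creates, one Kf space, and a
# binding from an unrelated namespace that the audit should flag.
sample_policy() {
  cat <<EOF
roles/iam.workloadIdentityUser,serviceAccount:${WORKLOAD_POOL}[kf/controller]
roles/iam.workloadIdentityUser,serviceAccount:${WORKLOAD_POOL}[cnrm-system/cnrm-controller-manager]
roles/iam.workloadIdentityUser,serviceAccount:${WORKLOAD_POOL}[demo/default]
roles/iam.workloadIdentityUser,serviceAccount:${WORKLOAD_POOL}[default/debug-shell]
EOF
}

# Against a live cluster, replace sample_policy with the gcloud command above.
sample_policy | audit_gsa_policy || echo "findings: $?"
```

Any role other than roles/iam.workloadIdentityUser on the GSA is reported as well, since nothing in this page grants one; a finding such as default/debug-shell means a namespace outside Kf's control can mint tokens for the GSA and should be investigated before the binding is removed.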