Before you begin
GKE cluster requirements
We recommend a cluster dedicated to Kf, although this is not required. Install only Kf and its dependencies on it so that the compatibility matrix stays intact.
- At least four nodes. To add nodes, see Resizing a cluster.
- A machine type with at least four vCPUs, such as e2-standard-4. If the cluster's machine type does not have at least four vCPUs, change it as described in Migrating workloads to different machine types.
- (Optional) Enroll the cluster in a release channel. If you are using a static GKE version, follow the instructions in Enrolling an existing cluster in a release channel.
- Workload Identity enabled.
Kf requirements
- Review and understand the access that Kf components need, as described on the Kf dependencies and architecture page.
- Tekton, for Kf's own use; it is not exposed to users.
- A dedicated Google service account.
Enable Compute Engine support
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.
Enable Artifact Registry support
- Enable the Artifact Registry API.
Enable and configure GKE
Before you start, make sure that you have performed the following tasks:
- Enable the Google Kubernetes Engine API.
- If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update. Earlier gcloud CLI versions might not support running the commands in this document.
Prepare a new GKE cluster and related services
Set environment variables
Linux and Mac
export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE} # Replace ZONE with REGION to switch
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default
Windows PowerShell
Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name COMPUTE_ZONE -Value us-central1-a
Set-Variable -Name COMPUTE_REGION -Value us-central1
Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE # Replace ZONE with REGION to switch
Set-Variable -Name NODE_COUNT -Value 4
Set-Variable -Name MACHINE_TYPE -Value e2-standard-4
Set-Variable -Name NETWORK -Value default
Set up the service account
Create a Google Cloud service account that will be associated with a Kubernetes service account through Workload Identity. This avoids creating and injecting service account keys.
Create the service account that Kf will use:
gcloud iam service-accounts create ${CLUSTER_NAME}-sa \
  --project=${CLUSTER_PROJECT_ID} \
  --description="GSA for Kf ${CLUSTER_NAME}" \
  --display-name="${CLUSTER_NAME}"
Create a new custom IAM role:
gcloud iam roles create serviceAccountUpdater \
  --project=${CLUSTER_PROJECT_ID} \
  --title "Service Account Updater" \
  --description "This role only updates members on a GSA" \
  --permissions iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy
Allow the service account to modify its own policy. The Kf controller uses this to add new Spaces (namespaces) to the policy so that Workload Identity can be reused. Note that the binding is made at project scope, so the account can also change the IAM policy of every other service account in the project; this is one reason to run Kf in its own project.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"
Grant the monitoring metrics role for write access to Cloud Monitoring:
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"
Grant the logging role for write access to Cloud Logging:
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"
Create the GKE cluster
gcloud container clusters create ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION} \
--num-nodes=${NODE_COUNT} \
--machine-type=${MACHINE_TYPE} \
--disk-size "122" \
--network=${NETWORK} \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-dataplane-v2 \
--enable-stackdriver-kubernetes \
--enable-ip-alias \
--enable-autorepair \
--enable-autoupgrade \
--scopes cloud-platform \
--release-channel=regular \
--workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
--service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
Set up firewall rules
Kf needs some firewall ports to be open. The control plane (master) must be able to reach Pods on ports 80, 443, 8080, 8443 and 6443.
Enable Workload Identity
Now that you have a service account and a GKE cluster, bind the two Kubernetes service accounts that Kf and Config Connector run as (kf/controller and cnrm-system/cnrm-controller-manager) to the Google service account through the cluster's workload identity pool, so that they can obtain its credentials without a key:
gcloud iam service-accounts add-iam-policy-binding \
--project=${CLUSTER_PROJECT_ID} \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]" \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
gcloud iam service-accounts add-iam-policy-binding \
--project=${CLUSTER_PROJECT_ID} \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
Target the GKE cluster
Run the following command to set up kubectl command-line access:
gcloud container clusters get-credentials ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION}
Create an Artifact Registry repository
Create an Artifact Registry repository to store container images:
gcloud artifacts repositories create ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --repository-format=docker \
  --location=${COMPUTE_REGION}
Grant the service account permission on the Artifact Registry repository. The writer role is scoped to this one repository rather than to the whole project:
gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --location=${COMPUTE_REGION} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role='roles/artifactregistry.writer'
Install software dependencies on the cluster
Install Cloud Service Mesh:
Follow the Cloud Service Mesh installation guide.
After installing Cloud Service Mesh, you must create an ingress gateway by following the gateway installation guide.
Install Config Connector:
Download the required Config Connector Operator tar file.
Extract the tar file:
tar zxvf release-bundle.tar.gz
Install the Config Connector operator on the cluster:
kubectl apply -f operator-system/configconnector-operator.yaml
Configure the Config Connector operator:
Copy the following YAML into a file named configconnector.yaml:
# configconnector.yaml
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only one
  # ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "KF_SERVICE_ACCOUNT_NAME" # Replace with the full service account resolved from ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
Apply the configuration to the cluster:
kubectl apply -f configconnector.yaml
Verify that Config Connector is fully installed before continuing.
Config Connector runs all of its components in a namespace named cnrm-system. Run the following command to confirm that the Pods are ready:
kubectl wait -n cnrm-system --for=condition=Ready pod --all
If Config Connector is installed correctly, you should see output similar to the following:
pod/cnrm-controller-manager-0 condition met
pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-86858dcdc5-6lqzb condition met
pod/cnrm-webhook-manager-58c799b8fb-kcznq condition met
pod/cnrm-webhook-manager-58c799b8fb-n2zpx condition met
Set up Workload Identity by annotating the Config Connector Kubernetes service account with the Google service account it should impersonate:
kubectl annotate serviceaccount \
  --namespace cnrm-system \
  --overwrite \
  cnrm-controller-manager \
  iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
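The following script is an added verification step; it is not part of the Kf documentation or the Kf project. It checks what the "Set up the service account", "Enable Workload Identity" and annotation steps above produced: that the Google service account holds only the three project-level roles granted on this page, that both Kubernetes service accounts (kf/controller and cnrm-system/cnrm-controller-manager) hold roles/iam.workloadIdentityUser on it, that the Config Connector service account carries the iam.gke.io/gcp-service-account annotation, and, end to end, that a Pod running as that service account is handed the Google service account's identity by the GKE metadata server. It assumes the CLUSTER_NAME and CLUSTER_PROJECT_ID variables from this page, an authenticated gcloud and kubectl, and that the google/cloud-sdk:slim image can be pulled; the Pod name wi-check and the file name check-wi.sh are arbitrary choices. Run it as `bash check-wi.sh check`.

```shell
#!/usr/bin/env bash
# Added verification script (not from the Kf docs or project). Checks the
# GSA roles, Workload Identity bindings and KSA annotation created above.
# Assumes CLUSTER_NAME and CLUSTER_PROJECT_ID are exported and that gcloud
# and kubectl are authenticated. Cloud calls run only with the "check" arg.
set -euo pipefail

# IAM member string GKE presents for a Kubernetes service account in the
# cluster's workload identity pool: args are project, namespace, KSA name.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Exit 0 if the policy on stdin (YAML as printed by
# `gcloud iam service-accounts get-iam-policy`) grants ROLE ($1) to MEMBER ($2).
# Each binding starts with "- ", its members are indented "  - " lines and the
# binding's "  role:" line follows them, which is the key order gcloud prints.
policy_grants() {
  awk -v role="$1" -v member="$2" '
    /^- /       { seen = 0 }                    # start of a new binding
    /^  - /     { if ($2 == member) seen = 1 }  # a member of this binding
    /^  role: / { if ($2 == role && seen) ok = 1 }
    END         { exit ok ? 0 : 1 }'
}

# Read roles from stdin (one per line) and print those not in the allow list
# given as arguments; used to spot a GSA holding more than this page grants.
unexpected_roles() {
  local role allowed ok
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    ok=0
    for allowed in "$@"; do
      if [ "$role" = "$allowed" ]; then ok=1; fi
    done
    [ "$ok" = 1 ] || printf '%s\n' "$role"
  done
}

gsa_email() {
  printf '%s-sa@%s.iam.gserviceaccount.com' "$CLUSTER_NAME" "$CLUSTER_PROJECT_ID"
}

# 1. Direct project-level roles: only the custom role, metricWriter and
#    logWriter. Grants inherited from a folder or via a group are not seen here.
check_project_roles() {
  local extra
  extra=$(gcloud projects get-iam-policy "$CLUSTER_PROJECT_ID" \
      --flatten='bindings[].members' \
      --filter="bindings.members:serviceAccount:$(gsa_email)" \
      --format='value(bindings.role)' \
    | unexpected_roles \
        "projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater" \
        roles/monitoring.metricWriter roles/logging.logWriter)
  if [ -n "$extra" ]; then
    printf 'GSA holds roles this page does not grant:\n%s\n' "$extra"
    return 1
  fi
  echo "ok: project roles on $(gsa_email) match the page"
}

# 2. Both KSAs may impersonate the GSA through roles/iam.workloadIdentityUser.
check_wi_bindings() {
  local policy ksa member
  policy=$(gcloud iam service-accounts get-iam-policy "$(gsa_email)" \
             --project="$CLUSTER_PROJECT_ID")
  for ksa in kf/controller cnrm-system/cnrm-controller-manager; do
    member=$(wi_member "$CLUSTER_PROJECT_ID" "${ksa%/*}" "${ksa#*/}")
    if printf '%s\n' "$policy" | policy_grants roles/iam.workloadIdentityUser "$member"; then
      echo "ok: $member may impersonate $(gsa_email)"
    else
      echo "MISSING workloadIdentityUser binding for $member"
      return 1
    fi
  done
}

# 3. The Config Connector KSA names the GSA in its annotation
#    (kf/controller is created and annotated later by the Kf operator).
check_ksa_annotation() {
  local got
  got=$(kubectl get serviceaccount cnrm-controller-manager -n cnrm-system \
          -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}')
  [ "$got" = "$(gsa_email)" ] \
    || { echo "annotation is '$got', expected '$(gsa_email)'"; return 1; }
  echo "ok: cnrm-system/cnrm-controller-manager is annotated with $(gsa_email)"
}

# 4. End to end: a throwaway Pod running as that KSA asks the GKE metadata
#    server which identity it holds; it must be the GSA, not a node identity.
check_token_identity() {
  kubectl run wi-check -n cnrm-system --rm -i --restart=Never \
      --image=google/cloud-sdk:slim \
      --overrides='{"apiVersion":"v1","spec":{"serviceAccountName":"cnrm-controller-manager"}}' \
      -- gcloud auth list --format='value(account)' \
    | grep -F "$(gsa_email)" >/dev/null \
    || { echo "Pod did not receive the GSA identity"; return 1; }
  echo "ok: Pod token resolves to $(gsa_email)"
}

if [ "${1:-}" = "check" ]; then
  check_project_roles
  check_wi_bindings
  check_ksa_annotation
  check_token_identity
fi
```

Run it right after the annotation step. The binding check for kf/controller passes even though that Kubernetes service account does not exist yet, because it inspects only the IAM policy on the Google service account; the annotation and Pod checks cover cnrm-system, which does exist at this point. A failure in the last check with the first three passing usually means the node pool is not using the GKE metadata server.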
Install Tekton:
kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.26.0/release.yaml"
Install Kf
Install the Kf CLI:
Linux
This command installs the Kf CLI for all users on the system. Follow the instructions in the Cloud Shell tab to install it for yourself only.
gcloud storage cp gs://kf-releases/v2.6.1/kf-linux /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf
Mac
This command installs kf for all users on the system.
gcloud storage cp gs://kf-releases/v2.6.1/kf-darwin /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf
Cloud Shell
If you use bash, this command installs kf on your Cloud Shell instance. For other shells, the command may need modification.
mkdir -p ~/bin
gcloud storage cp gs://kf-releases/v2.6.1/kf-linux ~/bin/kf
chmod a+x ~/bin/kf
echo "export PATH=$HOME/bin:$PATH" >> ~/.bashrc
source ~/.bashrc
Windows
This command downloads kf to the current directory. Add it to your path if you want to call it from anywhere other than the current directory.
gcloud storage cp gs://kf-releases/v2.6.1/kf-windows.exe kf.exe
Install the operator:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.6.1/operator.yaml"
Configure the operator for Kf:
kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.6.1/kfsystem.yaml"
Set up secrets and defaults. The Workload Identity secret names the Google service account by its short name and project; no key is stored:
export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME}
kubectl patch \
  kfsystem kfsystem \
  --type='json' \
  -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry': '${CONTAINER_REGISTRY}', 'secrets':{'workloadidentity':{'googleserviceaccount':'${CLUSTER_NAME}-sa', 'googleprojectid':'${CLUSTER_PROJECT_ID}'}}}}}]"
Verify the installation
kf doctor --retries=20
Clean up
These steps remove the components created in the "Prepare a new GKE cluster and related services" section. Remove the IAM policy bindings before deleting the service account: once the account is deleted, its bindings can no longer be matched by email. The custom serviceAccountUpdater role is not removed by these steps.
Remove the project-level IAM policy bindings granted above:
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="projects/${CLUSTER_PROJECT_ID}/roles/serviceAccountUpdater"
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"
Delete the Google service account:
gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com
Delete the container image repository:
gcloud artifacts repositories delete ${CLUSTER_NAME} \
  --location=${COMPUTE_REGION}
Delete the GKE cluster:
gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}