
GCP Configuration

GCP IAM

To create and manage GKE clusters, complete the following configuration in the GCP console:

  • GCP Project
  • IAM Policy
  • Cloud Credentials
  • Enable APIs

Step 1: GCP Project

Important

Skip this step if you want to use an existing GCP project.

  • Log in to the GCP Console
  • Click on IAM & Admin and select IAM
  • Click Create Project
  • Provide a project name and select an organization
  • Browse for a required location and click Create



Step 2: IAM Policy

Create Service Account

  • Click on IAM & Admin and select Service Accounts
  • Click Create Service Account
  • Provide a Service Account Name; the Service Account ID is generated automatically
  • Optionally, provide a service account description, then click Create and Continue


Add Roles to the Service Account

Add the following roles to the service account you created:

  • Compute Admin
  • Kubernetes Engine Admin
  • Service Account User


Click Continue

Grant User Access

Optionally, add one or more users to this service account, then click Done.


On successful creation, the service account is listed in the Service Accounts table.



Step 3: JSON Credential

Once the service account is created:

  • Select the service account from the list and open the Keys tab
  • Click Add Key and select Create new key


By default, the JSON key type is selected.

  • Click Create


On successful creation, the JSON key file is downloaded automatically. This JSON file is used to create a Cloud Credential in the Controller for GKE lifecycle management.


Step 4: Enable APIs

Enable the following APIs on your Google Cloud Platform project to allow the Controller to interact with GCP programmatically through GCP's APIs.

In the GCP Console,

  • Click APIs & Services
  • Click Enable APIs and Services
  • Search for the following three APIs and enable each of them:

    • Compute Engine API
    • Cloud Resource Manager API
    • Kubernetes Engine API

Below is an example showing what this looks like for the Compute Engine API
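Steps 1 to 4 above are console procedures; the following is an added example (not code from the original page or from the Controller product it documents) that performs the same steps with gcloud and adds offline checks. The project id, organization id, service-account name and key-file path are placeholders you set; the role identifiers (roles/compute.admin, roles/container.admin, roles/iam.serviceAccountUser) and service names are the GCP identifiers for the three roles and three APIs named on the page. The missing_roles, missing_apis and check_key_file functions work on text piped in, so they can be run against the output of the gcloud commands quoted in their comments.

```shell
#!/bin/sh
# Added example, not part of the original page. PROJECT_ID, ORG_ID, SA_NAME
# and KEY_FILE below are placeholders supplied by the caller.

REQUIRED_ROLES="roles/compute.admin roles/container.admin roles/iam.serviceAccountUser"
REQUIRED_APIS="compute.googleapis.com cloudresourcemanager.googleapis.com container.googleapis.com"

# Step 1: create a project under an organization (skip for an existing project).
create_project() {
    gcloud projects create "$1" --name="$1" --organization="$2"
}

# Step 2: create the service account and bind the three roles at project level.
# Prints the service account e-mail.
create_controller_sa() {
    project="$1"; sa_name="$2"
    sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
    gcloud iam service-accounts create "$sa_name" --project="$project" \
        --display-name="$sa_name" \
        --description="Controller service account for GKE lifecycle management"
    for role in $REQUIRED_ROLES; do
        gcloud projects add-iam-policy-binding "$project" \
            --member="serviceAccount:${sa_email}" --role="$role" >/dev/null
    done
    echo "$sa_email"
}

# Step 3: create a JSON key. The key is a long-lived credential, so umask 077
# makes the downloaded file readable by the current user only.
create_sa_key() {
    project="$1"; sa_email="$2"; key_file="$3"
    (umask 077 && gcloud iam service-accounts keys create "$key_file" \
        --project="$project" --iam-account="$sa_email")
}

# Step 4: enable the three APIs in one call.
enable_gke_apis() {
    gcloud services enable $REQUIRED_APIS --project="$1"
}

# Offline check: read role names (one per line, as printed by
#   gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:SA_EMAIL" --format="value(bindings.role)")
# from stdin and print every required role that is not granted.
missing_roles() {
    granted=$(cat)
    for role in $REQUIRED_ROLES; do
        printf '%s\n' "$granted" | grep -qxF "$role" || echo "$role"
    done
}

# Offline check: read enabled service names (one per line, as printed by
#   gcloud services list --enabled --project=PROJECT_ID --format="value(config.name)")
# from stdin and print every required API that is not enabled.
missing_apis() {
    enabled=$(cat)
    for api in $REQUIRED_APIS; do
        printf '%s\n' "$enabled" | grep -qxF "$api" || echo "$api"
    done
}

# Offline check on the downloaded key file before it is uploaded as a Cloud
# Credential: it must exist, be readable only by its owner (group/other bits
# all clear in ls -l output), and describe a service account. Returns 0 on success.
check_key_file() {
    key_file="$1"
    [ -f "$key_file" ] || { echo "missing: $key_file" >&2; return 1; }
    perms=$(ls -l "$key_file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$key_file is readable by group/others" >&2; return 1; }
    grep -q '"type": *"service_account"' "$key_file" || { echo "not a service account key" >&2; return 1; }
    grep -q '"client_email"' "$key_file" || { echo "no client_email in key" >&2; return 1; }
    return 0
}

# Usage (needs gcloud and an authenticated session):
#   . ./gke-sa-setup.sh
#   SA=$(create_controller_sa my-project gke-controller)
#   create_sa_key my-project "$SA" ./gke-controller-key.json
#   enable_gke_apis my-project
#   check_key_file ./gke-controller-key.json
```

The three check functions are deliberately separated from the gcloud calls so that the same script can be used later to confirm that the service account still holds exactly the roles the Controller needs and that the key file has not been left world-readable.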



Share VPC Network

A Shared Virtual Private Cloud (VPC) lets you link resources from several projects to a central VPC network. With Shared VPC, one project is designated as the host project and one or more additional service projects (target projects) are attached to it. The VPC networks in the host project are referred to as Shared VPC networks. During cluster provisioning, the Shared VPC can be used by the target clusters.

To share the VPC network, the user must have the permission compute.networks.get.

Below is an example of a host project, kr-test-200723, and a target project, demos.


Once the VPC network is shared, users can retrieve the Pod Secondary CIDR Range (Name) and the Service Secondary CIDR Range (Name) from the subnet's details page.
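Retrieving the two secondary range names from the subnet details page is a console step; the following is an added example (not code from the original page or from the product it documents) that reads the same information with gcloud and checks it before it is entered into a cluster configuration. HOST_PROJECT, SERVICE_PROJECT, REGION, SUBNET and the range names are placeholders; the gcloud commands are real, but the --format and --flatten paths used to print the ranges are my assumptions about their output fields. The range_cidr, ip2int and cidrs_overlap functions run offline on text piped in, which is how the checks below are exercised with constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original page. Placeholders: HOST_PROJECT,
# SERVICE_PROJECT, REGION, SUBNET, POD_RANGE, SVC_RANGE.

# Print the Shared VPC host project that SERVICE_PROJECT is attached to.
# (The value(name) path is assumed to yield the host project id.)
shared_vpc_host() {
    gcloud compute shared-vpc get-host-project "$1" --format="value(name)"
}

# Print "rangeName<TAB>ipCidrRange" for every secondary range of a subnet in
# the host project. (flatten/format paths are assumptions about the resource fields.)
subnet_secondary_ranges() {
    host="$1"; region="$2"; subnet="$3"
    gcloud compute networks subnets describe "$subnet" \
        --project="$host" --region="$region" \
        --flatten="secondaryIpRanges[]" \
        --format="value(secondaryIpRanges.rangeName,secondaryIpRanges.ipCidrRange)"
}

# Offline: read "name<TAB>cidr" lines from stdin and print the CIDR for NAME.
# Returns 1 when no range with that name exists.
range_cidr() {
    name="$1"
    while IFS="$(printf '\t')" read -r rname cidr; do
        if [ "$rname" = "$name" ]; then
            echo "$cidr"
            return 0
        fi
    done
    return 1
}

# Offline: numeric value of a dotted-quad IPv4 address.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Offline: returns 0 when two CIDRs overlap. Both networks are compared under
# the shorter of the two prefixes; a pod range and a service range must not overlap.
cidrs_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Resolve both named ranges for a target cluster's subnet and confirm that
# they exist and do not overlap. Prints the two CIDRs on success.
check_gke_ranges() {
    host="$1"; region="$2"; subnet="$3"; pod_range="$4"; svc_range="$5"
    ranges=$(subnet_secondary_ranges "$host" "$region" "$subnet")
    pod=$(printf '%s\n' "$ranges" | range_cidr "$pod_range") || { echo "no range named $pod_range" >&2; return 1; }
    svc=$(printf '%s\n' "$ranges" | range_cidr "$svc_range") || { echo "no range named $svc_range" >&2; return 1; }
    if cidrs_overlap "$pod" "$svc"; then echo "$pod and $svc overlap" >&2; return 1; fi
    echo "pods=$pod services=$svc"
}

# Usage (needs gcloud and an authenticated session):
#   . ./shared-vpc-check.sh
#   HOST=$(shared_vpc_host SERVICE_PROJECT)
#   check_gke_ranges "$HOST" REGION SUBNET POD_RANGE SVC_RANGE
```

Running check_gke_ranges before provisioning catches the two mistakes that otherwise surface only as a failed cluster create: a range name that was mistyped from the console, and a pod range that collides with the service range.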
