GCP Prerequisites
Prerequisites
Before beginning a DKP installation, verify that you have:
An x86_64-based Linux or macOS machine with a supported version of the operating system.
The dkp binary on this machine.
Docker version 18.09.2 or later.
kubectl for interacting with the running cluster.
The GCP gcloud CLI, installed by following https://cloud.google.com/sdk/docs/install.
Control plane nodes
You must have at least three control plane nodes. Each control plane node should have at least:
4 cores
16 GiB memory
Approximately 80 GiB of free space for the volume used for /var/lib/kubelet and /var/lib/containerd.
Disk usage must be below 85% on the root volume.
DKP on GCP defaults to deploying an n2-standard-4 instance with an 80 GiB root volume for control plane nodes, which meets the above requirements.
Worker nodes
You must have at least four worker nodes. The specific number of worker nodes required for your environment can vary depending on the cluster workload and size of the nodes. Each worker node should have at least:
8 cores
32 GiB memory
Around 80 GiB of free space for the volume used for /var/lib/kubelet and /var/lib/containerd.
Disk usage must be below 85% on the root volume.
DKP on GCP defaults to deploying an n2-standard-8 instance with an 80 GiB root volume for worker nodes, which meets the above requirements.
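As an added example (not part of the DKP documentation), the following POSIX shell script checks a Linux host against the control plane and worker node minimums listed above: cores, memory, free space for the kubelet and containerd volume, and root volume usage below 85%. The function names, and the choice of /var/lib as the volume to measure for /var/lib/kubelet and /var/lib/containerd, are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify a node against the DKP GCP node minimums.
# Thresholds are the documented ones; helper names are this example's own.

# meets_node_minimums ROLE CORES MEM_GIB FREE_GIB USAGE_PCT
# ROLE is "control-plane" or "worker". Returns 0 when every documented
# minimum is met, 1 when at least one is not (each failure is printed),
# and 2 for an unknown role.
meets_node_minimums() {
    role=$1; cores=$2; mem_gib=$3; free_gib=$4; usage_pct=$5
    case "$role" in
        control-plane) min_cores=4; min_mem=16 ;;
        worker)        min_cores=8; min_mem=32 ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    ok=0
    [ "$cores" -ge "$min_cores" ] || { echo "cores: $cores < $min_cores"; ok=1; }
    [ "$mem_gib" -ge "$min_mem" ] || { echo "memory: ${mem_gib} GiB < ${min_mem} GiB"; ok=1; }
    # Approximately 80 GiB free for the /var/lib/kubelet and /var/lib/containerd volume.
    [ "$free_gib" -ge 80 ] || { echo "free space: ${free_gib} GiB < 80 GiB"; ok=1; }
    # Disk usage on the root volume must stay below 85%.
    [ "$usage_pct" -lt 85 ] || { echo "root volume usage: ${usage_pct}% >= 85%"; ok=1; }
    return $ok
}

# check_this_node [ROLE]
# Gathers the live values on a Linux host (GNU df, /proc/meminfo) and runs
# the check. ROLE defaults to "worker".
check_this_node() {
    role=${1:-worker}
    cores=$(nproc)
    # MemTotal in /proc/meminfo is in kB; convert to whole GiB.
    mem_gib=$(awk '/MemTotal/ { printf "%d", $2 / 1024 / 1024 }' /proc/meminfo)
    # Available space, in GiB, on the volume that will hold /var/lib/kubelet.
    free_gib=$(df -BG --output=avail /var/lib | awk 'NR==2 { sub("G", "", $1); print $1 }')
    # Percentage used on the root volume.
    usage_pct=$(df --output=pcent / | awk 'NR==2 { sub("%", "", $1); print $1 }')
    meets_node_minimums "$role" "$cores" "$mem_gib" "$free_gib" "$usage_pct"
}
```

Run `check_this_node control-plane` or `check_this_node worker` on the candidate node; a non-zero exit with the printed reasons tells you which documented minimum the instance misses. The default n2-standard-4 and n2-standard-8 instances with 80 GiB root volumes pass these checks.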
GCP Prerequisite Roles
If you are creating the bootstrap cluster on a non-GCP instance, or on an instance that does not have the required editor role, use one of the following options to obtain service account credentials.
(option 1) Create a service account using the following gcloud commands:
    export GCP_PROJECT=<your GCP project ID>
    export SERVICE_ACCOUNT_USER=<some new service account user>
    export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
    gcloud iam service-accounts create "$SERVICE_ACCOUNT_USER" --project="$GCP_PROJECT"
    gcloud projects add-iam-policy-binding "$GCP_PROJECT" --member="serviceAccount:$SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com" --role=roles/editor
    gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" --iam-account="$SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
(option 2) Retrieve the credentials for an existing service account using the following gcloud commands:
    export GCP_PROJECT=<your GCP project ID>
    export SERVICE_ACCOUNT_USER=<existing service account user>
    export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
    gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" --iam-account="$SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
Export the static credentials that will be used to create the cluster:
    export GCP_B64ENCODED_CREDENTIALS=$(base64 < "${GOOGLE_APPLICATION_CREDENTIALS}" | tr -d '\n')
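The key file written above is a long-lived secret that grants the editor role on the project, so it is worth validating before it is encoded and handed to the cluster create step. As an added example (not part of the DKP documentation), the following POSIX shell functions refuse a missing, non-service-account or group/world-readable key file, produce the same single-line base64 value as the export above, and verify that it decodes back to the original file. The function names are this example's own; the JSON field check relies on the "type": "service_account" field that GCP service account key files carry.

```shell
#!/bin/sh
# Added example: validate a GCP service account key file and produce
# GCP_B64ENCODED_CREDENTIALS from it. Function names are this example's own.

# encode_gcp_credentials KEYFILE
# Prints the single-line base64 encoding of KEYFILE on success (exit 0).
# Returns 1 with a message on stderr when the file is unusable.
encode_gcp_credentials() {
    keyfile=$1
    if [ ! -f "$keyfile" ]; then
        echo "credentials file not found: $keyfile" >&2
        return 1
    fi
    # A service account key is a JSON document whose "type" is
    # "service_account"; user credentials or an empty file will not work
    # as static cluster credentials.
    if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$keyfile"; then
        echo "$keyfile does not look like a service account key" >&2
        return 1
    fi
    # The key is a secret: refuse files readable by group or others.
    # GNU stat (-c) on Linux, BSD stat (-f) on macOS.
    perms=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$perms" in
        *00) ;;
        *) echo "$keyfile has mode $perms; expected owner-only access (e.g. 600)" >&2
           return 1 ;;
    esac
    # Same encoding as the documented export: base64 with newlines removed.
    encoded=$(base64 < "$keyfile" | tr -d '\n')
    # Round-trip to be sure nothing was truncated or mangled.
    if ! printf '%s' "$encoded" | base64 --decode | cmp -s - "$keyfile"; then
        echo "base64 round-trip of $keyfile failed" >&2
        return 1
    fi
    printf '%s\n' "$encoded"
}

# export_gcp_credentials
# Validates $GOOGLE_APPLICATION_CREDENTIALS and exports
# GCP_B64ENCODED_CREDENTIALS for the cluster create step.
export_gcp_credentials() {
    GCP_B64ENCODED_CREDENTIALS=$(encode_gcp_credentials "${GOOGLE_APPLICATION_CREDENTIALS:?set GOOGLE_APPLICATION_CREDENTIALS first}") || return 1
    export GCP_B64ENCODED_CREDENTIALS
}
```

Source the file and run `export_gcp_credentials` in the shell where you will run the DKP cluster create command; it leaves GCP_B64ENCODED_CREDENTIALS unset whenever any check fails, so a bad key file is caught here rather than part-way through cluster creation.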
In order to create a GCP Service Account with the editor role, the user creating the GCP Service Account needs the editor, RoleAdministrator, and SecurityAdmin roles. However, those pre-defined roles grant more permissions than the minimum set needed to create a DKP cluster.
NOTE: A minimal set of roles and permissions needed for the user creating the GCP Service Account is the editor role plus the following additional permissions:
compute.disks.setIamPolicy
compute.instances.setIamPolicy
iam.roles.create
iam.roles.delete
iam.roles.update
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.setIamPolicy
For more information on GCP service accounts, see GCP’s documentation: https://cloud.google.com/iam/docs/creating-managing-service-accounts