Should enable service container googleapis com before generating a service account

GSP783

Overview

Welcome to Anthos!

Kubernetes is the de-facto standard for container orchestration, and Google Kubernetes Engine (GKE) is a leader in the field of managed Kubernetes offerings. In 2018, Google brought Kubernetes to data centers with a new offering called GKE On-Prem, a certified and managed extension of the cloud-based GKE platform.

Responding to significant early successes and listening to customer needs, Google has expanded its efforts to enable your modernization effort.

Anthos is a modern application management platform announced by Google at Next '19. Anthos provides the tools and technology you need for modern, hybrid, and multi-cloud solutions, all built on the foundations of GKE. Anthos enables several features, including:

• Infrastructure provisioning in both cloud and on-premises.

• Infrastructure management tooling, security, policies and compliance solutions.

• Streamlined application development, service discovery and telemetry, service management, and workload migration from on-premises to cloud.

Lab architecture

In this lab, you will learn how to perform the following tasks:

• Understand an installed multi-cluster Kubernetes environment

• Use GKE Hub to authenticate and register a remote Kubernetes cluster using GKE Connect

• Add metadata for the remote cluster

• Review GKE clusters, remote and on Google Cloud, with GKE Dashboard

• Review workloads running in multiple locations across all your clusters

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).

• Time to complete the lab---remember, once you start, you cannot pause a lab.

After you complete the initial sign-in steps, the project dashboard appears.

How to start your lab and sign in to the Google Cloud Console

1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

   • The Open Google Console button
   • Time remaining
   • The temporary credentials that you must use for this lab
   • Other information, if needed, to step through this lab

2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

   Tip: Arrange the tabs in separate windows, side-by-side.

   Note: If you see the Choose an account dialog, click Use Another Account.

3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

   Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

5. Click through the subsequent pages:

   • Accept the terms and conditions.
   • Do not add recovery options or two-factor authentication (because this is a temporary account).
   • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

1. Click Activate Cloud Shell at the top of the Google Cloud console.

When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

1. (Optional) You can list the active account name with this command:

1. Click Authorize.

2. Your output should now look like this:

Output:

1. (Optional) You can list the project ID with this command:

Output:

Example output:

Task 1. Understand an installed multi-cluster Kubernetes environment

In this task, you will:

• Review the clusters used in this lab

• Enable the necessary APIs

• Download lab files from a GitHub repo

• Run a bootstrap script that installs tools needed to work with the clusters

Review the clusters used in this lab

In this lab you will use two Kubernetes clusters:

• A GKE cluster, named central, in the us-central1 region.

• A remote Kubernetes cluster, named remote. This cluster connects to Anthos in the same way a GKE On-Prem cluster, or a cluster on another cloud provider, would connect to Anthos. To avoid installing a VMware environment for this lab, the remote cluster runs on Compute Engine.

Enable the necessary APIs

To access some of the resource types within Google Cloud, you first need to enable a few APIs. These are enabled automatically when you first access a service through the UI or command line. To simplify the process, and reduce user prompts, you explicitly enable the APIs needed.

• In Cloud Shell, enable the APIs:

Output:

You can confirm any specific APIs are enabled by navigating to APIs & Services in the Cloud Console Navigation menu ().

Download lab files from a GitHub repo

1. From Cloud Shell clone the lab repo:

1. Go into the anthos-workshop directory:

Run a script that connects Cloud Shell to your clusters

The bootstrap script performs the following tasks:

• Installs the kubectx command-line interface (CLI) tools

• Installs the kops CLI tool

• Updates firewall rules for this Cloud Shell to access the clusters

1. Run the connect script:

   source ./common/connect-kops-remote.sh

   For this lab, you will need to allow connections to your cluster from Cloud Shell and a setup vm GCE which was pre-provisioned for you. The setup vm will be used to evaluate progress in Activity Tracking.

2. Assign the Cloud Shell and Setup VM IPs to variables:

1. Assign the source ranges:

1. Store each relevant firewall rule in an array:

1. Loop through the array updating the source ranges of each firewall rule with the IP_ADDRESS/32 value of both Cloud Shell and your Setup VM:

In this task, you enabled remote cluster APIs, installed tools to Cloud Shell including kubectx and istioctl, and established credentials to access central and remote clusters.

The remote cluster that is created will be left detached from Anthos at this time. In the next section, you access the cluster and register it with GKE Hub.

Click Check my progress to verify the objective. Install multicluster kubernetes environment

Task 2. Use GKE Hub to authenticate and register a remote Kubernetes cluster using GKE Connect

GKE Hub is a centralized dashboard that allows you to view and manage all of your Kubernetes clusters from one central location. Clusters can be located within Google Cloud, on other cloud vendors, or on-premises.

The mechanism that enables this centralized management is a standard Pod deployed to your clusters called the GKE Connect agent. The agent is responsible for reaching out to the GKE Hub APIs, listening for commands, and providing updates.

GKE Hub requires that the Pods in your cluster are able to reach www.googleapis.com and gkeconnect.googleapis.com, either directly or through a configured proxy server.

In this task, you will:

• Review the existing clusters in Cloud Console

• Check on the remote cluster using kubectl

• Use a Google Cloud service account to create a private key file

• Install Connect Agent on remote cluster

• Create a Kubernetes Service Account (KSA)

• Use GKE Hub to register, authenticate, and connect to the remote cluster

Review the existing clusters in Cloud Console

• Review existing Kubernetes Clusters in Cloud Console from the Navigation menu > Kubernetes Engine > Clusters.

You will only see a single GKE cluster named central.

Check on the remote cluster using kubectl

As part of bootstrapping this lab, a Kubernetes cluster was provisioned on Compute Engine. This simulates a cluster running outside of Google Cloud. The procedure that follows can be applied to any Kubernetes cluster that can access the GKE control plane APIs mentioned earlier.

For example, this works equally well on different cloud vendors' conforming Kubernetes clusters or VMWare-based clusters using the GKE On-Prem binaries.

1. First, get credentials to access the remote cluster which was created using kOps:

1. Verify the remote cluster is running:

   kubectl get nodes

   Output:

Use a Google Cloud service account to create a private key file

A JSON file containing Google Cloud service account credentials is required to register a cluster. It is recommended that a distinct service account be created for every cluster registration. A service account with a name of format has already been created for you.

In the following steps, you'll assign the appropriate Cloud IAM roles to the service account, and you'll create a JSON private key containing the service account's credentials.

1. Grant the service account permission to register clusters by assigning the gkehub.connect Cloud IAM role to the service account:

   export PROJECT=$(gcloud config get-value project) export GKE_SA_CREDS=$WORK_DIR/anthos-connect-creds.json gcloud projects add-iam-policy-binding $PROJECT \ --member="serviceAccount:$PROJECT@$PROJECT.iam.gserviceaccount.com" \ --role="roles/gkehub.connect"

Output:

1. Generate and download a private key to use later:

   gcloud iam service-accounts keys create $GKE_SA_CREDS \ --iam-account=$PROJECT@$PROJECT.iam.gserviceaccount.com \ --project=$PROJECT

Output:

Click Check my progress to verify the objective. Create a gcp service account key

Install Connect Agent on the remote cluster

1. Register the remote cluster using gcloud:

   export REMOTE_CLUSTER_NAME="remote" gcloud container hub memberships register $REMOTE_CLUSTER_NAME \ --context=$(kubectl config current-context) \ --service-account-key-file=$GKE_SA_CREDS \ --project=$PROJECT

   This creates a membership, then installs the Connect Agent.

Output:

1. Review existing Kubernetes Clusters in Cloud Console from the Navigation menu > Kubernetes Engine > Clusters.

2. You may need to click Refresh.

Now you see the remote cluster listed, but you need to log in before it's fully connected.

Click Check my progress to verify the objective. Create a gke hub membership

Create a Kubernetes Service Account (KSA)

To finalize the registration and connection, you need to authenticate and log into the remote cluster through the Console. Currently, you can authenticate to an external cluster in one of three ways:

• Token-based authentication: using a Kubernetes Service Account (KSA) with proper RBAC roles to authenticate (using its Secret as a token).
• Basic authentication: using a username and password.
• OpenID Connect.

Most Kubernetes clusters with RBAC enabled have basic authentication disabled.

You can use the KSA token method to authenticate to the remote cluster.

1. Switch kubectl context to remote:

   kubectx remote.k8s.local

2. Create a KSA that you will use to log in:

   export KSA=remote-admin-sa kubectl create serviceaccount $KSA

   Output:

   serviceaccount/remote-admin-sa created

3. Assign it the cluster-admin ClusterRole:

   kubectl create clusterrolebinding ksa-cluster-admin-binding \ --clusterrole cluster-admin \ --serviceaccount default:$KSA

   Output:

   clusterrolebinding.rbac.authorization.k8s.io/ksa-admin-binding created

4. Extract the token from its associated Secret:

   printf "\n$(kubectl describe secret $KSA | sed -ne 's/^token: *//p')\n\n"

   Output:

   aSB3aWxsIG5vdCB0cnkgdG8gc3RlYWwgc29tZW9uZSBlbHNlcyB0b2tlbiBhZ2FpbgppIHdpbGwgbm90IHRyeSB0byBzdGVhbCBzb21lb25lIGVsc2VzIHRva2VuIGFnYWluCmkgd2lsbCBub3QgdHJ5IHRvIHN0ZWFsIHNvbWVvbmUgZWxzZXMgdG9rZW4gYWdhaW4KaSB3aWxsIG5vdCB0cnkgdG8gc3RlYWwgc29tZW9uZSBlbHNlcyB0b2tlbiBhZ2FpbgppIHdpbGwgbm90IHRyeSB0byBzdGVhbCBzb21lb25lIGVsc2VzIHRva2VuIGFnYWluCmkgd2lsbCBub3QgdHJ5IHRvIHN0ZWFsIHNvbWVvbmUgZWxzZXMgdG9rZW4gYWdhaW4KaSB3aWxsIG5vdCB0cnkgdG8gc3RlYWwgc29tZW9uZSBlbHNlcyB0b2tlbiBhZ2FpbgppIHdpbGwgbm90IHRyeSB0byBzdGVhbCBzb21lb25lIGVsc2VzIHRva2VuIGFnYWluCmkgd2lsbCBub3QgdHJ5IHRvIHN0ZWFsIHNvbWVvbmUgZWxzZXMgdG9rZW4gYWdhaW4K

   That is an excerpt from the KSA token.

5. Copy the value of the token returned to the clipboard.

6. In Cloud Shell, select the token output by carefully selecting the text, without capturing any trailing spaces.

   Important: Using Ctrl+c or Command+c will copy over new line breaks from the display, instead of treating the token as a single line of text. Simply selecting text in Cloud Shell will put the contents in your clipboard buffer.

Click Check my progress to verify the objective. Create kubernetes service account

Use GKE Hub to register, authenticate, and connect to the remote cluster

1. Open Kubernetes Clusters in Cloud Console from the Navigation menu > Kubernetes Engine > Clusters.

1. Click on the three dots next to your remote cluster and then click Log in.

   Note: Logging into the cluster through Cloud Console is specific to the user. If another user logs into the Console and has the permissions to view Kubernetes clusters, that user would have to log in to remote with their own credentials. In this example, you generated a remote-admin-sa KSA with the cluster-admin ClusterRole. Typically, each user would use their own KSA to log into the cluster from Cloud Console. GKE Connect leverages your end-user credentials and per-user RBAC rules for all actions. Users have scoped access to the resources they expect, and Kubernetes audit logs will continue to function as required.

2. Fill out the Log in to cluster form.

   • Select Token as the authentication method
   • Paste the token value copied from the previous step to the Token field
   • Click Login

3. Kubernetes Clusters in Cloud Console updates on success.

   Confirm that the login is successful.

Click Check my progress to verify the objective. Register and connect to the remote cluster

Task 3. Add metadata for the remote cluster

As a best practice, describe the remote cluster with detailed metadata.

1. From Kubernetes clusters, click into the remote cluster.

2. In the following page, navigate to the Labels section and click the pencil icon:

3. Click on + ADD LABEL to add a key and value.

   • Add the key location
   • Provide a value of remote

   Feel free to add more labels as desired, such as key:env, value:prod.

4. Click Save, then click on the back arrow to return to the clusters page.

   The Labels column has been updated, and your updates are shown.

Click Check my progress to verify the objective. Add metadata to remote cluster

Task 4. Review GKE clusters, remote and on Google Cloud, with GKE Dashboard

In this task, you inspect the underlying nodes in your remote cluster.

Review the existing clusters in Cloud Console

1. Click into the remote cluster details in Cloud Console from the Navigation menu > Kubernetes Engine > Clusters.

You can see the labels you created and authentication status.

1. Click to switch to the Nodes tab of Kubernetes cluster details.

1. Click one of the nodes to review Node details.

You can see the resources of the nodes (CPU, memory, storage) as well as pods that are running on that node.

Task 5. Review workloads running in multiple locations across all your clusters

In this task, you review workloads across all clusters using GKE Hub (system workloads)

Review the existing workloads in Cloud Console

The Cloud Console has a view which shows aggregates of all the workloads running on all your GKE clusters. With Anthos, you can see the workloads running on all your remote clusters.

1. Open Kubernetes Workloads in Cloud Console from the Navigation menu > Kubernetes Engine > Workloads.

2. Remove the filter Is system object: False.

   Observe that workloads from both clusters are shown. Notice the GKE Connect Agent is running in remote.

3. Click on workloads in both clusters.

4. Verify that that the same information is shown for workloads, like kube-dns, that run in both central and in the remote cluster.

Congratulations

In this lab you have installed multi-cluster Kubernetes environment, used GKE Hub to authenticate and register a remote Kubernetes cluster using GKE Connect and added metadata for the cluster.

Next steps

Read more about registering clusters in these reference guides:

• GKE On-Prem overview

GKE On-Prem is a certified and managed extension of the cloud-based GKE platform.

• Google Kubernetes Engine (GKE)
• Kubernetes

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated October 24, 2022

Lab Last Tested August 12, 2022

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.

When creating a new service account what does Google Cloud use to create a Google managed key pair?

Why does GCP require service account?