GSP783
Overview
Welcome to Anthos! Kubernetes is the de-facto standard for container orchestration, and Google Kubernetes Engine (GKE) is a leader in the field of managed Kubernetes offerings. In 2018, Google brought Kubernetes to data centers with a new offering called GKE On-Prem, a certified and managed extension of the cloud-based GKE platform. Responding to significant early successes and listening to customer needs, Google has expanded its efforts to enable your modernization effort. Anthos is a modern application management platform announced by Google at Next '19. Anthos provides the tools and technology you need for modern, hybrid, and multi-cloud solutions, all built on the foundations of GKE. Anthos enables several features, including:
Lab architecture
In this lab, you will learn how to perform the following tasks:
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you. This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab. To complete this lab, you need:
How to start your lab and sign in to the Google Cloud Console
After you complete the initial sign-in steps, the project dashboard appears.
After a few moments, the Cloud Console opens in this tab. Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.
Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:
Your Cloud Platform project in this session is set to YOUR_PROJECT_ID
Output:
ACTIVE: *
ACCOUNT:
To set the active account, run:
$ gcloud config set account `ACCOUNT`
Output:
[core]
project = <project_ID>
Example output:
[core]
project = qwiklabs-gcp-44776a13dea667a6
Note: For full documentation of gcloud in Google Cloud, refer to the gcloud CLI overview guide.
Task 1. Understand an installed multi-cluster Kubernetes environment
In this task, you will:
Review the clusters used in this lab
In this lab you will use two Kubernetes clusters:
Enable the necessary APIs
To access some of the resource types within Google Cloud, you first need to enable a few APIs. These are normally enabled on demand the first time you access a service through the UI or command line. To simplify the process and avoid interactive prompts, you explicitly enable the APIs this lab needs up front.
Output:
Operation "operations/acf.e33064b2-43fc-43dc-9ec6-ad28658a338d" finished successfully.
Warning: An error occurs when executing this step if Anthos API access is not properly enabled. You can confirm that any specific API is enabled by navigating to APIs & Services in the Cloud Console Navigation menu.
Download lab files from a GitHub repo
Run a script that connects Cloud Shell to your clusters
The bootstrap script performs the following tasks:
In this task, you enabled remote cluster APIs, installed tools to Cloud Shell including kubectx and istioctl, and established credentials to access the
Click Check my progress to verify the objective.
Install multicluster kubernetes environment
Task 2. Use GKE Hub to authenticate and register a remote Kubernetes cluster using GKE Connect
GKE Hub is a centralized dashboard that allows you to view and manage all of your Kubernetes clusters from one central location. Clusters can be located within Google Cloud, on other cloud vendors, or on-premises. The mechanism that enables this centralized management is a standard Pod deployed to your clusters called the GKE Connect agent. The agent is responsible for reaching out to the GKE Hub APIs, listening for commands, and providing updates. Because the agent initiates this connection outbound from the cluster, GKE Hub needs no inbound network path to the cluster's API server; it does, however, require that the Pods in your cluster are able to reach
In this task, you will:
Review the existing clusters in Cloud Console
You will only see a single GKE cluster named
Check on the remote cluster using kubectl
As part of bootstrapping this lab, a Kubernetes cluster was provisioned on Compute Engine. This simulates a cluster running outside of Google Cloud. The procedure that follows can be applied to any Kubernetes cluster that can reach the GKE control plane APIs mentioned earlier. For example, it works equally well on another cloud vendor's conformant Kubernetes clusters or on VMware-based clusters running the GKE On-Prem binaries.
Use a Google Cloud service account to create a private key file
A JSON file containing Google Cloud service account credentials is required to register a cluster. It is recommended that a distinct service account be created for every cluster registration, so that a leaked key can be revoked without affecting other clusters. A service account with a name of format
In the following steps, you'll assign the appropriate Cloud IAM roles to the service account, and you'll create a JSON private key containing the service account's credentials. That key file is a long-lived credential: keep it out of source control, restrict its file permissions, and delete or rotate it when the cluster is unregistered.
Output:
Updated IAM policy for project [qwiklabs-gcp-xxxxxxxxxx].
bindings:
...
etag: BwWQyH9ObbI=
version: 1
Output:
created key [###] of type [json] as [.../anthos-workshop/workdir/anthos-connect-creds.json] for []
Click Check my progress to verify the objective.
Create a gcp service account key
Install Connect Agent on the remote cluster
Output:
Waiting for membership to be created...done.
Created a new membership [...] for the cluster [remote]
Generating the Connect Agent manifest...
Deploying the Connect Agent on cluster [remote] in namespace [gke-connect]...
Deployed the Connect Agent on cluster [remote] in namespace [gke-connect].
Finished registering the cluster [remote] with the Hub.
Note: You can also register remote clusters using the Cloud Console UI with Register Cluster.
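The service account, key file and registration steps above, as an added example that is not the lab's own script. It creates a per-cluster service account holding only roles/gkehub.connect, mints the JSON key with a restrictive umask, checks the key file before use, and runs the registration. The names are assumptions: project from PROJECT_ID, cluster and kubeconfig context "remote", service account "remote-connect-sa", and the key path ./anthos-connect-creds.json. Set DRY_RUN=1 to print the gcloud commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not the lab's bootstrap script. Assumed names: PROJECT_ID,
# cluster/context "remote", SA "remote-connect-sa", key ./anthos-connect-creds.json.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-project}"          # assumption; normally from gcloud config
CLUSTER="${CLUSTER:-remote}"
SA_NAME="${SA_NAME:-${CLUSTER}-connect-sa}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-./anthos-connect-creds.json}"

# Execute the command, or with DRY_RUN=1 only print it.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One service account per registered cluster, with the single role the
# Connect agent needs (roles/gkehub.connect), so a leaked key is revocable
# without touching other clusters.
create_connect_sa() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
      --display-name "GKE Connect agent for $CLUSTER"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$SA_EMAIL" --role roles/gkehub.connect
}

# Mint the JSON key inside a subshell with umask 077 so the file is never
# group- or world-readable, even briefly.
create_key() {
  (umask 077; run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account "$SA_EMAIL" --project "$PROJECT_ID")
}

# Offline check of the key file before it is handed to the register command:
# present, owner-only (0600), and carrying the fields a service account key has.
check_key_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ] || { echo "bad mode $mode (want 600): $f"; return 1; }
  grep -q '"type": *"service_account"' "$f" || { echo "not a service account key: $f"; return 1; }
  grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$f" || { echo "no private key: $f"; return 1; }
  grep -q '"client_email": *"' "$f" || { echo "no client_email: $f"; return 1; }
  echo "ok: $f"
}

# Register the cluster through the kubeconfig context. Newer gcloud releases
# expose the same command under "gcloud container fleet memberships register".
register_cluster() {
  check_key_file "$KEY_FILE"
  run gcloud container hub memberships register "$CLUSTER" \
      --context "$CLUSTER" --kubeconfig "$HOME/.kube/config" \
      --service-account-key-file "$KEY_FILE" --project "$PROJECT_ID"
}
```

Typical use is `create_connect_sa && create_key && register_cluster`; if `check_key_file` rejects the key, fix the file mode or regenerate the key rather than loosening the check.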
Now you see the
Click Check my progress to verify the objective.
Create a gke hub membership
Create a Kubernetes Service Account (KSA)
To finalize the registration and connection, you need to authenticate and log into the
Most Kubernetes clusters with RBAC enabled have basic authentication disabled. You can use the KSA token method to authenticate to the
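The KSA token method described above, as an added example rather than the lab's own commands. It creates the service account, binds it to a read-only ClusterRole covering the objects the Cloud Console dashboard lists instead of granting cluster-admin (which works but is far broader than a dashboard login needs), and retrieves a bearer token to paste into the Console. Assumed names: KSA "remote-admin-sa" in namespace "default", ClusterRole "cloud-console-reader", and kubeconfig context "remote"; widen the rules only if a later task needs write access.

```shell
#!/usr/bin/env bash
# Added example, not the lab's commands. Assumed: KSA "remote-admin-sa",
# namespace "default", ClusterRole "cloud-console-reader", context "remote".
set -euo pipefail

KSA="${KSA:-remote-admin-sa}"
NS="${NS:-default}"
CTX="${CTX:-remote}"

# Render the ServiceAccount, a read-only ClusterRole, and the binding.
render_rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA}
  namespace: ${NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes", "pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${KSA}-console-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloud-console-reader
subjects:
- kind: ServiceAccount
  name: ${KSA}
  namespace: ${NS}
EOF
}

# Reviewer check before applying: no write or wildcard verbs anywhere in the manifest.
manifest_grants_only_read() {
  ! printf '%s\n' "$1" | grep -Eq '"(create|update|patch|delete|\*)"'
}

apply_rbac() {
  local m
  m=$(render_rbac_manifest)
  manifest_grants_only_read "$m" || { echo "manifest grants write access; refusing"; return 1; }
  printf '%s\n' "$m" | kubectl --context "$CTX" apply -f -
}

# Kubernetes 1.24+ no longer auto-creates a token Secret per service account,
# so request a time-bounded token; fall back to the legacy Secret on older clusters.
get_token() {
  if kubectl --context "$CTX" -n "$NS" create token "$KSA" --duration=1h 2>/dev/null; then
    return
  fi
  local secret
  secret=$(kubectl --context "$CTX" -n "$NS" get serviceaccount "$KSA" -o jsonpath='{.secrets[0].name}')
  kubectl --context "$CTX" -n "$NS" get secret "$secret" -o jsonpath='{.data.token}' | base64 --decode
}
```

Run `apply_rbac` once, then `get_token` and paste the printed token into the Console's Token login field. The bounded token expires after an hour; the legacy Secret token does not, so delete the KSA when the lab is finished.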
Click Check my progress to verify the objective.
Create kubernetes service account
Use GKE Hub to register, authenticate, and connect to the remote cluster
Click Check my progress to verify the objective.
Register and connect to the remote cluster
Task 3. Add metadata for the remote cluster
As a best practice, describe the
Click Check my progress to verify the objective.
Add metadata to remote cluster
Task 4. Review GKE clusters, remote and on Google Cloud, with GKE Dashboard
In this task, you inspect the underlying nodes in your
Review the existing clusters in Cloud Console
You can see the labels you created and authentication status.
You can see the resources of the nodes (CPU, memory, storage) as well as the pods that are running on that node.
Task 5. Review workloads running in multiple locations across all your clusters
In this task, you review workloads across all clusters using GKE Hub (system workloads).
Review the existing workloads in Cloud Console
The Cloud Console has a view which shows aggregates of all the workloads running on all your GKE clusters. With Anthos, you can see the workloads running on all your remote clusters as well.
Congratulations
In this lab you installed a multi-cluster Kubernetes environment, used GKE Hub to authenticate and register a remote Kubernetes cluster using GKE Connect, and added metadata for the cluster.
Next steps
Read more about registering clusters in these reference guides:
GKE On-Prem is a certified and managed extension of the cloud-based GKE platform.
Google Cloud training and certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual Last Updated October 24, 2022
Lab Last Tested August 12, 2022
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
When you create a new service account, how does Google Cloud create its Google-managed key pair?
Google generates the key pair itself and keeps both halves; the private key of a Google-managed key is never exported to you. Only for a user-managed key, such as the JSON key created with gcloud in Task 2 or through the IAM API, does Google generate the pair, store only the public key, and return the private key to you, which is why that file must be protected and rotated.
Why does Google Cloud use service accounts?
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).