In addition to meeting the installation, hardware, and operating system prerequisites, you must configure and set up Google Cloud projects, APIs, and service accounts to run Google Distributed Cloud.

Note that the bmctl command can automatically enable service accounts and APIs at cluster creation time, but you can also set up these services manually for finer control of operations.
Enabling APIs

To enable APIs in your project, one of the following roles must be assigned to your account: roles/owner, roles/editor, or roles/serviceusage.serviceUsageAdmin. For additional information, see Grant a single role.
Set your default Google Cloud project ID and roles

You can set your default project ID in addition to configuring service accounts. You must have the owner or editor role on your project for Google Distributed Cloud.

To set the default project, issue the following command, replacing PROJECT_ID with your Google Cloud project ID:

    gcloud config set project PROJECT_ID
Configure service accounts manually

The bmctl command of Google Distributed Cloud can automatically set up Google service accounts and APIs when you create clusters. However, for more control over your system, or to streamline cluster creation with a default set of services, accounts, and projects, you can set up these services manually.

Google Distributed Cloud connects your clusters to Google Cloud. This connection enables the following functionality:

- Connect, to connect your bare metal cluster to Google Cloud. This enables access to cluster and workload management features, including a unified user interface, the Cloud console, to interact with your cluster.
- Logging and Monitoring, to view logs and metrics from the cluster in the Cloud console.
- Automatic uploads of cluster snapshots to Cloud Storage buckets.

The process for manually configuring access includes:

- Enabling the necessary Google services in your Cloud project.
- Creating the following service accounts with the necessary roles:
  - connect-agent service account: Connect uses this service account to maintain a connection between your cluster and Google Cloud.
  - connect-register service account: Connect uses this service account to register your clusters with Google Cloud.
  - logging-monitoring service account: Connect uses this service account to export logs and metrics from clusters to Logging and Monitoring.
  - storage-agent service account: bmctl uses this service account to automatically store snapshots of clusters to Cloud Storage.
- Downloading the JSON key files for each service account.

You then add references to the JSON key files to the appropriate cluster config files. See Creating clusters: overview for more information.
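The key files downloaded in the last step are long-lived credentials that the cluster config files reference by path. The following POSIX shell script is an added example, not part of this page or of bmctl; it checks a downloaded key file before you wire it into a config: that the file is a service-account key, that its client_email and project_id name the expected account and project, and that the file mode keeps it unreadable to other users. It assumes the pretty-printed, one-field-per-line JSON that gcloud writes; the functions check_key_file, json_field and write_sample_key, the sample key contents, and the project ID my-project are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Google Distributed Cloud docs or bmctl: sanity
# checks on a downloaded service-account key file before its path is placed in
# a cluster config. Assumes the one-field-per-line JSON that gcloud writes.
set -u

# Extract a top-level string field from a one-field-per-line JSON key file.
json_field() { # FILE FIELD
  sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Returns 0 when FILE is a service-account key for NAME in PROJECT with an
# owner-only file mode; prints one line per failed check and returns 1 otherwise.
check_key_file() { # FILE NAME PROJECT
  file=$1; expected="$2@$3.iam.gserviceaccount.com"; rc=0
  [ -r "$file" ] || { echo "$file: not readable"; return 1; }
  [ "$(json_field "$file" type)" = "service_account" ] ||
    { echo "$file: type is not service_account"; rc=1; }
  [ "$(json_field "$file" project_id)" = "$3" ] ||
    { echo "$file: project_id does not match $3"; rc=1; }
  [ "$(json_field "$file" client_email)" = "$expected" ] ||
    { echo "$file: client_email is not $expected"; rc=1; }
  case "$(json_field "$file" private_key)" in
    "-----BEGIN PRIVATE KEY-----"*) ;;
    *) echo "$file: private_key missing"; rc=1 ;;
  esac
  # Anything readable by group or others is too permissive for a key file.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case "$mode" in
    [0-7]00) ;;
    *) echo "$file: mode $mode, expected 600"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample in the shape gcloud writes; the private key is a dummy.
write_sample_key() { # FILE
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "connect-agent-svc-account@my-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
}

# Usage: sh check-key.sh KEYFILE ACCOUNT_NAME PROJECT_ID
if [ $# -ge 3 ]; then
  check_key_file "$1" "$2" "$3"
fi
```

Run it once per key file, for example sh check-key.sh connect-agent.json connect-agent-svc-account PROJECT_ID; a non-zero exit lists the checks that failed. The mode check is the one most often missed: gcloud creates the file with a restrictive mode, but a copy made with a permissive umask will not keep it.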
Configure service accounts for use with Connect

To create the service accounts and key files:

- Make sure you are in the baremetal directory.
- Enable the necessary Google services in your Cloud project:

      gcloud services enable --project=PROJECT_ID \
          gkeconnect.googleapis.com \
          gkehub.googleapis.com \
          cloudresourcemanager.googleapis.com \
          anthos.googleapis.com

- Create the connect-agent service account with the necessary role and download the key file. These steps create the connect-agent.json key file in the baremetal directory:
  - Create the service account:

        gcloud iam service-accounts create connect-agent-svc-account --project=PROJECT_ID

  - Grant the gkehub.connect role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/gkehub.connect"

  - Download the service account JSON key file:

        gcloud iam service-accounts keys create connect-agent.json \
            --project=PROJECT_ID \
            --iam-account=connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com

- Create the connect-register service account with the necessary role and download the key file. These steps create the connect-register.json key file in the baremetal directory:
  - Create the service account:

        gcloud iam service-accounts create connect-register-svc-account \
            --project=PROJECT_ID

  - Grant the gkehub.admin role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role=roles/gkehub.admin

  - Download the service account JSON key file:

        gcloud iam service-accounts keys create connect-register.json \
            --project=PROJECT_ID \
            --iam-account=connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com
Configure a service account to audit logs and monitor projects

To create the service account and key file for logging and monitoring:

- Make sure you are in the baremetal directory.
- Enable the necessary Google services in your Cloud project:

      gcloud services enable --project PROJECT_ID \
          anthos.googleapis.com \
          anthosaudit.googleapis.com \
          anthosgke.googleapis.com \
          cloudresourcemanager.googleapis.com \
          gkeconnect.googleapis.com \
          gkehub.googleapis.com \
          serviceusage.googleapis.com \
          stackdriver.googleapis.com \
          monitoring.googleapis.com \
          logging.googleapis.com \
          opsconfigmonitoring.googleapis.com

- Create the logging-monitoring service account with the necessary roles and download the key file. These steps create the cloud-ops.json key file in the baremetal directory:
  - Create the service account:

        gcloud iam service-accounts create logging-monitoring-svc-account \
            --project=PROJECT_ID

  - Grant the logging.logWriter role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/logging.logWriter"

  - Grant the monitoring.metricWriter role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/monitoring.metricWriter"

  - Grant the roles/stackdriver.resourceMetadata.writer role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/stackdriver.resourceMetadata.writer"

  - Grant the roles/opsconfigmonitoring.resourceMetadata.writer role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/opsconfigmonitoring.resourceMetadata.writer"

  - Grant the roles/monitoring.dashboardEditor role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/monitoring.dashboardEditor"

  - Download the service account JSON key file:

        gcloud iam service-accounts keys create cloud-ops.json \
            --project=PROJECT_ID \
            --iam-account=logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com
Configure a service account that can upload to a Cloud Storage bucket

To create the service account and key file that enable cluster snapshots to be uploaded automatically to Cloud Storage buckets:

- Make sure you are in the baremetal directory.
- Enable the necessary Google services in your Cloud project:

      gcloud services enable --project=PROJECT_ID \
          storage.googleapis.com

- Create a service account that the bmctl check cluster --snapshot command will use to automatically upload a cluster snapshot to a Cloud Storage bucket:

      gcloud iam service-accounts create storage-agent-svc-account \
          --project=PROJECT_ID

- Grant the storage.admin role to the service account so that it can upload data to a Cloud Storage bucket:

      gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:storage-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/storage.admin"

- Download the service account JSON key file:

      gcloud iam service-accounts keys create storage-agent.json \
          --iam-account=storage-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com

For more information about how to create cluster snapshots and automatically upload them to a Cloud Storage bucket, see Create snapshots to help diagnose cluster problems.
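The three sections above apply the same pattern to each account: enable APIs, create the account, bind its roles, download a key. The following POSIX shell script is an added example, not part of this page or of bmctl, that runs that pattern for all four accounts in a form that is safe to re-run: it skips accounts and key files that already exist, verifies after binding that each account actually holds the roles the page grants, and restricts each downloaded key file to its owner. It assumes PROJECT_ID is exported, gcloud is authenticated, and the script runs from the baremetal directory; the function names and the GCLOUD override used for dry runs are constructed for this example. The verification step goes slightly beyond the page by also reporting any role bound to an account that the page does not grant, which is the usual sign of drift on accounts meant to carry only what their component needs.

```shell
#!/bin/sh
# Added example, not from the Google Distributed Cloud docs or bmctl: the four
# service accounts from this page, provisioned idempotently. Assumes PROJECT_ID
# is exported, gcloud is authenticated, and the working directory is baremetal.
# GCLOUD can be pointed at a stand-in command or function for a dry run.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Project IDs are 6-30 characters of lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Create the account only when "describe" cannot find it.
ensure_account() { # NAME PROJECT
  "$GCLOUD" iam service-accounts describe "$(sa_email "$1" "$2")" \
    --project="$2" >/dev/null 2>&1 ||
    "$GCLOUD" iam service-accounts create "$1" --project="$2"
}

# One binding per role, exactly as the page does it.
bind_roles() { # NAME PROJECT ROLE...
  name=$1; project=$2; shift 2
  for role in "$@"; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$(sa_email "$name" "$project")" --role="$role"
  done
}

# Project-level roles currently bound to the account, one per line.
bound_roles() { # NAME PROJECT
  "$GCLOUD" projects get-iam-policy "$2" --flatten="bindings[].members" \
    --filter="bindings.members:$(sa_email "$1" "$2")" \
    --format="value(bindings.role)"
}

# Fail if an expected role is missing; report any role beyond the expected set.
verify_roles() { # NAME PROJECT ROLE...
  name=$1; project=$2; shift 2
  actual=$(bound_roles "$name" "$project")
  rc=0
  for role in "$@"; do
    printf '%s\n' "$actual" | grep -qxF "$role" ||
      { echo "MISSING $name $role" >&2; rc=1; }
  done
  for role in $actual; do
    case " $* " in *" $role "*) ;; *) echo "EXTRA $name $role" >&2 ;; esac
  done
  return $rc
}

# Download a key only once, then restrict it to the owner: it is a long-lived
# credential that the cluster config files will reference by path.
fetch_key() { # NAME PROJECT FILE
  [ -f "$3" ] || "$GCLOUD" iam service-accounts keys create "$3" \
    --project="$2" --iam-account="$(sa_email "$1" "$2")"
  chmod 600 "$3"
}

provision() { # NAME PROJECT KEYFILE ROLE...
  name=$1; project=$2; keyfile=$3; shift 3
  ensure_account "$name" "$project"
  bind_roles "$name" "$project" "$@"
  verify_roles "$name" "$project" "$@"
  fetch_key "$name" "$project" "$keyfile"
}

main() {
  valid_project_id "$PROJECT_ID" || { echo "invalid PROJECT_ID" >&2; exit 1; }
  # Union of the APIs enabled across the three sections of the page.
  "$GCLOUD" services enable --project="$PROJECT_ID" \
    anthos.googleapis.com anthosaudit.googleapis.com anthosgke.googleapis.com \
    cloudresourcemanager.googleapis.com gkeconnect.googleapis.com \
    gkehub.googleapis.com serviceusage.googleapis.com stackdriver.googleapis.com \
    monitoring.googleapis.com logging.googleapis.com \
    opsconfigmonitoring.googleapis.com storage.googleapis.com
  provision connect-agent-svc-account "$PROJECT_ID" connect-agent.json \
    roles/gkehub.connect
  provision connect-register-svc-account "$PROJECT_ID" connect-register.json \
    roles/gkehub.admin
  provision logging-monitoring-svc-account "$PROJECT_ID" cloud-ops.json \
    roles/logging.logWriter roles/monitoring.metricWriter \
    roles/stackdriver.resourceMetadata.writer \
    roles/opsconfigmonitoring.resourceMetadata.writer \
    roles/monitoring.dashboardEditor
  provision storage-agent-svc-account "$PROJECT_ID" storage-agent.json \
    roles/storage.admin
}

# Runs only as "sh setup-accounts.sh run"; otherwise the functions can be
# sourced and exercised without touching a project.
if [ "${1:-}" = "run" ]; then main; fi
```

Because every gcloud call goes through the GCLOUD variable, a dry run with GCLOUD=echo prints the exact commands the page lists without executing them, and the MISSING/EXTRA lines from verify_roles can be fed to whatever alerting you use for IAM drift.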