In GKE on Bare Metal, you set up admin clusters to manage other clusters securely. You can create, update, upgrade, or delete user clusters from admin clusters. The user clusters run workloads separately from administration, so sensitive information is protected.
Admin clusters managing multi-cluster workloads can provide highly available (HA) reliability. In a HA cluster, if one control plane node fails, other nodes will continue to work.
An admin cluster in a multi-cluster environment provides the best fundamental security. Because access to administration data is separated from workloads, those who access user workloads have no access to sensitive administrative data, like SSH keys and service account data. As a result, there is some trade-off between security and the resources required, since a separate admin cluster means you need dedicated resources for management and workloads.
You create an admin cluster using the bmctl command. After you create
an admin cluster, you create
user clusters
to run workloads.
Prerequisites:
- Latest
bmctlis downloaded (gs://anthos-baremetal-release/bmctl/1.8.9/linux-amd64/bmctl) from Cloud Storage. - Workstation running
bmctlhas network connectivity to all nodes in the target user clusters. - Workstation running
bmctlhas network connectivity to the cluster API server (control plane VIP). - SSH key used to create the Admin cluster is available to root, or there is SUDO user access on all nodes in the target admin cluster.
- Connect-register service account is configured for use with Connect.
See the GKE on Bare Metal quickstart for expanded step-by-step instructions for creating a hybrid cluster. Creating an admin cluster is similar to creating a hybrid cluster, except you don't run workloads on the admin cluster.
Enable SELinux
If you want to enable SELinux to secure your containers, you must make sure that
SELinux is enabled in Enforced mode host machines before installing
GKE on Bare Metal. SELinux is enable by default on RHEL and CentOS
systemes.If SELinux is disabled in your clusters or you aren't sure, see
Securing your containers using SELinux
for instructions on how to enable it.
GKE on Bare Metal supports SELinux in only RHEL and CentOS systems.
Log into gcloud CLI and create an admin cluster config file
Set the default credentials that GKE on Bare Metal can use to create the cluster with the following command:
gcloud auth application-default loginTo use the automatic API enablement and service account creation features in this page, grant the Project Owner role to that principal. If the principal can't have the Project Owner role, complete the next step.
To ensure the cluster creation can succeed without granting the Project Owner role, add the following IAM roles to the principal:
- Service Account Admin
- Service Account Key Admin
- Project IAM Admin
- Compute Viewer
- Service Usage Admin
If the principal is a service account with those roles, you can run:
export GOOGLE_APPLICATION_CREDENTIALS=JSON_KEY_FILEReplace
JSON_KEY_FILEwith the path to your service account's JSON key file.Get the ID of your Google Cloud project and store it in an environment variable to use it for cluster creation:
export CLOUD_PROJECT_ID=$(gcloud config get-value project)
Create an admin cluster config with bmctl
After you've logged into gcloud and have your project set up, you can create the
cluster config file with the bmctl command.
In the following example, all service accounts are automatically created by
the bmctl create config command:
bmctl create config -c ADMIN_CLUSTER_NAME --enable-apis \
--create-service-accounts --project-id=CLOUD_PROJECT_ID
Replace the following:
- ADMIN_CLUSTER_NAME: the name of the new cluster.
- CLOUD_PROJECT_ID: your Google Cloud project ID or the
$CLOUD_PROJECT_IDenvironment variable.
Here's an example to create a config file for a admin cluster
called admin1 associated with project ID my-gcp-project:
bmctl create config -c admin1 --create-service-accounts --enable-apis --project-id=my-gcp-project
The file is written to bmctl-workspace/admin1/admin1.yaml.
As an alternative to automatically enabling APIs and creating service accounts,
you can also provide your existing service accounts with proper
IAM permissions. This means you can skip the automatic service account creation
in the previous example in the bmctl command:
bmctl create config -c admin1
Edit the cluster config file
Now that you have a cluster config file, edit it to make the following changes:
Provide the SSH private key to access the admin cluster nodes:
# bmctl configuration variables. Because this section is valid YAML but not a valid Kubernetes # resource, this section can only be included when using bmctl to # create the initial admin/admin cluster. Afterwards, when creating user clusters by directly # applying the cluster and node pool resources to the existing cluster, you must remove this # section. gcrKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-gcr.json sshPrivateKeyPath: /path/to/your/ssh_private_key gkeConnectAgentServiceAccountKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-connect.json gkeConnectRegisterServiceAccountKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-register.json cloudOperationsServiceAccountKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-cloud-ops.jsonFor 1.7.0 and later versions, you must register your clusters with Connect to your project environ.
- If you created your config file, using the automatic API enablement and Service Account creation features, you can skip this step.
- If you created the config file without using the automatic API enablement
and Service Account creation features, reference the downloaded service
account JSON keys in the corresponding
gkeConnectAgentServiceAccountKeyPathandgkeConnectRegisterServiceAccountKeyPathfields of the cluster config file.
Check to make sure the config specifies a cluster type of
admin(the default value):spec: # Cluster type. This can be: # 1) admin: to create an admin cluster. This can later be used to create user clusters. # 2) user: to create a user cluster. Requires an existing admin cluster. # 3) hybrid: to create a hybrid cluster that runs admin cluster components and user workloads. # 4) standalone: to create a cluster that manages itself, runs user workloads, but does not manage other clusters. type: adminChange the configuration file to specify a multi-node, high availability, control plane. Specify an odd number of nodes to have a majority quorum for HA:
# Control plane configuration controlPlane: nodePoolSpec: nodes: # Control plane node pools. Typically, this is either a single machine # or 3 machines if using a high availability deployment. - address: 10.200.0.4 - address: 10.200.0.5 - address: 10.200.0.6Specify the pod density of cluster nodes and the container runtime:
.... # NodeConfig specifies the configuration that applies to all nodes in the cluster. nodeConfig: # podDensity specifies the pod density configuration. podDensity: # maxPodsPerNode specifies at most how many pods can be run on a single node. maxPodsPerNode: 250 # containerRuntime specifies which container runtime to use for scheduling containers on nodes. # containerd and docker are supported. containerRuntime: containerd ....For admin clusters, allowable values for
maxPodsPerNodeare32-250for HA clusters and64-250for non-HA clusters. The default value if unspecified is110. Once the cluster is created, this value cannot be updated.Pod density is also limited by your cluster's available IP resources. For details, see Pod networking.
Create the admin cluster with the cluster config
Use the bmctl command to deploy the cluster:
bmctl create cluster -c ADMIN_CLUSTER_NAME
ADMIN_CLUSTER_NAME specifies the cluster name created in the previous section.
The following shows an example of the command to create a cluster
called admin1:
bmctl create cluster -c admin1
Sample complete admin cluster config
The following is a sample admin cluster config file created by the bmctl command.
Note that in this sample config, placeholder cluster names, VIPs and addresses
are used. They may not work for your network.
gcrKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-gcr.json
sshPrivateKeyPath: /bmctl/bmctl-workspace/.ssh/id_rsa
gkeConnectAgentServiceAccountKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-connect.json
gkeConnectRegisterServiceAccountKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-register.json
cloudOperationsServiceAccountKeyPath: /bmctl/bmctl-workspace/.sa-keys/my-gcp-project-anthos-baremetal-cloud-ops.json
---
apiVersion: v1
kind: Namespace
metadata:
name: cluster-admin1
---
apiVersion: baremetal.cluster.gke.io/v1
kind: Cluster
metadata:
name: admin1
namespace: cluster-admin1
spec:
# Cluster type. This can be:
# 1) admin: to create an admin cluster. This can later be used to create user clusters.
# 2) user: to create a user cluster. Requires an existing admin cluster.
# 3) hybrid: to create a hybrid cluster that runs admin cluster components and user workloads.
# 4) standalone: to create a cluster that manages itself, runs user workloads, but does not manage other clusters.
type: admin
# Anthos cluster version.
anthosBareMetalVersion: 1.8.9
# GKE connect configuration
gkeConnect:
projectID: $GOOGLE_PROJECT_ID
# Control plane configuration
controlPlane:
nodePoolSpec:
nodes:
# Control plane node pools. Typically, this is either a single machine
# or 3 machines if using a high availability deployment.
- address: 10.200.0.4
- address: 10.200.0.5
- address: 10.200.0.6
# Cluster networking configuration
clusterNetwork:
# Pods specify the IP ranges from which pod networks are allocated.
pods:
cidrBlocks:
- 192.168.0.0/16
# Services specify the network ranges from which service virtual IPs are allocated.
# This can be any RFC 1918 range that does not conflict with any other IP range
# in the cluster and node pool resources.
services:
cidrBlocks:
- 10.96.0.0/20
# Load balancer configuration
loadBalancer:
# Load balancer mode can be either 'bundled' or 'manual'.
# In 'bundled' mode a load balancer will be installed on load balancer nodes during cluster creation.
# In 'manual' mode the cluster relies on a manually-configured external load balancer.
mode: bundled
# Load balancer port configuration
ports:
# Specifies the port the load balancer serves the Kubernetes control plane on.
# In 'manual' mode the external load balancer must be listening on this port.
controlPlaneLBPort: 443
# There are two load balancer virtual IP (VIP) addresses: one for the control plane
# and one for the L7 Ingress service. The VIPs must be in the same subnet as the load balancer nodes.
# These IP addresses do not correspond to physical network interfaces.
vips:
# ControlPlaneVIP specifies the VIP to connect to the Kubernetes API server.
# This address must not be in the address pools below.
controlPlaneVIP: 10.200.0.71
# IngressVIP specifies the VIP shared by all services for ingress traffic.
# Allowed only in non-admin clusters.
# This address must be in the address pools below.
# ingressVIP: 10.0.0.2
# AddressPools is a list of non-overlapping IP ranges for the data plane load balancer.
# All addresses must be in the same subnet as the load balancer nodes.
# Address pool configuration is only valid for 'bundled' LB mode in non-admin clusters.
# addressPools:
# - name: pool1
# addresses:
# # Each address must be either in the CIDR form (1.2.3.0/24)
# # or range form (1.2.3.1-1.2.3.5).
# - 10.0.0.1-10.0.0.4
# A load balancer node pool can be configured to specify nodes used for load balancing.
# These nodes are part of the Kubernetes cluster and run regular workloads as well as load balancers.
# If the node pool config is absent then the control plane nodes are used.
# Node pool configuration is only valid for 'bundled' LB mode.
# nodePoolSpec:
# nodes:
# - address: <Machine 1 IP>
# Proxy configuration
# proxy:
# url: http://[username:password@]domain
# # A list of IPs, hostnames or domains that should not be proxied.
# noProxy:
# - 127.0.0.1
# - localhost
# Logging and Monitoring
clusterOperations:
# Cloud project for logs and metrics.
projectID: $GOOGLE_PROJECT_ID
# Cloud location for logs and metrics.
location: us-central1
# Whether collection of application logs/metrics should be enabled (in addition to
# collection of system logs/metrics which correspond to system components such as
# Kubernetes control plane or cluster management agents).
# enableApplication: false
# Storage configuration
storage:
# lvpNodeMounts specifies the config for local PersistentVolumes backed by mounted disks.
# These disks need to be formatted and mounted by the user, which can be done before or after
# cluster creation.
lvpNodeMounts:
# path specifies the host machine path where mounted disks will be discovered and a local PV
# will be created for each mount.
path: /mnt/localpv-disk
# storageClassName specifies the StorageClass that PVs will be created with. The StorageClass
# is created during cluster creation.
storageClassName: local-disks
# lvpShare specifies the config for local PersistentVolumes backed by subdirectories in a shared filesystem.
# These subdirectories are automatically created during cluster creation.
lvpShare:
# path specifies the host machine path where subdirectories will be created on each host. A local PV
# will be created for each subdirectory.
path: /mnt/localpv-share
# storageClassName specifies the StorageClass that PVs will be created with. The StorageClass
# is created during cluster creation.
storageClassName: local-shared
# numPVUnderSharedPath specifies the number of subdirectories to create under path.
numPVUnderSharedPath: 5
# NodeConfig specifies the configuration that applies to all nodes in the cluster.
nodeConfig:
# podDensity specifies the pod density configuration.
podDensity:
# maxPodsPerNode specifies at most how many pods can be run on a single node.
maxPodsPerNode: 250
# containerRuntime specifies which container runtime to use for scheduling containers on nodes.
# containerd and docker are supported.
containerRuntime: containerd
# KubeVirt configuration, uncomment this section if you want to install kubevirt to the cluster
# kubevirt:
# # if useEmulation is enabled, hardware accelerator (i.e relies on cpu feature like vmx or svm)
# # will not be attempted. QEMU will be used for software emulation.
# # useEmulation must be specified for KubeVirt installation
# useEmulation: false
# Authentication; uncomment this section if you wish to enable authentication to the cluster with OpenID Connect.
# authentication:
# oidc:
# # issuerURL specifies the URL of your OpenID provider, such as "https://accounts.google.com". The Kubernetes API
# # server uses this URL to discover public keys for verifying tokens. Must use HTTPS.
# issuerURL: <URL for OIDC Provider; required>
# # clientID specifies the ID for the client application that makes authentication requests to the OpenID
# # provider.
# clientID: <ID for OIDC client application; required>
# # clientSecret specifies the secret for the client application.
# clientSecret: <Secret for OIDC client application; optional>
# # kubectlRedirectURL specifies the redirect URL (required) for the gcloud CLI, such as
# # "http://localhost:[PORT]/callback".
# kubectlRedirectURL: <Redirect URL for the gcloud CLI; optional, default is "http://kubectl.redirect.invalid">
# # username specifies the JWT claim to use as the username. The default is "sub", which is expected to be a
# # unique identifier of the end user.
# username: <JWT claim to use as the username; optional, default is "sub">
# # usernamePrefix specifies the prefix prepended to username claims to prevent clashes with existing names.
# usernamePrefix: <Prefix prepended to username claims; optional>
# # group specifies the JWT claim that the provider will use to return your security groups.
# group: <JWT claim to use as the group name; optional>
# # groupPrefix specifies the prefix prepended to group claims to prevent clashes with existing names.
# groupPrefix: <Prefix prepended to group claims; optional>
# # scopes specifies additional scopes to send to the OpenID provider as a comma-delimited list.
# scopes: <Additional scopes to send to OIDC provider as a comma-separated list; optional>
# # extraParams specifies additional key-value parameters to send to the OpenID provider as a comma-delimited
# # list.
# extraParams: <Additional key-value parameters to send to OIDC provider as a comma-separated list; optional>
# # proxy specifies the proxy server to use for the cluster to connect to your OIDC provider, if applicable.
# # Example: https://user:password@10.10.10.10:8888. If left blank, this defaults to no proxy.
# proxy: <Proxy server to use for the cluster to connect to your OIDC provider; optional, default is no proxy>
# # deployCloudConsoleProxy specifies whether to deploy a reverse proxy in the cluster to allow Google Cloud
# # Console access to the on-premises OIDC provider for authenticating users. If your identity provider is not
# # reachable over the public internet, and you wish to authenticate using Google Cloud console, then this field
# # must be set to true. If left blank, this field defaults to false.
# deployCloudConsoleProxy: <Whether to deploy a reverse proxy for Google Cloud console authentication; optional>
# # certificateAuthorityData specifies a Base64 PEM-encoded certificate authority certificate of your identity
# # provider. It's not needed if your identity provider's certificate was issued by a well-known public CA.
# # However, if deployCloudConsoleProxy is true, then this value must be provided, even for a well-known public
# # CA.
# certificateAuthorityData: <Base64 PEM-encoded certificate authority certificate of your OIDC provider; optional>
# Node access configuration; uncomment this section if you wish to use a non-root user
# with passwordless sudo capability for machine login.
# nodeAccess:
# loginUser: <login user name>