Version 1.8. This version is supported as outlined in the Anthos version support policy, offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on bare metal. For more details, see the release notes 1.8. This is the most recent version. For a complete list of each minor and patch release in chronological order, see the combined release notes.

Available versions: 1.8  |   1.7  |   1.6

Installation prerequisites overview

Anthos clusters on bare metal has the following sets of installation prerequisites:

If you use the workstation machine as a cluster node machine, it must meet the prerequisites for both.

Before you begin

During installation, you must provide the following credentials:

  • The private SSH keys needed to access cluster node machines.
  • If you are not using root, the cluster node machine login name.
  • The Google Cloud service account keys. Go to Creating and managing service account keys to learn more.

Ensure you have all the necessary credentials before attempting to install Anthos clusters on bare metal.

Logging into gcloud

  1. Login to gcloud as a user using gcloud auth application-default login:
  2. gcloud auth application-default login
    
    You need to have a Project Owner/Editor role to use the automatic API enablement and Service Account creation features, described below. You can also add the following IAM roles to the user:
    • Service Account Admin
    • Service Account Key Admin
    • Project IAM Admin
    • Compute Viewer
    • Service Usage Admin
    Alternatively, if you already have a service account with those roles, run:
    export GOOGLE_APPLICATION_CREDENTIALS=JSON_KEY_FILE
    
    JSON_KEY_FILE specifies the path to your service account JSON key file.
  3. Get your Google Cloud project ID to use with cluster creation:
  4. export CLOUD_PROJECT_ID=$(gcloud config get-value project)
    

Workstation prerequisites

The bmctl workstation must meet the following prerequisites:

  • Operating system is the same supported Linux distribution running on the cluster node machines.
  • Docker version 19.03 or later installed.
  • Non-root user is member ofdocker group (for instructions, go to Manage Docker as a non-root user).
  • gcloud installed.
  • More than 50 GB of free disk space.
  • L3 connectivity to all cluster node machines.
  • Access to all cluster node machines through SSH via private keys with passwordless root access. Access can be either direct or through sudo.
  • Access the control plane VIP.

Node machine prerequisites

The node machines have the following prerequisites:

  • Their operating system is one of the supported Linux distributions.
  • The Linux kernel version is 4.17.0 or newer. Ubuntu 18.04 and 18.04.1 are on Linux kernel version 4.15 and therefore incompatible.
  • Meet the minimum hardware requirements.
  • Internet access.
  • L3 connectivity to all other node machines.
  • Access the control plane VIP.
  • Properly configured DNS nameservers.
  • One of the following NTP services is enabled and working:
    • chrony
    • ntp
    • ntpdate
    • systemd-timesyncd
  • A working package manager: apt, dnf, etc.
  • On Ubuntu, AppArmor and Uncomplicated Firewall (UFW) are inactive. Run systemctl stop apparmor ufw to disable them.
  • If you choose Docker as your container runtime, you may use Docker version 19.03 or later installed. If you don't have Docker installed on your node machines or have an older version installed, Anthos on bare metal installs Docker 19.03.13 or later when you create clusters.
  • If you use containerd as your runtime you don't need Docker, and installing Docker can cause issues. For more information, see the known issues.
  • Ensure the filesystems backing the following directories have the required capacity and are under 90% utilization whenever you install or re-install Anthos clusters on bare metal. Note that the install process will create these directories if necessary:
    • /var/lib/docker or /var/lib/containerd depending on the container runtime: 30 GiB (32212254720 bytes)
    • /var/lib/kubelet: 10 GiB (10737418240 bytes)
    • /mnt/anthos-system: 25 GiB (26843545600 bytes)
    • /: 20 GiB (21474836480 bytes)
    • /var/lib/etcd: 20 GiB (21474836480 bytes, applicable to control plane nodes only)
  • /var/lib/etcd and /etc/kubernetes directories are either non-existent or empty.

In addition to the prerequisites for installing and running Anthos clusters on bare metal, customers are expected to comply with relevant standards governing their industry or business segment, such as PCI DSS requirements for businesses that process credit cards or Security Technical Implementation Guides (STIGs) for businesses in the defense industry.

Load balancer machines prerequisites

When your deployment doesn't have a specialized load balancer node pool, you can have worker nodes or control plane nodes build a load balancer node pool. In that case, they have additional prerequisites:

  • Machines are in the same L2 subnet.
  • All VIPs are in the load balancer nodes subnet and routable from the gateway of the subnet.
  • The gateway of the load balancer subnet should listen to gratuitous ARPs to forward packets to the master load balancer.

Google Cloud project prerequisites

Before you install Anthos clusters on bare metal, enable the following services for your associated GCP project:

  • anthos.googleapis.com
  • anthosgke.googleapis.com
  • cloudresourcemanager.googleapis.com
  • container.googleapis.com
  • gkeconnect.googleapis.com
  • gkehub.googleapis.com
  • serviceusage.googleapis.com
  • stackdriver.googleapis.com
  • monitoring.googleapis.com
  • logging.googleapis.com

You can also use the bmctl tool to enable these services.

Service accounts prerequisites

In production environments, you should create separate service accounts for different purposes. Anthos clusters on bare metal needs the following different types of Google Cloud service accounts depending on their purpose:

  • To access Container Registry, no special role is required.
  • To register a cluster in environs, grant the roles/gkehub.admin IAM role to the service account on your Google Cloud project.
  • To connect to environs, grant the roles/gkehub.connect IAM role to the service account on your Google Cloud project.
  • To send logs and metrics to Google Cloud's operations suite, grant the following IAM roles to the service account on your Google Cloud project:

    • roles/logging.logWriter
    • roles/monitoring.metricWriter
    • roles/stackdriver.resourceMetadata.writer
    • roles/monitoring.dashboardEditor

You can also use the bmctl tool to create these service accounts.