Set up Google Cloud resources

This page describes the Google Cloud resources that you need to create and configure prior to creating clusters.

Before you begin

  1. Create a Google Cloud project and a billing account.

  2. If you aren't a Google Cloud project owner, have a project owner grant you the following Identity and Access Management (IAM) roles:

    • roles/compute.viewer (required): needed when bmctl validates the clusterOperations.location field in the cluster configuration file.
    • roles/iam.serviceAccountAdmin (required): needed to create the service accounts that GKE on Bare Metal requires.
    • roles/iam.securityAdmin (required): needed to grant IAM roles to the service accounts that GKE on Bare Metal requires.
    • roles/iam.serviceAccountKeyAdmin (required): needed to create JSON key files for the service accounts that GKE on Bare Metal requires.
    • roles/serviceusage.serviceUsageAdmin (required): needed to enable the Google APIs that GKE on Bare Metal requires.
    • roles/gkeonprem.admin (optional): needed if you want to create clusters using GKE On-Prem API clients or configure a cluster to be managed by the GKE On-Prem API.
    • roles/gkehub.viewer and roles/container.viewer (optional): needed if you want to access the GKE Enterprise and Google Kubernetes Engine pages in the Google Cloud console.

    For information on granting the roles, see Manage access to projects, folders, and organizations.

Enable APIs

Several Google APIs must be enabled in your associated Google Cloud project. GKE on Bare Metal uses the APIs when creating clusters. The APIs are also needed to maintain a connection to Google Cloud. The connection to Google Cloud lets GKE on Bare Metal use Cloud Logging and Cloud Monitoring and fleet features such as Anthos Service Mesh, Config Sync, Policy Controller, and Config Controller.

If you will be using the bmctl tool to create clusters, you can include the --enable-apis flag when you run bmctl create config, and bmctl enables the APIs listed in the following gcloud services enable command. If you will be using a GKE On-Prem API client to create an admin cluster or a user cluster, you need to enable the APIs before creating the cluster.

To enable the APIs, run the following commands:

  1. Login to Google Cloud CLI:

    gcloud auth login
    
  2. Enable the following APIs:

    gcloud services enable --project=PROJECT_ID \
        anthos.googleapis.com \
        anthosaudit.googleapis.com \
        anthosgke.googleapis.com \
        cloudresourcemanager.googleapis.com \
        connectgateway.googleapis.com \
        container.googleapis.com \
        gkeconnect.googleapis.com \
        gkehub.googleapis.com \
        gkeonprem.googleapis.com \
        iam.googleapis.com \
        logging.googleapis.com \
        monitoring.googleapis.com \
        opsconfigmonitoring.googleapis.com \
        serviceusage.googleapis.com \
        stackdriver.googleapis.com \
        storage.googleapis.com
    
  3. To see what APIs and services are enabled in your project, run the following command:

    gcloud services list --project=PROJECT_ID \
        --enabled
    

Configure service accounts

To use the Google APIs, GKE on Bare Metal requires a service account configured with specific IAM roles in your associated Google Cloud project. As a best practice, you should create separate service accounts for different purposes, particularly in production environments.

If you will be using the bmctl tool to create clusters, you can include the --create-service-accounts flag when you run bmctl create config to have bmctl create the service accounts with the required IAM roles. If you will be using a GKE On-Prem API client to create an admin cluster, by default the bmctl register bootstrap command creates the service accounts with the required IAM roles when you run the command to create a bootstrap cluster.

The service accounts are required for user cluster creation as well, but they were already created and configured when the admin cluster that manages the user clusters was created.

The following service accounts are created automatically, with the roles listed for each:

    • anthos-baremetal-gcr: GKE on Bare Metal uses this service account to download container images from Container Registry. Roles: none.
    • anthos-baremetal-connect: Connect Agent uses this service account to maintain a connection between your cluster and Google Cloud. This enables access to the cluster and to workload management features, including the Google Cloud console and the Connect gateway, to interact with your cluster. Roles: roles/gkehub.connect.
    • anthos-baremetal-register: Connect Agent uses this service account to register your clusters with a fleet. Roles: roles/gkehub.admin.
    • anthos-baremetal-cloud-ops: Stackdriver Agent uses this service account to export logs and metrics from clusters to Cloud Logging and Cloud Monitoring. Roles: roles/logging.logWriter, roles/monitoring.metricWriter, roles/stackdriver.resourceMetadata.writer, roles/opsconfigmonitoring.resourceMetadata.writer, roles/monitoring.dashboardEditor.

Configure service accounts manually

If you prefer, you can manually create the service accounts, configure them with the necessary roles, and download JSON key files prior to creating clusters. If you are using bmctl to create clusters, you add references to the JSON key files to the appropriate cluster config file. For an example, see Editing the config file. If you are using a GKE On-Prem API client to create an admin cluster, you can specify the key files when you run bmctl register bootstrap to create the bootstrap cluster.

To create the service accounts and key files:

  1. On your admin workstation, make sure you're in the baremetal directory.

  2. If you haven't already, login to Google Cloud CLI:

    gcloud auth login
    
  3. Create the service accounts:

    gcloud iam service-accounts create anthos-baremetal-gcr \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create anthos-baremetal-connect \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create anthos-baremetal-register \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create anthos-baremetal-cloud-ops \
        --project=PROJECT_ID
    
  4. Grant the required IAM roles on the service accounts:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-connect@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/gkehub.connect"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-register@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/gkehub.admin"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/logging.logWriter"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/monitoring.metricWriter"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/stackdriver.resourceMetadata.writer"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/opsconfigmonitoring.resourceMetadata.writer"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:anthos-baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/monitoring.dashboardEditor"
    
  5. Download the service account JSON key files:

    gcloud iam service-accounts keys create anthos-baremetal-gcr.json \
        --project=PROJECT_ID \
        --iam-account=anthos-baremetal-gcr@PROJECT_ID.iam.gserviceaccount.com
    
    gcloud iam service-accounts keys create connect-agent.json \
        --project=PROJECT_ID \
        --iam-account=anthos-baremetal-connect@PROJECT_ID.iam.gserviceaccount.com
    
    gcloud iam service-accounts keys create connect-register.json \
        --project=PROJECT_ID \
        --iam-account=anthos-baremetal-register@PROJECT_ID.iam.gserviceaccount.com
    
    gcloud iam service-accounts keys create anthos-baremetal-cloud-ops.json \
        --project=PROJECT_ID \
        --iam-account=anthos-baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com
    
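The commands in the Enable APIs section and in the steps above change project state that is easy to get subtly wrong (an API left disabled, a role binding missed, or an extra role such as roles/editor added to a cluster credential by someone else). The following audit script is an added example, not part of GKE on Bare Metal or its documentation. It reads the JSON that `gcloud services list --enabled --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` print and reports, for the API list and the service account roles given on this page, what is still missing and what is over-privileged. The project ID `my-project`, the sample services list and the sample IAM policy are constructed for illustration; in practice you would feed it the real gcloud output.

```python
"""Offline preflight audit for the Google Cloud setup described on this page.

Added example; it is not part of GKE on Bare Metal or its documentation.
It consumes the JSON printed by
  gcloud services list --enabled --project=PROJECT_ID --format=json
  gcloud projects get-iam-policy PROJECT_ID --format=json
and reports required APIs that are still disabled and, for each cluster
service account, roles that are missing or that it should not hold.
The sample inputs at the bottom are constructed, not captured from a project.
"""
import json

# The APIs from the gcloud services enable command on this page.
REQUIRED_APIS = {
    "anthos.googleapis.com", "anthosaudit.googleapis.com",
    "anthosgke.googleapis.com", "cloudresourcemanager.googleapis.com",
    "connectgateway.googleapis.com", "container.googleapis.com",
    "gkeconnect.googleapis.com", "gkehub.googleapis.com",
    "gkeonprem.googleapis.com", "iam.googleapis.com",
    "logging.googleapis.com", "monitoring.googleapis.com",
    "opsconfigmonitoring.googleapis.com", "serviceusage.googleapis.com",
    "stackdriver.googleapis.com", "storage.googleapis.com",
}

# Roles per service account, as listed on this page. Anything beyond these
# (roles/editor, roles/owner, ...) is over-privilege for a cluster credential.
EXPECTED_ROLES = {
    "anthos-baremetal-gcr": set(),
    "anthos-baremetal-connect": {"roles/gkehub.connect"},
    "anthos-baremetal-register": {"roles/gkehub.admin"},
    "anthos-baremetal-cloud-ops": {
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
        "roles/stackdriver.resourceMetadata.writer",
        "roles/opsconfigmonitoring.resourceMetadata.writer",
        "roles/monitoring.dashboardEditor",
    },
}


def missing_apis(services_json):
    """Required APIs absent from the `gcloud services list --enabled` output."""
    enabled = {svc["config"]["name"] for svc in json.loads(services_json)}
    return sorted(REQUIRED_APIS - enabled)


def _member(name, project_id):
    """IAM member string for a service account in the project."""
    return f"serviceAccount:{name}@{project_id}.iam.gserviceaccount.com"


def audit_bindings(policy_json, project_id):
    """Compare project-level IAM bindings with EXPECTED_ROLES.

    Returns {service_account: {"missing": [...], "unexpected": [...]}}.
    Only project-level bindings are visible here; roles inherited from a
    folder or organization do not appear and need a separate check.
    """
    policy = json.loads(policy_json)
    member_to_name = {_member(name, project_id): name for name in EXPECTED_ROLES}
    granted = {name: set() for name in EXPECTED_ROLES}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            name = member_to_name.get(member)
            if name is not None:
                granted[name].add(binding["role"])
    return {
        name: {
            "missing": sorted(expected - granted[name]),
            "unexpected": sorted(granted[name] - expected),
        }
        for name, expected in EXPECTED_ROLES.items()
    }


# Constructed sample: gkeonprem.googleapis.com is not yet enabled, cloud-ops
# lacks dashboardEditor, and someone gave the gcr account roles/editor.
SAMPLE_PROJECT = "my-project"
SAMPLE_SERVICES = json.dumps(
    [{"config": {"name": n}} for n in sorted(REQUIRED_APIS - {"gkeonprem.googleapis.com"})]
)
_OPS = _member("anthos-baremetal-cloud-ops", SAMPLE_PROJECT)
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/gkehub.connect", "members": [_member("anthos-baremetal-connect", SAMPLE_PROJECT)]},
    {"role": "roles/gkehub.admin", "members": [_member("anthos-baremetal-register", SAMPLE_PROJECT)]},
    {"role": "roles/logging.logWriter", "members": [_OPS]},
    {"role": "roles/monitoring.metricWriter", "members": [_OPS]},
    {"role": "roles/stackdriver.resourceMetadata.writer", "members": [_OPS]},
    {"role": "roles/opsconfigmonitoring.resourceMetadata.writer", "members": [_OPS]},
    {"role": "roles/editor", "members": ["user:admin@example.com", _member("anthos-baremetal-gcr", SAMPLE_PROJECT)]},
]})

if __name__ == "__main__":
    print("APIs still disabled:", missing_apis(SAMPLE_SERVICES))
    for name, findings in audit_bindings(SAMPLE_POLICY, SAMPLE_PROJECT).items():
        print(name, findings)
```

Run it after the gcloud commands above and treat any "unexpected" entry as seriously as a "missing" one: the key files for these accounts end up on the admin workstation and inside the cluster, so a basic role on any of them turns a leaked key into project-wide access.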

Configure a service account that can access a Cloud Storage bucket

You use a service account and key file to access Cloud Storage. You can use this service account to enable snapshots of clusters to be automatically uploaded to Cloud Storage buckets, or to import virtual machine (VM) images from Cloud Storage buckets for use with VM Runtime on GDC.

To create the service account and key file, complete the following steps:

  1. Make sure you are in the baremetal directory.

  2. If you haven't already, login to Google Cloud CLI:

    gcloud auth login
    
  3. If it isn't already enabled, enable the Cloud Storage API (storage.googleapis.com) in your Google Cloud project:

    gcloud services enable --project=PROJECT_ID \
        storage.googleapis.com
    
  4. Create a service account that your cluster can use to access Cloud Storage buckets:

    gcloud iam service-accounts create SA_NAME \
        --project=PROJECT_ID
    

    Replace SA_NAME with the name of the new service account. This service account name appears in the email address that is provisioned during creation, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com.

  5. Create a custom role with the following permissions:

    • storage.buckets.create
    • storage.buckets.get
    • storage.buckets.list
    • storage.objects.create
    • resourcemanager.projects.get

    gcloud iam roles create ROLE_ID \
        --permissions=storage.buckets.create,storage.buckets.get,storage.buckets.list,storage.objects.create,resourcemanager.projects.get \
        --project=PROJECT_ID
    
    

    Replace ROLE_ID with the name of the new custom role, such as snapshotUpload. The complete path of this custom role has the format projects/PROJECT_ID/roles/ROLE_ID.

  6. Grant the custom role to the service account on the project. The binding has to be on the project rather than on the service account resource, because the Cloud Storage permissions in the role are checked against the project and its buckets:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --role='projects/PROJECT_ID/roles/ROLE_ID'
    
  7. Download the service account JSON key file:

    gcloud iam service-accounts keys create OUTPUT_FILE \
        --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
    
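Each key file downloaded in this section and in the Configure service accounts manually section is a long-lived credential that bmctl reads from disk, so it is worth checking before it is referenced from a cluster config or from bmctl register bootstrap. The following checker is an added example, not part of GKE on Bare Metal or its documentation. It verifies that the file is a well-formed service account key for the account you expect, and that no other local user can read it; the placeholder key material and the file name connect-agent.json it writes are constructed for the demonstration.

```python
"""Sanity checks for a downloaded service account JSON key file.

Added example; it is not part of GKE on Bare Metal or its documentation.
A key file created with `gcloud iam service-accounts keys create` is a
long-lived credential: before referencing it from a cluster config or from
bmctl register bootstrap, confirm it is the right account's key, is well
formed, and is not readable by other local users. The key written by
write_constructed_key() is a placeholder, not a real private key.
"""
import json
import os
import stat
import tempfile

# Fields gcloud writes into every service account key file.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_key_file(path, expected_email):
    """Return a list of problems; an empty list means the file is ready to use."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} lets group/other read the key; expected 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        return problems + [f"cannot parse key file: {exc}"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    email = key.get("client_email")
    if email and email != expected_email:
        problems.append(f"key belongs to {email}, expected {expected_email}")
    private_key = key.get("private_key", "")
    if private_key and not private_key.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key block")
    return problems


def harden_key_file(path):
    """Restrict the key file to its owner and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_constructed_key(path, email, project_id, mode=0o644):
    """Write a placeholder key shaped like gcloud's output (constructed sample)."""
    key = {
        "type": "service_account",
        "project_id": project_id,
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
        "client_email": email,
        "client_id": "1234567890",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh, indent=2)
    os.chmod(path, mode)
    return path


def run_demo():
    """Create a constructed key with loose permissions, check it, harden it, re-check."""
    expected = "anthos-baremetal-connect@my-project.iam.gserviceaccount.com"
    other = "anthos-baremetal-register@my-project.iam.gserviceaccount.com"
    with tempfile.TemporaryDirectory() as tmp:
        path = write_constructed_key(os.path.join(tmp, "connect-agent.json"), expected, "my-project")
        before = check_key_file(path, expected)
        hardened_mode = harden_key_file(path)
        after = check_key_file(path, expected)
        wrong_account = check_key_file(path, other)
    return {"before": before, "hardened_mode": hardened_mode, "after": after, "wrong_account": wrong_account}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

The account-mismatch check matters because the four key files on this page have similar names (connect-agent.json versus connect-register.json, for example) and the cluster config references them by path; a swapped file fails only later, when the component tries to use a role it does not have.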

For more information about how to create cluster snapshots and automatically upload them to a Cloud Storage bucket, see Create snapshots to help diagnose cluster problems.

For more information on how to import VM images from Cloud Storage, see Create and use credentials to import images from Cloud Storage for VM Runtime on GDC.