Version 1.9. This is the most recent version. It's supported as outlined in the Anthos version support policy, offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on bare metal. For release details, see the release notes 1.9. For a complete list of each minor and patch release in chronological order, see the combined release notes.


Enable Google services and service accounts

In addition to meeting the installation, hardware, and operating system prerequisites, you must configure and set up Google Cloud projects, APIs, and service accounts to run Anthos clusters on bare metal.

Note that the bmctl command can automatically enable service accounts and APIs at cluster creation time, but you can also manually set up these services for finer control of operations.

Enable APIs

In your Cloud project, enable the following APIs, either in the Google Cloud console or with the following command.

You must have the roles/owner, roles/editor, or roles/serviceusage.serviceUsageAdmin role on the associated project:

  • servicemanagement.googleapis.com
  • servicecontrol.googleapis.com

    gcloud services enable --project=PROJECT_ID \
    servicemanagement.googleapis.com \
    servicecontrol.googleapis.com
    

Set your default Cloud project ID and roles

In addition to configuring service accounts, you can set your default project ID.

You must have owner or editor roles on your project for Anthos clusters on bare metal.

To set the default project, issue the following command, and replace PROJECT_ID with your Google Cloud project ID:

gcloud config set project PROJECT_ID

Configure service accounts manually

The bmctl command of Anthos clusters on bare metal can automatically set up Google service accounts and APIs when you create clusters.

However, for more control over your system, or to streamline cluster creation with a default set of services, accounts, and projects, you can set up these services manually.

Anthos clusters on bare metal connects your clusters to Google Cloud. This connection lets you manage and observe your clusters from the Cloud Console by using:

  • Connect to connect your bare metal cluster to Google Cloud. This enables access to cluster and workload management features, including a unified user interface, the Cloud Console, for interacting with your cluster.
  • Logging and Monitoring to view logs and metrics from the cluster in the Cloud Console.

The process for manually configuring access includes:

  • Enabling the necessary Google services in your Cloud project.
  • Creating the following service accounts with the necessary roles:
    • Connect-agent service account: Connect uses this service account to maintain a connection between your cluster and Google Cloud.
    • Connect-register service account: Connect uses this service account to register your clusters with Google Cloud.
    • Logging-monitoring service account: Connect uses this service account to export logs and metrics from clusters to Logging and Monitoring.

  • Downloading the JSON key files for each service account.

You then add references to the JSON key files to the appropriate cluster config files. See Creating clusters: overview for more information.

Configure service accounts for use with Connect

To create the service accounts and key files:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:

        gcloud services enable --project=PROJECT_ID \
            gkeconnect.googleapis.com \
            gkehub.googleapis.com \
            cloudresourcemanager.googleapis.com \
            anthos.googleapis.com

  3. Create the connect-agent service account with the necessary role and download the key file. These steps create the connect-agent.json key file in the baremetal directory:
    1. Create the service account:

          gcloud iam service-accounts create connect-agent-svc-account \
              --project=PROJECT_ID

    2. Grant the roles/gkehub.connect role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/gkehub.connect"

    3. Download the service account JSON key file:

          gcloud iam service-accounts keys create connect-agent.json \
              --iam-account=connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com \
              --project=PROJECT_ID

  4. Create the connect-register service account with the necessary role and download the key file. These steps create the connect-register.json key file in the baremetal directory:
    1. Create the service account:

          gcloud iam service-accounts create connect-register-svc-account \
              --project=PROJECT_ID

    2. Grant the roles/gkehub.admin role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/gkehub.admin"

    3. Download the service account JSON key file:

          gcloud iam service-accounts keys create connect-register.json \
              --iam-account=connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com \
              --project=PROJECT_ID

Configure a service account to audit logs and monitor projects

To create the service account and key file for logging and monitoring:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:

        gcloud services enable --project=PROJECT_ID \
            anthos.googleapis.com \
            anthosaudit.googleapis.com \
            anthosgke.googleapis.com \
            cloudresourcemanager.googleapis.com \
            gkeconnect.googleapis.com \
            gkehub.googleapis.com \
            serviceusage.googleapis.com \
            stackdriver.googleapis.com \
            monitoring.googleapis.com \
            logging.googleapis.com \
            opsconfigmonitoring.googleapis.com

  3. Create the logging-monitoring service account with the necessary roles and download the key file. These steps create the cloud-ops.json key file in the baremetal directory:
    1. Create the service account:

          gcloud iam service-accounts create logging-monitoring-svc-account \
              --project=PROJECT_ID

    2. Grant the roles/logging.logWriter role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/logging.logWriter"

    3. Grant the roles/monitoring.metricWriter role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/monitoring.metricWriter"

    4. Grant the roles/stackdriver.resourceMetadata.writer role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/stackdriver.resourceMetadata.writer"

    5. Grant the roles/opsconfigmonitoring.resourceMetadata.writer role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/opsconfigmonitoring.resourceMetadata.writer"

    6. Grant the roles/monitoring.dashboardEditor role:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
              --role="roles/monitoring.dashboardEditor"

    7. Download the service account JSON key file:

          gcloud iam service-accounts keys create cloud-ops.json \
              --iam-account=logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com \
              --project=PROJECT_ID
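The two procedures above grant a deliberately narrow role set to each of the three service accounts, so it is worth re-checking the project's IAM policy afterwards for drift (a role that was never granted, or an extra one such as roles/owner). The following POSIX shell script is an added example, not part of the Anthos documentation; it assumes the service account names used above and reads the flattened policy that `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"` prints, with a constructed sample policy embedded so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Anthos docs): check that the three service accounts
# created above hold exactly the roles the procedure grants. Policy file format:
# one "ROLE<TAB>MEMBER" line per binding member (gcloud get-iam-policy, flattened).
PROJECT_ID="${PROJECT_ID:-example-project}"   # placeholder project ID
SA_DOMAIN="${PROJECT_ID}.iam.gserviceaccount.com"
# Least-privilege role set per account, exactly as granted in the steps above.
expected_roles() {
  case "$1" in
    connect-agent-svc-account)    echo roles/gkehub.connect ;;
    connect-register-svc-account) echo roles/gkehub.admin ;;
    logging-monitoring-svc-account)
      printf '%s\n' roles/logging.logWriter roles/monitoring.metricWriter \
        roles/stackdriver.resourceMetadata.writer \
        roles/opsconfigmonitoring.resourceMetadata.writer \
        roles/monitoring.dashboardEditor ;;
    *) return 1 ;;
  esac
}

# check_account NAME POLICY_FILE: print MISSING/UNEXPECTED roles for NAME and
# succeed only when its bindings match the expected set exactly.
check_account() {
  member="serviceAccount:$1@${SA_DOMAIN}"
  actual=$(awk -v m="$member" '$2 == m { print $1 }' "$2" | sort -u)
  want=$(expected_roles "$1") || return 1
  rc=0
  for r in $want; do
    echo "$actual" | grep -qx "$r" || { echo "$1: MISSING $r"; rc=1; }
  done
  for r in $actual; do
    echo "$want" | grep -qx "$r" || { echo "$1: UNEXPECTED $r"; rc=1; }
  done
  return $rc
}

# Constructed sample policy: connect-agent is correct, connect-register was
# over-granted roles/owner, and logging-monitoring lacks dashboardEditor.
CA="serviceAccount:connect-agent-svc-account@${SA_DOMAIN}"
CR="serviceAccount:connect-register-svc-account@${SA_DOMAIN}"
LM="serviceAccount:logging-monitoring-svc-account@${SA_DOMAIN}"
SAMPLE_POLICY=$(mktemp)
printf '%s\t%s\n' roles/gkehub.connect "$CA" roles/gkehub.admin "$CR" \
  roles/owner "$CR" roles/owner user:admin@example.com \
  roles/logging.logWriter "$LM" roles/monitoring.metricWriter "$LM" \
  roles/stackdriver.resourceMetadata.writer "$LM" \
  roles/opsconfigmonitoring.resourceMetadata.writer "$LM" > "$SAMPLE_POLICY"
for sa in connect-agent-svc-account connect-register-svc-account logging-monitoring-svc-account; do
  check_account "$sa" "$SAMPLE_POLICY" && echo "$sa: OK"
done
```

Against a real project, replace the constructed file with the gcloud output named in the lead-in; a non-zero exit from check_account means the account's bindings no longer match what the procedure created.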