Version 1.12. This is the most recent version. It's supported as outlined in the Anthos version support policy, offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on bare metal. For release details, see the release notes 1.12. For a complete list of each minor and patch release in chronological order, see the combined release notes.

For version 1.12, the documentation structure has changed. See New documentation structure.

Available supported versions: 1.12  |   1.11  |   1.10  |  

Enable Google services and service accounts

In addition to meeting the installation, hardware, and operating system prerequisites, you must configure and set up Google Cloud projects, APIs, and service accounts to run Anthos clusters on bare metal.

Note that the bmctl command can automatically enable service accounts and APIs at cluster creation time, but you can also manually set up these services for finer control of operations.

Enable APIs

In order to enable APIs in your project, one of the following roles needs to have been assigned to your account: roles/owner, roles/editor, or roles/serviceusage.serviceUsageAdmin.

For additional information, see Grant a single role.

Set your default Cloud project ID and roles

You can set your default project id in addition to configuring service accounts.

You must have owner or editor roles on your project for Anthos clusters on bare metal.

To set the default project, issue the following command, and replace PROJECT_ID with your Google Cloud project ID:

gcloud config set project PROJECT_ID

Configure service accounts manually

The bmctl command of Anthos clusters on bare metal can automatically set up Google service accounts and APIs when you create clusters.

However, for more control over your system, or to streamline cluster creation with a default set of services, accounts, and projects, you can set up these services manually.

Anthos clusters on bare metal connects your clusters to Google Cloud. This connection enables the following functionality:

  • Connect to connect your bare metal cluster to Google Cloud. This enables access to cluster and to workload management features, including a unified user interface, Cloud console, to interact with your cluster.
  • Logging and Monitoring to view logs and metrics from the cluster in the Cloud console.
  • Automatic uploads of cluster snapshots to Cloud Storage buckets.

The process for manually configuring access includes:

  • Enabling the necessary Google services in your Cloud project.
  • Creating the following service accounts with the necessary roles:
    • connect-agent service account: Connect uses this service account to maintain a connection between your cluster and Google Cloud.
    • connect-register service account: Connect uses this service account to register your clusters with Google Cloud.
    • logging-monitoring service account: Connect uses this service account to export logs and metrics from clusters to Logging and Monitoring.
    • storage-agent service account: bmctl uses this service account to automatically store snapshots of clusters to Cloud Storage.

  • Downloading the JSON key files for each service account.

You then add references to the JSON key files to the appropriate cluster config files. See Creating clusters: overview for more information.

Configure service accounts for use with Connect

To create the service accounts and key files:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:
  3. gcloud services enable --project=PROJECT_ID \
        gkeconnect.googleapis.com \
        gkehub.googleapis.com \
        cloudresourcemanager.googleapis.com \
        anthos.googleapis.com
  4. Create the connect-agent service account with the necessary role and download the key file. These steps create the connect-agent.json key file in the baremetal directory:
    1. Create service account:
    2. gcloud iam service-accounts create connect-agent-svc-account --project=PROJECT_ID
    3. Grant the gkehub.connect role:
    4. gcloud projects add-iam-policy-binding  PROJECT_ID \
          --member="serviceAccount:connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/gkehub.connect"
    5. Download the service account JSON key file:
    6. gcloud iam service-accounts keys create connect-agent.json \
          --project=PROJECT_ID \
          --iam-account=connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com
      
  5. Create the connect-register service account with the necessary role and download the key file. These steps create the connect-register.json key file in the baremetal directory:
    1. Create service account:
    2. gcloud iam service-accounts create connect-register-svc-account \
          --project=PROJECT_ID
    3. Grant the gkehub.admin role:
    4. gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role=roles/gkehub.admin
    5. Download the service account JSON key file:
    6. gcloud iam service-accounts keys create connect-register.json \
          --project=PROJECT_ID \
          --iam-account=connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com
      

Configure a service account to audit logs and monitor projects

To create the service account and key file for logging and monitoring:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:
  3. gcloud services enable --project PROJECT_ID \
        anthos.googleapis.com \
        anthosaudit.googleapis.com \
        anthosgke.googleapis.com \
        cloudresourcemanager.googleapis.com \
        gkeconnect.googleapis.com \
        gkehub.googleapis.com \
        serviceusage.googleapis.com \
        stackdriver.googleapis.com \
        monitoring.googleapis.com \
        logging.googleapis.com \
        opsconfigmonitoring.googleapis.com
    
  4. Create the logging-monitoring service account with the necessary roles and download the key file. These steps create the cloud-ops.json key file in the baremetal directory:
    1. Create service account
    2. gcloud iam service-accounts create logging-monitoring-svc-account \
          --project=PROJECT_ID
      
    3. Grant the logging.logWriter role
    4. gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/logging.logWriter"
      
    5. Grant the monitoring.metricWriter role
    6. gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/monitoring.metricWriter"
      
    7. Grant the roles/stackdriver.resourceMetadata.writer role
    8. gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/stackdriver.resourceMetadata.writer"
      
    9. Grant the roles/opsconfigmonitoring.resourceMetadata.writer role
    10. gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/opsconfigmonitoring.resourceMetadata.writer"
      
    11. Grant the roles/monitoring.dashboardEditor role
    12. gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/monitoring.dashboardEditor"
      
    13. Download the service account JSON key file:
    14. gcloud iam service-accounts keys create cloud-ops.json \
          --project=PROJECT_ID \
          --iam-account=logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com
      

Configure a service account that can access a Cloud Storage bucket

You use a service account and key file to access Cloud Storage. You can use this service account to enable snapshots of clusters to be automatically uploaded to Cloud Storage buckets, or to import virtual machine (VM) images from Cloud Storage buckets for use with Anthos VM Runtime.

To create the service account and key file, complete the following steps:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:
  3. gcloud services enable --project=PROJECT_ID \
        storage.googleapis.com
  4. Create a service account that your cluster can use to access Cloud Storage buckets:
  5. gcloud iam service-accounts create storage-agent-svc-account \
      --project=PROJECT_ID
  6. Grant a storage.admin role to the service account so that the service account can upload data to a Cloud Storage bucket or import VM images:
  7. gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:storage-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/storage.admin"
    
  8. Download the service account JSON key file:
  9. gcloud iam service-accounts keys create storage-agent.json \
        --iam-account=storage-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com

For more information about how to create cluster snapshots and automatically upload them to a Cloud Storage bucket, see Create snapshots to help diagnose cluster problems.

For more information on how to import VM images from Cloud Storage, see Create and use credentials to import images from Cloud Storage for Anthos VM Runtime.