This page describes the fields in the admin cluster configuration file.
Generating a template for your configuration file
If you used gkeadm to create your admin workstation, then gkeadm generated a template for your admin cluster configuration file. Also, gkeadm filled in some of the fields for you.
If you did not use gkeadm to create your admin workstation, you can use gkectl to generate a template for your admin cluster configuration file.
To generate a template for your admin cluster configuration file:
gkectl create-config admin --config=[OUTPUT_FILENAME]
where [OUTPUT_FILENAME] is a path of your choice for the generated template. If you omit this flag, gkectl names the file admin-cluster.yaml and puts it in the current directory.
Filling in your configuration file
In your configuration file, enter field values as described in the following sections.
bundlePath
String. The path of your GKE on-prem bundle file.
The GKE on-prem full bundle file contains all of the components in a particular release of GKE on-prem. When you create an admin workstation, it comes with a full bundle at:
/var/lib/gke/bundles/gke-onprem-vsphere-[VERSION]-full.tgz
For example:
bundlePath: "/var/lib/gke/bundles/gke-onprem-vsphere-1.4.3-gke.3-full.tgz"
vCenter
This section holds information about your vSphere environment.
vCenter.address
String. The IP address or the hostname of your vCenter server.
Before you fill in the address field, download and inspect the serving certificate of your vCenter server. Enter the following command to download the certificate and save it to a file named vcenter.pem:
true | openssl s_client -connect [VCENTER_IP]:443 -showcerts 2>/dev/null | sed -ne '/-BEGIN/,/-END/p' > vcenter.pem
where [VCENTER_IP] is the IP address of your vCenter Server.
Open the certificate file to see the Subject Common Name and the Subject Alternative Name:
openssl x509 -in vcenter.pem -text -noout
The output shows the Subject Common Name (CN). This might be an IP address, or it might be a hostname. For example:
Subject: ... CN = 203.0.113.100
Subject: ... CN = my-vcenter-server.my-domain.example
The output might also include one or more DNS names under Subject Alternative Name:
X509v3 Subject Alternative Name: DNS:vcenter.my-domain.example
Choose the Subject Common Name or one of the DNS names under Subject Alternative Name to use as the value of vCenter.address in your configuration file. For example:
vCenter:
  address: "203.0.113.100"
  ...
vCenter:
  address: "my-vcenter-server.my-domain.example"
  ...
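As an added example that is not part of this reference, the following Python script parses the text output of the openssl x509 command above, collects the Subject CN and the Subject Alternative Name entries, and reports whether a candidate vCenter.address is asserted by the certificate and where. The embedded certificate text is constructed sample data modelled on openssl's output format, not a real vCenter certificate.

```python
import re

# Constructed sample of `openssl x509 -in vcenter.pem -text -noout` output (not a real
# vCenter certificate). The CN is an IP address and the SAN carries two DNS names.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = CA, DC = vsphere, DC = local
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: C = US, CN = 203.0.113.100
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vcenter.my-domain.example, DNS:my-vcenter-server.my-domain.example
"""


def parse_subject_names(x509_text):
    """Return (cn, sans): the Subject CN (or None) and the DNS / IP Address SAN entries."""
    cn = None
    # Only the "Subject:" line; "Subject Public Key Info:" and the Issuer line do not match.
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", x509_text, re.MULTILINE)
    if m:
        cn = m.group(1).strip()
    sans = []
    # The SAN values are printed on the line after the extension name.
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("DNS", "IP Address"):
                sans.append(value.strip())
    return cn, sans


def address_match(address, x509_text):
    """Return "san" or "cn" depending on where `address` is asserted, or None if it is not."""
    cn, sans = parse_subject_names(x509_text)
    wanted = address.strip().lower()
    if wanted in (s.lower() for s in sans):
        return "san"
    if cn and wanted == cn.lower():
        return "cn"
    return None


if __name__ == "__main__":
    for candidate in ("203.0.113.100", "vcenter.my-domain.example", "vcenter-old.my-domain.example"):
        print(candidate, "->", address_match(candidate, SAMPLE_X509_TEXT))
```

The function distinguishes a SAN match from a CN-only match because most current TLS clients consult only the Subject Alternative Name when that extension is present; when the certificate carries SAN entries, choosing one of them for vCenter.address is the safer option.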
vCenter.credentials.username
String. A vCenter Server user account. The user account should have the Administrator role or equivalent privileges. See vSphere requirements.
For example:
vCenter:
  credentials:
    username: "my-account@vsphere.local"
vCenter.credentials.password
String. The password for the vCenter Server user account. For example:
vCenter:
  credentials:
    password: "#STyZ2T#Ko2o"
vCenter.datastore
String. The name of your vCenter datastore. For example:
vCenter:
  datastore: "MY-DATASTORE"
vCenter.resourcePool
String. The name of your vCenter resource pool.
If you are using a non-default resource pool, provide the name of your vCenter resource pool. For example:
vCenter:
  resourcePool: "MY-POOL"
If you are using the default resource pool, provide the following value:
vCenter:
  resourcePool: "[VCENTER_CLUSTER]/Resources"
where [VCENTER_CLUSTER] is the name of your vCenter cluster.
See Specifying the root resource pool for a standalone host.
vCenter.caCertPath
String. When a client, like GKE on-prem, sends a request to your vCenter server, the server must prove its identity to the client by presenting a certificate or a certificate bundle. To verify the certificate or bundle, GKE on-prem must have the root certificate in the chain of trust.
Set vCenter.caCertPath to the path of the root certificate. For example:
vCenter:
  caCertPath: "/usr/local/google/home/me/certs/vcenter-ca-cert.pem"
Your VMware installation has a certificate authority (CA) that issues a certificate to your vCenter server. The root certificate in the chain of trust is a self-signed certificate created by VMware.
If you do not want to use the VMware CA, which is the default, you can configure VMware to use a different certificate authority.
If your vCenter server uses a certificate issued by the default VMware CA, download the certificate as follows:
curl -k "https://[SERVER_ADDRESS]/certs/download.zip" > download.zip
where [SERVER_ADDRESS] is the address of your vCenter server. Because -k skips TLS verification for this bootstrap download, confirm the downloaded root certificate out of band (for example, by comparing its fingerprint with the one your vSphere administrator reports) before pointing vCenter.caCertPath at it.
Install the unzip command and unzip the certificate file:
sudo apt-get install unzip
unzip download.zip
If the unzip command doesn't work the first time, enter the command again.
Find the certificate file in certs/lin.
vCenter.datacenter
String. The name of your vCenter datacenter. For example:
vCenter:
  datacenter: "MY-DATACENTER"
vCenter.cluster
String. The name of your vCenter cluster. For example:
vCenter:
  cluster: "MY-CLUSTER"
vCenter.dataDisk
String. GKE on-prem creates a virtual machine disk (VMDK) to hold Kubernetes object data. The installer creates the VMDK for you, but you must provide a name for the VMDK in the vCenter.dataDisk field. For example:
vCenter:
  dataDisk: "my-disk.vmdk"
network
This section holds information about your admin cluster network.
network.ipMode.type
String. If you want your cluster nodes to get their IP address from a DHCP server, set this to "dhcp". If you want your cluster nodes to have static IP addresses chosen from a list that you provide, set this to "static". For example:
network:
  ipMode:
    type: "static"
network.serviceCIDR and network.podCIDR
Strings. The admin cluster must have a range of IP addresses to use for Services and a range of IP addresses to use for Pods. These ranges are specified by the network.serviceCIDR and network.podCIDR fields. These fields are populated with default values. If you like, you can change the populated values to values of your choice.
The Service and Pod ranges must not overlap. Also, the Service and Pod ranges must not overlap with IP addresses that are used for nodes in any cluster.
For example:
network:
  ...
  serviceCIDR: "10.96.232.0/24"
  podCIDR: "192.168.0.0/16"
network.vCenter.networkName
String. The name of the vSphere network for your cluster nodes.
If the name contains a special character, you must use an escape sequence for it.
Special character | Escape sequence
---|---
Slash (/) | %2f
Backslash (\) | %5c
Percent sign (%) | %25
If the network name is not unique, it is possible to specify a path to the network, such as /DATACENTER/network/NETWORK_NAME.
For example:
network:
  vCenter:
    networkName: "MY-CLUSTER-NETWORK"
network.ipBlockFilePath
If you set ipMode.type to "static", fill in this field. If you set ipMode.type to "dhcp", remove this field or leave it commented out.
String. The path of the hostconfig file for your admin cluster. For example:
network:
  ipBlockFilePath: "/my-config-directory/admin-hostconfig.yaml"
loadBalancer
This section holds information about the load balancer for your admin cluster.
loadBalancer.vips.controlPlaneVIP
String. The IP address that you have chosen to configure on the load balancer for the Kubernetes API server of the admin cluster. For example:
loadBalancer:
  vips:
    controlPlaneVIP: "203.0.113.3"
loadBalancer.vips.addonsVIP
String. The IP address you have chosen to configure on the load balancer for add-ons. For example:
loadBalancer:
  vips:
    addonsVIP: "203.0.113.4"
loadBalancer.kind
String. Set this to "Seesaw", "F5BigIP", or "ManualLB". For example:
loadBalancer:
  kind: "Seesaw"
loadBalancer.manualLB
If you set loadBalancer.kind to "ManualLB", fill in this section. Otherwise, remove this section or leave it commented out.
loadBalancer.manualLB.controlPlaneNodePort
Integer. The Kubernetes API server in the admin cluster is implemented as a Service of type NodePort. You must choose a nodePort value for the Service. Set this field to the nodePort value. For example:
loadBalancer:
  manualLB:
    controlPlaneNodePort: 30968
loadBalancer.manualLB.addonsNodePort
Integer. The add-ons server in the admin cluster is implemented as a Service of type NodePort. You must choose a nodePort value for the Service. Set this field to the nodePort value. For example:
loadBalancer:
  manualLB:
    addonsNodePort: 31405
loadBalancer.f5BigIP
If you set loadBalancer.kind to "F5BigIP", fill in this section. Otherwise, remove this section or leave it commented out.
loadBalancer.f5BigIP.address
String. The address of your F5 BIG-IP load balancer. For example:
loadBalancer:
  f5BigIP:
    address: "203.0.113.2"
loadBalancer.f5BigIP.credentials.username
String. The username of an account that GKE on-prem can use to connect to your F5 BIG-IP load balancer. For example:
loadBalancer:
  f5BigIP:
    credentials:
      username: "my-admin-f5-name"
loadBalancer.f5BigIP.credentials.password
String. The password that GKE on-prem can use to connect to your F5 BIG-IP load balancer. For example:
loadBalancer:
  f5BigIP:
    credentials:
      password: "rJDlm^%7aOzw"
loadBalancer.f5BigIP.partition
String. The name of a BIG-IP partition that you created for your admin cluster. For example:
loadBalancer:
  f5BigIP:
    partition: "my-f5-admin-partition"
loadBalancer.f5BigIP.snatPoolName
String. If you are using SNAT, the name of your SNAT pool. If you are not using SNAT, remove this field or leave it commented out. For example:
loadBalancer:
  f5BigIP:
    snatPoolName: "my-snat-pool"
loadBalancer.seesaw
If you set loadBalancer.kind to "Seesaw", fill in this section. Otherwise, remove this section or leave it commented out.
loadBalancer.seesaw.ipBlockFilePath
String. Set this to the path of the hostconfig file for your Seesaw VM. For example:
loadBalancer:
  seesaw:
    ipBlockFilePath: "admin-seesaw-hostconfig.yaml"
loadBalancer.seesaw.vrid
Integer. The virtual router identifier of your Seesaw VM. This identifier must be unique in a VLAN. Valid range is 1-255. For example:
loadBalancer:
  seesaw:
    vrid: 125
loadBalancer.seesaw.masterIP
String. The VIP of your Seesaw VM or VM pair. For example:
loadBalancer:
  seesaw:
    masterIP: "172.16.20.21"
loadBalancer.seesaw.cpus
Integer. The number of CPUs for your Seesaw VM. For example:
loadBalancer:
  seesaw:
    cpus: 8
loadBalancer.seesaw.memoryMB
Integer. The number of megabytes of memory for your Seesaw VM. For example:
loadBalancer:
  seesaw:
    memoryMB: 8192
loadBalancer.seesaw.vCenter.networkName
String. The name of the network that contains your Seesaw VMs. For example:
loadBalancer:
  seesaw:
    vCenter:
      networkName: "my-seesaw-network"
loadBalancer.seesaw.enableHA
Boolean. If you want to create a highly-available Seesaw load balancer, set this to true. Otherwise set this to false. For example:
loadBalancer:
  seesaw:
    enableHA: true
proxy
If your network is behind a proxy server, fill in this section. Otherwise, remove this section.
proxy.url
String. The HTTP address of your proxy server. Include the port number even if it's the same as the scheme's default port. For example:
proxy:
  url: "http://my-proxy.example.local:80"
The proxy server you specify here is used by your GKE on-prem clusters. Also, your admin workstation is automatically configured to use this same proxy server unless you set the HTTPS_PROXY environment variable on your admin workstation.
If you specify proxy.url, you must also specify proxy.noProxy.
proxy.noProxy
String. A comma-separated list of IP addresses, IP address ranges, host names, and domain names that should not go through the proxy server. When GKE on-prem sends a request to one of these addresses, hosts, or domains, the request is sent directly. For example:
proxy:
  noProxy: "10.151.222.0/24, my-host.example.local,10.151.2.1"
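The rules spread across the network, loadBalancer and proxy sections above (Service and Pod ranges must not overlap each other or any node address, a static ipMode needs ipBlockFilePath, loadBalancer.kind must be one of three values with its matching section present, nodePort and vrid values have fixed ranges, and proxy.url needs an explicit port plus a proxy.noProxy list) are easy to get wrong by hand. The following Python script, an added example that is not part of this reference or of gkectl, checks them over the configuration once it has been parsed into a dict, and also applies the networkName escape table. The configuration and node addresses are constructed from the placeholders used in this reference; the NodePort range is the Kubernetes default.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed admin cluster configuration, already parsed into a dict (the shape a YAML
# loader produces from admin-cluster.yaml). Values are this reference's placeholders.
SAMPLE_CONFIG = {
    "network": {
        "ipMode": {"type": "static"},
        "serviceCIDR": "10.96.232.0/24",
        "podCIDR": "192.168.0.0/16",
        "vCenter": {"networkName": "MY-CLUSTER-NETWORK"},
        "ipBlockFilePath": "/my-config-directory/admin-hostconfig.yaml",
    },
    "loadBalancer": {
        "kind": "Seesaw",
        "vips": {"controlPlaneVIP": "203.0.113.3", "addonsVIP": "203.0.113.4"},
        "seesaw": {"vrid": 125, "masterIP": "172.16.20.21", "enableHA": True},
    },
    "proxy": {
        "url": "http://my-proxy.example.local:80",
        "noProxy": "10.151.222.0/24, my-host.example.local,10.151.2.1",
    },
}

# Node addresses as a hostconfig file would list them (constructed), for the overlap check.
SAMPLE_NODE_IPS = ["172.16.20.10", "172.16.20.11", "172.16.20.12"]

NODEPORT_RANGE = range(30000, 32768)  # default Kubernetes NodePort range
VRID_RANGE = range(1, 256)            # VRRP virtual router identifier range
LB_SECTION = {"Seesaw": "seesaw", "F5BigIP": "f5BigIP", "ManualLB": "manualLB"}


def escape_network_name(name):
    """Apply the escape sequences listed for network.vCenter.networkName to a single
    network name (not to a /DATACENTER/network/NAME path, whose slashes are separators)."""
    out = name.replace("%", "%25")  # '%' first, so the other escapes are not re-escaped
    return out.replace("/", "%2f").replace("\\", "%5c")


def validate_admin_config(cfg, node_ips):
    """Return a list of problems found in the dict; an empty list means all checks passed."""
    problems = []

    # Service and Pod ranges: must not overlap each other or any node address.
    net = cfg.get("network", {})
    svc = ipaddress.ip_network(net["serviceCIDR"], strict=False)
    pod = ipaddress.ip_network(net["podCIDR"], strict=False)
    if svc.overlaps(pod):
        problems.append("network.serviceCIDR and network.podCIDR overlap")
    for ip in node_ips:
        if ipaddress.ip_address(ip) in svc or ipaddress.ip_address(ip) in pod:
            problems.append(f"node IP {ip} lies inside the Service or Pod range")
    if net.get("ipMode", {}).get("type") == "static" and not net.get("ipBlockFilePath"):
        problems.append('ipMode.type is "static" but network.ipBlockFilePath is not set')

    # Load balancer: a known kind, its matching section, valid VIPs, and in-range values.
    lb = cfg.get("loadBalancer", {})
    kind = lb.get("kind")
    if kind not in LB_SECTION:
        problems.append(f"loadBalancer.kind {kind!r} is not Seesaw, F5BigIP or ManualLB")
    elif LB_SECTION[kind] not in lb:
        problems.append(f"loadBalancer.kind is {kind} but loadBalancer.{LB_SECTION[kind]} is missing")
    for vip in ("controlPlaneVIP", "addonsVIP"):
        try:
            ipaddress.ip_address(lb.get("vips", {}).get(vip, ""))
        except ValueError:
            problems.append(f"loadBalancer.vips.{vip} is not a valid IP address")
    if kind == "ManualLB":
        for port_field in ("controlPlaneNodePort", "addonsNodePort"):
            port = lb.get("manualLB", {}).get(port_field)
            if port not in NODEPORT_RANGE:
                problems.append(f"loadBalancer.manualLB.{port_field}={port} is outside 30000-32767")
    if kind == "Seesaw" and lb.get("seesaw", {}).get("vrid") not in VRID_RANGE:
        problems.append("loadBalancer.seesaw.vrid must be in 1-255")

    # Proxy: explicit port in the URL, a noProxy list, and well-formed noProxy CIDRs.
    proxy = cfg.get("proxy")
    if proxy:
        parts = urlsplit(proxy.get("url", ""))
        if parts.scheme not in ("http", "https") or not parts.hostname or parts.port is None:
            problems.append("proxy.url must be a URL with a scheme and an explicit port")
        entries = [e.strip() for e in proxy.get("noProxy", "").split(",") if e.strip()]
        if not entries:
            problems.append("proxy.url is set but proxy.noProxy is empty")
        for entry in entries:
            if "/" in entry:
                try:
                    ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    problems.append(f"proxy.noProxy entry {entry!r} is not a valid CIDR")
    return problems


if __name__ == "__main__":
    for line in validate_admin_config(SAMPLE_CONFIG, SAMPLE_NODE_IPS) or ["no problems found"]:
        print(line)
```

Feed it the node addresses from your admin hostconfig file, and run it before gkectl so that a range collision or an out-of-range vrid is caught before any VMs are created.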
privateRegistry
If you have a private Docker registry, fill in this section. Otherwise, remove this section or leave it commented out.
privateRegistry.address
String. The IP address of the machine that runs your private Docker registry. For example:
privateRegistry:
  address: "203.0.113.10"
privateRegistry.credentials.username
String. The username of an account that GKE on-prem can use to access your private Docker registry. For example:
privateRegistry:
  credentials:
    username: "my-registry-account"
privateRegistry.credentials.password
String. The password for the account that GKE on-prem can use to access your private Docker registry. For example:
privateRegistry:
  credentials:
    password: "H0!%fwH0rBnh"
privateRegistry.caCertPath
String. When Docker pulls an image from your private registry, the registry must prove its identity by presenting a certificate. The registry's certificate is signed by a certificate authority (CA). Docker uses the CA's certificate to validate the registry's certificate.
Set this field to the path of the CA's certificate. For example:
privateRegistry:
  caCertPath: "my-cert-folder/registry-ca.crt"
gcrKeyPath
String. The path of the JSON key file for your allowlisted service account. For example:
gcrKeyPath: "my-key-folder/whitelisted-key.json"
stackdriver
This section holds information about the project and service account that you want to use for storing logs and metrics.
stackdriver.projectID
String. The project ID of the Google Cloud project where you want to view logs. For example:
stackdriver:
  projectID: "my-logs-project"
stackdriver.clusterLocation
String. The Google Cloud region where you want to store logs. It is a good idea to choose a region that is near your on-prem data center. For example:
stackdriver:
  clusterLocation: "us-central1"
stackdriver.enableVPC
Boolean. If your cluster's network is controlled by a VPC, set this field to true. This ensures that all telemetry flows through Google's restricted IP addresses. Otherwise, set this field to false. For example:
stackdriver:
  enableVPC: false
stackdriver.serviceAccountKeyPath
String. The path of the JSON key file for your logging-monitoring service account. For example:
stackdriver:
  serviceAccountKeyPath: "my-key-folder/log-mon-key.json"
cloudAuditLogging
If you want to integrate the audit logs from your cluster's Kubernetes API server with Cloud Audit Logs, fill in this section. Otherwise, remove this section or leave it commented out.
cloudAuditLogging.projectID
String. The project ID of the Google Cloud project where you want to view audit logs. For example:
cloudAuditLogging:
  projectID: "my-audit-project"
cloudAuditLogging.clusterLocation
String. The Google Cloud region where you want to store audit logs. It is a good idea to choose a region that is near your on-prem data center. For example:
cloudAuditLogging:
  clusterLocation: "us-central1"
cloudAuditLogging.serviceAccountKeyPath
String. The path of the JSON key file for your audit-logging service account. For example:
cloudAuditLogging:
  serviceAccountKeyPath: "my-key-folder/audit-log-key.json"