This page shows how to create an admin cluster.
Generating a configuration file
To create and admin cluster, you need an admin cluster configuration file. If
you used gkeadm
to create your admin workstation, then gkeadm
generated a
template for your configuration file and filled in some of the fields.
If you did not use gkeadm
to create your admin workstation, you can generate
a template by running this command:
gkectl create-config admin --config [OUTPUT_PATH]
where [OUTPUT_PATH] is a path of your choice for the generated
template. If you do not include the --config
flag, gkectl
names the file
admin-cluster.yaml
and puts it in the current directory.
Filling in your configuration file
bundlePath
If you used gkeadm
to create your admin workstation, this field is already
filled in. Otherwise,
provide the path of the bundle file.
vCenter
If you used gkeadm
to create your admin workstation, this section is already
filled in. Otherwise,
provide values for the fields under vCenter
.
network
Decide how you want your cluster nodes to get their IP addresses. The options are:
From a DHCP server. Set
network.ipMode.type
to"dhcp"
.From a list of static IP addresses that you provide. Set
network.ipMode.type
to"static"
, and create a host configuration file that provides the static IP addresses.
Provide values for the remaining fields in the
network
.
section.
loadBalancer
Set aside a VIP for the Kubernetes API server of your admin cluster. Set aside
another VIP for the add-ons server. Provide your VIPs as values for
loadBalancer.controlPlaneVIP
and
loadBalancer.addonsVIP
.
Decide what type of load balancing you want to use. The options are:
Seesaw bundled load balancing. Set
loadBalancer.kind
to"Seesaw"
, and fill in theloadBalancer.seesaw
section.Ingegrated load balancing with F5 BIG-IP. Set
loadBalancer.kind
to"F5BigIP"
, and fill in thef5BigIP
section.Manual load balancing. Set
loadBalancer.kind
to"ManualLB"
, and fill in themanualLB
section.
proxy
If the network that will have your admin cluster nodes is behind a proxy server,
fill in the
proxy
section.
privateRegistry
Decide where you want to keep container images for the GKE on-prem components. The options are:
gcr.io. Do not fill in the
privateRegistry
section.Your own private Docker registry. Fill in the
privateRegistry
section.
gcrKeyPath
Set gcrKeyPath
to the path of the JSON key file for your allowlisted service
account.
stackdriver
Fill in the
stackdriver
section.
cloudAuditLogging
If you want Kubernetes audit logs to be integrated with Cloud Audit Logs, fill
in the
cloudAuditLogging
section.
Validating your configuration file
After you've filled in your admin cluster configuration file, run
gkectl check-config
to verify that the file is valid:
gkectl check-config --config [CONFIG_PATH]
where [CONFIG_PATH] is the path of your admin cluster configuration file.
If the command returns any failure messages, fix the issues and validate the file again.
If you want to skip the more time-consuming validations, pass the --fast
flag.
To skip individual validations, use the --skip-validation-xxx
flags. To
learn more about the check-config
command, see
Running preflight checks.
Running gkectl prepare
Run gkectl prepare
to initialize your vSphere environment:
gkectl prepare --config [CONFIG_PATH] --skip-validation-all
Creating the admin cluster
Create the admin cluster:
gkectl create admin --config [CONFIG_PATH] --skip-validation-all
where [CONFIG_PATH] is the path of your admin cluster configuration file.
The gkectl create admin
command creates a kubeconfig file named
kubeconfig
in the current directory. You will need this kubeconfig file
later to interact with your admin cluster.
Verifying that your admin cluster is running
Verify that your admin cluster is running:
kubectl get nodes --kubeconfig [ADMIN_CLUSTER_KUBECONFIG]
where [ADMIN_CLUSTER_KUBECONFIG] is the path of your kubeconfig file.
The output shows the admin cluster nodes.
Troubleshooting
Diagnosing cluster issues using gkectl
Use gkectl diagnose
commands to identify cluster issues
and share cluster information with Google. See
Diagnosing cluster issues.
Running gkectl
commands verbosely
-v5
Logging gkectl
errors to stderr
--alsologtostderr
Locating gkectl
logs in the admin workstation
Even if you don't pass in its debugging flags, you can view
gkectl
logs in the following admin workstation directory:
/home/ubuntu/.config/gke-on-prem/logs
Locating Cluster API logs in the admin cluster
If a VM fails to start after the admin control plane has started, you can try debugging this by inspecting the Cluster API controllers' logs in the admin cluster:
Find the name of the Cluster API controllers Pod in the
kube-system
namespace, where [ADMIN_CLUSTER_KUBECONFIG] is the path to the admin cluster's kubeconfig file:kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] -n kube-system get pods | grep clusterapi-controllers
Open the Pod's logs, where [POD_NAME] is the name of the Pod. Optionally, use
grep
or a similar tool to search for errors:kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] -n kube-system logs [POD_NAME] vsphere-controller-manager
Debugging F5 BIG-IP issues using the admin cluster control plane node's kubeconfig
After an installation, GKE on-prem generates a kubeconfig file in
the home directory of your admin workstation named
internal-cluster-kubeconfig-debug
. This kubeconfig file is
identical to your admin cluster's kubeconfig, except that it points directly at
the admin cluster's control plane node, where the admin control plane runs. You can use
the internal-cluster-kubeconfig-debug
file to debug F5 BIG-IP
issues.
gkectl check-config
validation fails: can't find F5 BIG-IP partitions
- Symptoms
Validation fails because F5 BIG-IP partitions can't be found, even though they exist.
- Potential causes
An issue with the F5 BIG-IP API can cause validation to fail.
- Resolution
Try running
gkectl check-config
again.
gkectl prepare --validate-attestations
fails: could not validate build attestation
- Symptoms
Running
gkectl prepare
with the optional--validate-attestations
flag returns the following error:could not validate build attestation for gcr.io/gke-on-prem-release/.../...: VIOLATES_POLICY
- Potential causes
An attestation might not exist for the affected image(s).
- Resolution
Try downloading and deploying the admin workstation OVA again, as instructed in Creating an admin workstation. If the issue persists, reach out to Google for assistance.
Debugging using the bootstrap cluster's logs
During installation, GKE on-prem creates a temporary bootstrap cluster. After a successful installation, GKE on-prem deletes the bootstrap cluster, leaving you with your admin cluster and user cluster. Generally, you should have no reason to interact with this cluster.
If something goes wrong during an installation, and you did pass
--cleanup-external-cluster=false
to gkectl create cluster
,
you might find it useful to debug using the bootstrap cluster's logs. You can
find the Pod, and then get its logs:
kubectl --kubeconfig /home/ubuntu/.kube/kind-config-gkectl get pods -n kube-system
kubectl --kubeconfig /home/ubuntu/.kube/kind-config-gkectl -n kube-system get logs [POD_NAME]
For more information, refer to Troubleshooting.