This document shows how to create an admin workstation, for Anthos clusters on VMware (GKE on-prem), that you can use to create clusters.
The steps in this document use the
gkeadm command-line tool, which is
available for 64-bit Linux, Windows 10, Windows Server 2019, and macOS 10.15
The instructions here are complete. For a shorter introduction to creating an admin workstation, see Create an admin workstation (quickstart).
Before you begin
Create one or more Cloud projects as described in Using multiple Google Cloud projects.
Planning your service accounts
When you use
gkeadm to create an admin workstation, you have the option of
gkeadm create most of your service accounts and keys for you. In that
gkeadm also grants the appropriate Identity and Access Management roles to the service
As an alternative, you can create your service accounts and keys manually. In that case, you must manually grant IAM roles to your service accounts.
Creating service accounts manually gives you more flexibility than having
gkeadm create them for you:
Automatically created service accounts are all children of your connect project. When you create a service account manually, you can choose the parent Cloud project.
Automatically created service accounts are all granted IAM roles on your connect project. This is fine if your connect project is the only Cloud project associated with your clusters. But if you want to associate your clusters with multiple Cloud projects, then you need the flexibility to grant roles to a service account on a Cloud project of your choice.
If you decide to create your own service accounts, follow the instructions in Service accounts and keys.
Regardless of whether you have
gkeadm create service accounts
for you automatically, there is one service account that you must create
manually: your component access service account. For instructions on how to create
your component access service account and grant it the appropriate
IAM roles, see
Component access service account.
Generating templates for your configuration files
gkeadm to your current directory.
./gkeadm create config
The preceding command created these files in your current directory:
credential.yaml, fill in your vCenter username and password. For example:
kind: CredentialFile items: - name: vCenter username: "my-account-name" password: "AadmpqGPqq!a"
Several fields in
admin-ws-config.yaml are already filled in with default
or generated values. You can keep the populated values or make changes as you
See the fields that are already filled in.
vCenter: credentials: fileRef: path: credential.yaml entry: vCenter adminWorkstation: name: gke-admin-ws-... cpus: 4 memoryMB: 8192 diskGB: 50 dataDiskName: gke-on-prem-admin-workstation-data-disk,,,.vmdk dataDiskMB: 512 network: ntpServer: ntp.ubuntu.com
Fields that you must fill in
Fill in the following required fields. For information on how to fill in the fields, Admin workstation configuration file.
gcp: whitelistedServiceAccountKeyPath: "Fill in" vCenter: credentials: address: "Fill in" datacenter: "Fill in" datastore: "Fill in" cluster: "Fill in" network: "Fill in" resourcePool: "Fill in" caCertPath: "Fill in"
If your admin workstation will be behind a proxy server, fill in the
adminWorkstation: proxyURL: "Fill in"
If you want your admin workstation to get its IP address from a DHCP server,
"dhcp", and remove the
adminWorkstation: network: ipAllocationMode: "dhcp"
If you want to specify a static IP address for your admin workstation, set
"static", and fill in the
adminWorkstation: network: ipAllocationMode: "static" hostconfig: ip: "Fill in" gateway: "Fill in" netmask: "Fill in" dns: - "Fill in"
Creating your admin workstation
Enter this command to create your admin workstation. If you want
gkeadm to create service accounts for you, include the
--auto-create-service-accounts flag. If you want to manually create
your own service accounts, omit the flag.
./gkeadm create admin-workstation [--auto-create-service-accounts]
The output gives detailed information about the creation of your admin workstation:
... Getting ... service account... ... ******************************************************************** Admin workstation is ready to use. Admin workstation information saved to /usr/local/google/home/me/my-admin-workstation This file is required for future upgrades SSH into the admin workstation with the following command: ssh -i /usr/local/google/home/me/.ssh/gke-admin-workstation email@example.com ********************************************************************
Getting an SSH connection to your admin workstation
Near the end of the preceding output there is a command you can use to get an SSH connection to your admin workstation. Enter that command now. For example:
ssh -i /usr/local/google/home/me/.ssh/gke-admin-workstation firstname.lastname@example.org
List the files on your admin workstation:
In the output, you can see two cluster configuration files, your CA
certificate file, and the JSON key file for your component access service
gkeadm created service accounts for you, you can also
see the JSON key files for those service accounts:
admin-cluster.yaml user-cluster.yaml vcenter-ca-cert.pem component-access-key.json
gkeadm activated your component access service account on your
gcloud config get-value account
Copying JSON key file to your admin workstation
Before you create a cluster, the JSON key files for your service accounts must be on your admin workstation in the home directory.
The key for your component access service account is already on your admin workstation.
If you included the
--auto-create-service-accounts flag when you ran
gkeadm create admin-workstation, then then the keys for the following service
accounts are already on your admin workstation in the home directory. Otherwise
you must manually copy the keys to the home directory of your admin workstation:
- Connect-register service account
- Connect-agent service account
- Logging-monitoring service account
If you created any of the following service accounts, you must manually copy the keys for those service accounts to the home directory of your admin workstation:
- Usage metering service account
- Audit logging service account
- Binary authorization service account