The AWSManagementService resource contains configuration information for your GKE on AWS management service. You configure a YAML file named anthos-gke.yaml before creating your management service. The anthos-gke tool uses the configuration when creating your management service.

The contents of your anthos-gke.yaml file depend on whether you use anthos-gke to create a dedicated AWS Virtual Private Cloud (VPC) for you, or you use an existing AWS VPC.
Dedicated VPC

```yaml
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: ANTHOS_CLI_VERSION
  region: AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - ADMIN_AWS_IAM_ARN
  kmsKeyARN: KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: KMS_KEY_ARN
  googleCloud:
    projectID: GCP_PROJECT_ID
    serviceAccountKeys:
      managementService: MANAGEMENT_KEY_PATH
      connectAgent: CONNECT_KEY_PATH
      node: NODE_KEY_PATH
  iam:
    permissionsBoundary: IAM_PERMISSIONS_BOUNDARY
    path: IAM_PATH
  dedicatedVPC:
    vpcCIDRBlock: VPC_CIDR_BLOCK
    availabilityZones:
    - ZONE_1
    - ZONE_2
    - ZONE_3
    privateSubnetCIDRBlocks:
    - PRIVATE_CIDR_BLOCK_1
    - PRIVATE_CIDR_BLOCK_2
    - PRIVATE_CIDR_BLOCK_3
    publicSubnetCIDRBlocks:
    - PUBLIC_CIDR_BLOCK_1
    - PUBLIC_CIDR_BLOCK_2
    - PUBLIC_CIDR_BLOCK_3
  # Optional section
  rootVolume:
    volumeType: ROOT_VOLUME_TYPE
    iops: ROOT_VOLUME_IOPS
    kmsKeyARN: ROOT_VOLUME_KEY
  dataVolume:
    volumeType: DATA_VOLUME_TYPE
    iops: DATA_VOLUME_IOPS
    kmsKeyARN: DATA_VOLUME_KEY
  tags:
    tag-name: tag-value
  bastionHost:
    allowedSSHCIDRBlocks:
    - SSH_CIDR_BLOCK
    rootVolume:
      volumeType: ROOT_VOLUME_TYPE
      iops: ROOT_VOLUME_IOPS
      kmsKeyARN: ROOT_VOLUME_KEY
  bootstrapS3Bucket: BOOTSTRAP_S3_BUCKET
  proxy: PROXY_JSON_FILE
  terraform:
    invokeManually: No
    stateGCSBucket: GCS_BUCKET_NAME
```
Existing VPC

```yaml
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: ANTHOS_CLI_VERSION
  region: AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - ADMIN_AWS_IAM_ARN
  kmsKeyARN: KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: KMS_KEY_ARN
  securityGroupIDs:
  - SECURITY_GROUP_IDS
  googleCloud:
    projectID: GCP_PROJECT_ID
    serviceAccountKeys:
      managementService: MANAGEMENT_KEY_PATH
      connectAgent: CONNECT_KEY_PATH
      node: NODE_KEY_PATH
  iam:
    permissionsBoundary: IAM_PERMISSIONS_BOUNDARY
    path: IAM_PATH
  existingVPC:
    subnetID: [MANAGEMENT_SUBNET_ID]
    allowedSSHSecurityGroupIDs: [SSH_SECURITY_GROUPS]
  # Optional fields
  rootVolume:
    volumeType: ROOT_VOLUME_TYPE
    iops: ROOT_VOLUME_IOPS
    kmsKeyARN: ROOT_VOLUME_KEY
  dataVolume:
    volumeType: DATA_VOLUME_TYPE
    iops: DATA_VOLUME_IOPS
    kmsKeyARN: DATA_VOLUME_KEY
  ubuntuRepositoryMirror: 'packages.cloud.google.com'
  bastionHost:
    subnetID: [BASTION_HOST_SUBNET_ID]
    allowedSSHCIDRBlocks:
    - [SSH_CIDR_BLOCK]
    rootVolume:
      volumeType: ROOT_VOLUME_TYPE
      iops: ROOT_VOLUME_IOPS
      kmsKeyARN: ROOT_VOLUME_KEY
  bootstrapS3Bucket: BOOTSTRAP_S3_BUCKET
  tags:
    tag-name: tag-value
  proxy: PROXY_JSON_FILE
  terraform:
    invokeManually: No
    stateGCSBucket: GCS_BUCKET_NAME
```
The following sections describe these fields.
spec.version
The value of spec.version is the version of the management service anthos-gke creates. The version matches the output of anthos-gke version. For example, aws-1.14.1-gke.0.
spec.region
The value of spec.region is the AWS region where you want to deploy the management service. For example, us-east-1.
spec.authentication.awsIAM
The value of spec.authentication.awsIAM.adminIdentityARNs is a string with the Amazon resource name (ARN) of an AWS IAM user with permissions to create a GKE on AWS management service. For example, arn:aws:iam::123456789:user/someuser.
spec.kmsKeyARN
The value of spec.kmsKeyARN is a string with the Amazon resource name (ARN) or alias of the AWS KMS key created in Prerequisites. GKE on AWS uses the key for envelope encryption. For example, arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.
spec.databaseEncryption
The value of spec.databaseEncryption.kmsKeyARN is a string with the Amazon resource name (ARN) or key alias of the AWS KMS key that GKE on AWS uses to encrypt application-layer secrets in clusters. For example, arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.
spec.securityGroupIDs
The value of spec.securityGroupIDs is a list of additional AWS security group IDs assigned to the management service VM. For example, [sg-00123456789abcd, sg-00123456789def1].
spec.dedicatedVPC
This field represents the desired VPC settings.

Name | Description | Type | Example |
---|---|---|---|
vpcCIDRBlock | The CIDR block of your desired AWS VPC. Must be between /16 and /28 bits. | string | 10.0.0.0/16 |
availabilityZones | Availability zones to deploy control plane replicas in. Each zone will have its own subnet and needs a separate CIDR block. | list(string) | [us-east-1a, us-east-1b] |
privateSubnetCIDRBlocks | CIDR block for private subnets within the VPC in each availability zone. Needs to be a subset of vpcCIDRBlock. You need to have one subnet per availability zone. | list(string) | [10.0.101.0/24, 10.0.102.0/24] |
publicSubnetCIDRBlocks | CIDR block for public subnets within the VPC in each availability zone. Needs to be a subset of vpcCIDRBlock. You need to have one subnet per availability zone. | list(string) | [10.0.1.0/24, 10.0.2.0/24] |
bastionAllowedSSHCIDRBlocks | CIDR blocks to allow inbound SSH access from. This field is deprecated in GKE on AWS 1.5. Use spec.bastionHost in version 1.5 or higher. | string | [104.132.0.0/14] |
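The subnet constraints in the table above are easy to get wrong by hand, so here is an added example (my own Python, not code from the reference or from the anthos-gke tool) that carves one public and one private subnet per availability zone out of vpcCIDRBlock and then checks the result against the stated rules: the VPC block is between /16 and /28, each list has one entry per availability zone, every subnet is a subset of vpcCIDRBlock, and no two subnets overlap. The function names and the default block offsets (public subnets from the second /24, private subnets from the 102nd, which reproduce the table's 10.0.1.0/24 and 10.0.101.0/24 examples) are my assumptions; it needs only the standard library.

```python
import ipaddress
from typing import Dict, List


def plan_dedicated_vpc(vpc_cidr: str, zones: List[str], subnet_prefix: int = 24,
                       public_start: int = 1, private_start: int = 101) -> Dict:
    """Build a spec.dedicatedVPC block (hypothetical helper, not part of anthos-gke).

    Carves vpc_cidr into /subnet_prefix blocks and hands out one public and one
    private block per availability zone, starting at the given block indexes.
    The defaults reproduce the reference's 10.0.1.0/24 and 10.0.101.0/24 examples.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"vpcCIDRBlock {vpc_cidr} must be between /16 and /28")
    if not zones or len(set(zones)) != len(zones):
        raise ValueError("availabilityZones must be a non-empty list without duplicates")
    if subnet_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    carved = list(vpc.subnets(new_prefix=subnet_prefix))
    n = len(zones)
    if max(public_start, private_start) + n > len(carved):
        raise ValueError(f"{vpc} does not hold enough /{subnet_prefix} blocks for {n} zones")
    if not (public_start + n <= private_start or private_start + n <= public_start):
        raise ValueError("public and private subnet ranges overlap")
    return {
        "vpcCIDRBlock": str(vpc),
        "availabilityZones": list(zones),
        "privateSubnetCIDRBlocks": [str(c) for c in carved[private_start:private_start + n]],
        "publicSubnetCIDRBlocks": [str(c) for c in carved[public_start:public_start + n]],
    }


def check_dedicated_vpc(block: Dict) -> List[str]:
    """Check a spec.dedicatedVPC block against the constraints in the table above."""
    problems: List[str] = []
    try:
        vpc = ipaddress.ip_network(block["vpcCIDRBlock"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"vpcCIDRBlock is missing or invalid: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"vpcCIDRBlock {vpc} must be between /16 and /28")
    zones = block.get("availabilityZones", [])
    nets = []
    for key in ("privateSubnetCIDRBlocks", "publicSubnetCIDRBlocks"):
        cidrs = block.get(key, [])
        if len(cidrs) != len(zones):  # one subnet per availability zone
            problems.append(f"{key} has {len(cidrs)} entries for {len(zones)} availability zones")
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                problems.append(f"{key} entry {cidr!r} is not a valid CIDR block")
                continue
            if not net.subnet_of(vpc):
                problems.append(f"{key} entry {net} is not within vpcCIDRBlock {vpc}")
            nets.append((key, net))
    # Subnets inside one VPC must not overlap each other.
    for i, (key_a, net_a) in enumerate(nets):
        for key_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{key_a} {net_a} overlaps {key_b} {net_b}")
    return problems


if __name__ == "__main__":
    block = plan_dedicated_vpc("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"])
    print(block)
    print("problems:", check_dedicated_vpc(block))
```

Running the script prints a dedicatedVPC block whose lists can be pasted under spec.dedicatedVPC, followed by an empty problem list; feeding check_dedicated_vpc a hand-edited block is a cheap pre-flight check before anthos-gke builds the VPC.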
spec.existingVPC
Fields under spec.existingVPC configure GKE on AWS to use an existing AWS VPC.

Name | Description | Type | Example |
---|---|---|---|
subnetID | Subnet ID where the management service runs. | string | subnet-00123456789ab |
allowedSSHSecurityGroupIDs | List of security group IDs allowed SSH access within the VPC. | list(string) | [sg-00123456789abcd, sg-00123456789def1] |
spec.googleCloud
Fields under spec.googleCloud configure your Google Cloud project and IAM service account keys.

Name | Description | Type | Example |
---|---|---|---|
projectID | Google Cloud project. | string | my-gcp-project-id |
serviceAccountKeys | File paths to the service account keys. | serviceAccountKeys | |
spec.googleCloud.serviceAccountKeys
Fields under spec.googleCloud.serviceAccountKeys include local file paths to the GCP service account keys. See Prerequisites for detailed descriptions of each key.

Name | Description | Type | Example |
---|---|---|---|
managementService | Service account key used by the management cluster | string | path/to/key/management-sa-key.json |
connectAgent | Service account key used by the GKE Hub Connect Agent | string | path/to/key/hub-sa-key.json |
node | Service account key used by the nodes | string | path/to/key/node-sa-key.json |
spec.iam
Fields under spec.iam configure optional AWS IAM parameters for your GKE on AWS environment.

Name | Description | Type | Example |
---|---|---|---|
permissionsBoundary | ARN of the permissions boundary for IAM roles | string | arn:aws:iam::126285863215:policy/testPolicyBoundary |
path | Path to the IAM role | string | /org_abc/team_abc/member_abc/ |
spec.bastionHost
The spec.bastionHost section is optional and describes a bastion host.

A bastion host is an EC2 instance placed in a public subnet. It allows inbound SSH access from a specified CIDR block and has outbound SSH access into your GKE on AWS management service and user clusters.

You can create a bastion host for either dedicatedVPC or existingVPC installations. The allowedSSHCIDRBlocks field specifies the inbound range of addresses allowed, and must be non-empty.

If a bastion host does not exist, GKE on AWS creates a new bastion host.
- For a dedicatedVPC installation, GKE on AWS creates a subnet.
- For an existingVPC installation, you need to provide a subnet for the bastion host and ensure that this subnet has connectivity into your VPC.

You can modify your bastion host by changing or deleting the spec.bastionHost field and running anthos-gke aws management init, followed by anthos-gke aws management apply.

Name | Description | Type | Example |
---|---|---|---|
subnetID | The ID of the subnet where the bastion host runs. For existingVPC installations, the subnet must allow ingress from where you will access it on port 22. Also, make sure your VPC allows inbound access from this subnet. For dedicatedVPC installations, do not specify this field. GKE on AWS will provision the subnet with the required access. | string | subnet-003bdf7b0f5e21e45 |
allowedSSHCIDRBlocks | CIDR blocks to allow inbound SSH access from. | list(string) | [104.132.0.0/14] |
rootVolume | An object describing the bastion host's root volume. | object | {volumeType: gp2} |
spec.rootVolume, spec.dataVolume, and spec.bastionHost.rootVolume
The following table describes the fields common to these objects:
- spec.rootVolume, for control plane root disk volumes
- spec.dataVolume, for control plane data disk volumes
- spec.bastionHost.rootVolume, for bastion host root disk volumes

Name | Description | Type | Example | Required |
---|---|---|---|---|
volumeType | The node's AWS EBS volume type. Can be gp2 (default) or gp3. | string | gp2 | no |
iops | The amount of provisioned IO operations per second (IOPS) for volumes. Only valid when volumeType is gp3. For more information, see General Purpose SSD volumes (gp3). | integer | 5000 | no |
kmsKeyARN | The ARN of the AWS KMS key used to encrypt the EBS volume. For more information, see Using a customer managed CMK to encrypt volumes. | string | arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee | no |
spec.tags

Name | Description | Type | Example |
---|---|---|---|
tags | Optional key/value metadata assigned to each AWS resource supporting the management service. | map(string) | {Environment: Production, Team: Analytics} |
spec.proxy
The spec.proxy field configures an optional HTTP/HTTPS proxy.

Name | Description | Type | Example |
---|---|---|---|
proxy | Path to proxy configuration file. | Relative path from anthos-gke.yaml | proxy.json |
spec.bootstrapS3Bucket
The spec.bootstrapS3Bucket field configures an S3 bucket name for GKE on AWS.

Name | Description | Type | Example |
---|---|---|---|
bootstrapS3Bucket | Optional field for the AWS S3 bucket name where GKE on AWS stores configuration information. If you want to create multiple GKE on AWS management services in the same AWS region, set this value to a unique bucket name. | string | example-s3-bucket |
spec.terraform
The spec.terraform.invokeManually field configures the anthos-gke command to not create a management service.

Name | Description | Type | Example |
---|---|---|---|
invokeManually | Optional field that configures the anthos-gke command-line tool not to create a management service after building and validating your configuration. If you set invokeManually to Yes, you can edit and apply the Terraform configuration files manually. | Yes, No | Yes |
stateGCSBucket | Optional field that specifies a pre-existing Google Cloud Storage bucket for Terraform to store its configuration data. | string | example-GCS-bucket |
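Several of the rules spread across the spec.existingVPC, spec.bastionHost, spec.rootVolume/spec.dataVolume and spec.terraform sections above are checked only once anthos-gke runs. The following Python linter, an added example that is neither part of this reference nor of the anthos-gke tool, applies those rules to a parsed spec: exactly one of dedicatedVPC or existingVPC, a non-empty adminIdentityARNs list, KMS key references for spec.kmsKeyARN and spec.databaseEncryption.kmsKeyARN, a non-empty allowedSSHCIDRBlocks on the bastion host, bastionHost.subnetID present for existingVPC and absent for dedicatedVPC, iops only together with gp3, and invokeManually restricted to Yes or No. The warning on a 0.0.0.0/0 SSH block and the loose ARN patterns are my own additions, not rules from the page, and SAMPLE_SPEC is a constructed dict with placeholder identifiers standing in for what a YAML parser returns for the spec: block. Because a YAML 1.1 parser such as PyYAML reads an unquoted Yes or No as a boolean, the linter accepts both the string and the boolean forms.

```python
import copy
import ipaddress
import re
from typing import Any, Dict, List

# Loose shapes for the identifiers the reference shows; these patterns are my
# own assumption, not a definition taken from anthos-gke.
KMS_REF = re.compile(r"^(arn:aws:kms:[a-z0-9-]+:\d+:(key|alias)/\S+|alias/\S+)$")
IAM_ARN = re.compile(r"^arn:aws:iam::\d+:(user|role)/\S+$")


def _check_volume(name: str, vol: Dict[str, Any], findings: List[str]) -> None:
    """Rules from the spec.rootVolume / spec.dataVolume table."""
    vtype = vol.get("volumeType", "gp2")  # gp2 is the documented default
    if vtype not in ("gp2", "gp3"):
        findings.append(f"{name}.volumeType must be gp2 or gp3, got {vtype!r}")
    if "iops" in vol and vtype != "gp3":
        findings.append(f"{name}.iops is only valid when volumeType is gp3")
    kms = vol.get("kmsKeyARN")
    if kms is not None and not KMS_REF.match(str(kms)):
        findings.append(f"{name}.kmsKeyARN is not a KMS key ARN or alias")


def lint_management_spec(spec: Dict[str, Any]) -> List[str]:
    """Return the problems found in the spec: block of an AWSManagementService."""
    findings: List[str] = []
    has_dedicated = "dedicatedVPC" in spec
    has_existing = "existingVPC" in spec
    if has_dedicated == has_existing:
        findings.append("spec must contain exactly one of dedicatedVPC or existingVPC")

    admins = spec.get("authentication", {}).get("awsIAM", {}).get("adminIdentityARNs") or []
    if not admins:
        findings.append("authentication.awsIAM.adminIdentityARNs must not be empty")
    for arn in admins:
        if not IAM_ARN.match(str(arn)):
            findings.append(f"adminIdentityARNs entry {arn!r} is not an IAM user or role ARN")

    # Both the envelope-encryption key and the secrets-encryption key must be set.
    kms_refs = (
        ("kmsKeyARN", spec.get("kmsKeyARN")),
        ("databaseEncryption.kmsKeyARN", spec.get("databaseEncryption", {}).get("kmsKeyARN")),
    )
    for path, value in kms_refs:
        if not value:
            findings.append(f"{path} is required")
        elif not KMS_REF.match(str(value)):
            findings.append(f"{path} is not a KMS key ARN or alias")

    if has_existing:
        ev = spec["existingVPC"]
        if not str(ev.get("subnetID", "")).startswith("subnet-"):
            findings.append("existingVPC.subnetID must be an AWS subnet ID")
        for sg in list(ev.get("allowedSSHSecurityGroupIDs", [])) + list(spec.get("securityGroupIDs", [])):
            if not str(sg).startswith("sg-"):
                findings.append(f"security group ID {sg!r} is not an sg- identifier")

    bastion = spec.get("bastionHost")
    if bastion is not None:
        cidrs = bastion.get("allowedSSHCIDRBlocks") or []
        if not cidrs:
            findings.append("bastionHost.allowedSSHCIDRBlocks must be non-empty")
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(str(cidr), strict=False)
            except ValueError:
                findings.append(f"bastionHost.allowedSSHCIDRBlocks entry {cidr!r} is not a CIDR block")
                continue
            if net.prefixlen == 0:  # my own hardening check, not a rule from the reference
                findings.append(f"bastionHost.allowedSSHCIDRBlocks {cidr} exposes SSH to the whole internet")
        if has_existing and "subnetID" not in bastion:
            findings.append("bastionHost.subnetID is required for existingVPC installations")
        if has_dedicated and "subnetID" in bastion:
            findings.append("bastionHost.subnetID must not be set for dedicatedVPC installations")
        if "rootVolume" in bastion:
            _check_volume("bastionHost.rootVolume", bastion["rootVolume"], findings)

    for name in ("rootVolume", "dataVolume"):
        if name in spec:
            _check_volume(name, spec[name], findings)

    # PyYAML (YAML 1.1) turns an unquoted Yes/No into True/False, so accept both forms.
    tf = spec.get("terraform", {})
    if "invokeManually" in tf and tf["invokeManually"] not in ("Yes", "No", True, False):
        findings.append("terraform.invokeManually must be Yes or No")
    return findings


# Constructed sample spec (placeholder identifiers, existing-VPC layout) carrying
# three deliberate problems for the linter to report.
SAMPLE_SPEC: Dict[str, Any] = {
    "version": "aws-1.14.1-gke.0",
    "region": "us-east-1",
    "authentication": {"awsIAM": {"adminIdentityARNs": ["arn:aws:iam::123456789:user/someuser"]}},
    "kmsKeyARN": "arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "databaseEncryption": {"kmsKeyARN": "alias/example-secrets-key"},
    "securityGroupIDs": ["sg-00123456789abcd"],
    "existingVPC": {"subnetID": "subnet-00123456789ab", "allowedSSHSecurityGroupIDs": ["sg-00123456789def1"]},
    "rootVolume": {"volumeType": "gp2", "iops": 5000},
    "bastionHost": {"allowedSSHCIDRBlocks": ["0.0.0.0/0"]},
    "terraform": {"invokeManually": "No"},
}


def hardened_sample() -> Dict[str, Any]:
    """SAMPLE_SPEC with its three problems corrected."""
    fixed = copy.deepcopy(SAMPLE_SPEC)
    fixed["rootVolume"]["volumeType"] = "gp3"
    fixed["bastionHost"] = {"subnetID": "subnet-003bdf7b0f5e21e45", "allowedSSHCIDRBlocks": ["104.132.0.0/14"]}
    return fixed


if __name__ == "__main__":
    for line in lint_management_spec(SAMPLE_SPEC):
        print("FINDING:", line)
    print("hardened sample findings:", lint_management_spec(hardened_sample()))
```

Run on SAMPLE_SPEC the linter reports the open SSH block, the missing bastion subnet for an existingVPC installation and the iops setting on a gp2 volume; the hardened copy passes cleanly. To lint a real file, load it with a YAML parser and pass the spec: mapping to lint_management_spec.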