Topik ini mencantumkan persyaratan untuk menginstal dan mengonfigurasi GKE di AWS.
Siapkan workstation
Untuk menginstal dan mengupgrade GKE pada penginstalan AWS, Anda harus memiliki akses ke workstation yang menjalankan Linux atau MacOS. Dokumentasi ini mengasumsikan bahwa Anda menggunakan bash shell di Linux atau macOS. Jika tidak memiliki akses ke lingkungan shell reguler, Anda dapat menggunakan Cloud Shell.
Alat
Untuk menyelesaikan penginstalan GKE di AWS, Anda perlu menginstal alat berikut.
- Alat command line
anthos-gke
- Alat command line
terraform
- Alat command line
kubectl
Anda akan menginstal alat ini saat menyelesaikan Prasyarat.
Networking
Workstation penyiapan Anda harus memiliki akses jaringan ke VPC Anda pada port 443.
Persyaratan izin IAM di Google Cloud
Untuk menginstal komponen Google Cloud dari GKE di AWS, Anda memerlukan izin Identity and Access Management berikut.
- Pemilik Project
- Project Owner perlu mengaktifkan API pada project di Google Cloud yang Anda hubungkan ke GKE di layanan pengelolaan AWS.
- Pemilik Bucket Penyimpanan
- Setelah mengaktifkan API di project, Anda memerlukan pengguna dengan izin Storage Object Admin.
Persyaratan izin IAM AWS
Bagian ini menjelaskan izin IAM AWS yang diperlukan untuk GKE di AWS dari penginstalan default yang dibuat dengan anthos-gke init
dan saat menginstal aplikasi ke VPC AWS yang sudah ada.
Pengguna ini harus memiliki akses ke:
Untuk izin khusus, lihat bagian berikut.
AWS Key Management Service (KMS)
GKE di AWS memerlukan kunci AWS KMS untuk mengenkripsi rahasia lapisan aplikasi dalam cluster. Sebelum menginstal GKE di AWS, Anda memerlukan nama resource Amazon (ARN) KMS di region yang sama dengan cluster pengguna atau izin untuk membuat kunci KMS.
Penginstalan default
Saat menginstal GKE di AWS dengan anthos-gke init
, Anda memerlukan pengguna IAM AWS yang dikonfigurasi di AWS CLI.
Izin VPC khusus
Jika mengonfigurasi GKE di AWS di VPC khusus, Anda memerlukan setidaknya izin berikut.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities",
"autoscaling:UpdateAutoScalingGroup",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateLaunchTemplate",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ImportKeyPair",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteInstanceProfile",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagRole",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:Decrypt",
"kms:Encrypt",
"s3:CreateBucket",
"s3:PutBucketTagging",
"s3:PutObject",
"s3:PutObjectTagging"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Izin VPC sendiri
Izin berikut diperlukan untuk menggunakan GKE di AWS dengan AWS VPC Anda sendiri.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities",
"autoscaling:UpdateAutoScalingGroup",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateKeyPair",
"ec2:CreateLaunchTemplate",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstances",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DisassociateAddress",
"ec2:ImportKeyPair",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteInstanceProfile",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagRole",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:Decrypt",
"kms:Encrypt",
"s3:CreateBucket",
"s3:PutBucketTagging",
"s3:PutObject",
"s3:PutObjectTagging"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Akses domain keluar
GKE di AWS memerlukan akses keluar ke domain berikut.
gkeconnect.googleapis.com
gkehub.googleapis.com
oauth2.googleapis.com
storage.googleapis.com
www.googleapis.com
gcr.io
k8s.gcr.io
EC2-REGION.ec2.archive.ubuntu.com
Ganti EC2-REGION dengan region AWS EC2 tempat penginstalan GKE di AWS berjalan. Misalnya,
us-west-1.ec2.archive.ubuntu.com/
.
Jika Anda menggunakan Cloud Service Mesh dengan Prometheus dan Kiali, izinkan akses keluar dari domain berikut:
docker.io
quay.io
Izin beban kerja
Untuk menjalankan beban kerja di cluster pengguna, akses AWS tidak diperlukan. Anda dapat mengakses GKE di cluster pengguna AWS dengan Connect atau OIDC.