Deploying Kubernetes applications to non-GKE clusters

If you want to deploy a Kubernetes application to non-GKE cluster configurations, such as an Anthos cluster running GKE on-prem, or a cluster running Istio, you must complete the tasks in this section, as applicable.

Depending on the application you are deploying, there might be additional steps to run the app on your cluster. Refer to the application vendor's documentation for information on configuring the application.

Go to Anthos apps in Cloud Marketplace

Deploying to clusters that run Istio

On clusters that run Istio, external connections to third-party services (such as OS package repositories) are blocked by default. You must configure Istio egress traffic to enable access to external services.

Deploying to GKE on-prem

You can only deploy GKE on-prem clusters to Cloud Marketplace applications that support this configuration. To verify whether an application supports GKE on-prem, open the application's Cloud Marketplace listing and look for the following statement in the Overview: "The application supports GKE On Prem deployment."

After verifying the application supports GKE on-prem, complete these tasks before you deploy the application:

After you have completed these tasks, open the application's Cloud Marketplace listing, and follow the steps to deploy the application.

Set up network access to Container Registry

To download the container images for the application, make sure that your cluster has network access to Container Registry. Your cluster host must be able to ping marketplace.gcr.io. To enable access, you might need to do one or more of the following:

Set up Docker authentication to access Container Registry

To give your GKE on-prem cluster access to application images in Container Registry, you must create a Google Cloud service account key, and annotate the application's namespace with the key. The key is then patched as an imagePullSecret to the namespace's default Kubernetes Service Account (KSA) when you deploy the application.

The first time you deploy an application to a GKE on-prem cluster, you must also create a namespace called application-system for Cloud Marketplace components, and apply an imagePullSecret to the default service account for the namespace.

Follow these steps to set up authentication to Container Registry:

  1. Create a new Google Cloud service account. You do not need to grant any roles to the service account.

    For steps to create a service account, see Creating and managing service accounts.

  2. Create a key for the service account, and download it as a JSON file. For steps to create and download the key, see Creating and managing service account keys.

  3. If applicable, upload the JSON key to the workstation that you use to connect to your GKE on-prem cluster.

  4. If you are deploying an application from Cloud Marketplace for the first time, follow these steps to set up your application-system namespace with a Secret to access Container Registry. If you have already set up the namespace, skip this step.

    1. Create an application-system namespace in your cluster.

    2. Create the Secret that contains an imagePullSecret for application-system, using the following command:

      JSON_KEY_FILENAME=path_to/service_account_key.json
      IMAGEPULLSECRET_NAME=gcr-json-key
      kubectl create secret docker-registry $IMAGEPULLSECRET_NAME \
        --namespace="application-system" \
        --docker-server=gcr.io \
        --docker-username=_json_key \
        --docker-password="$(cat $JSON_KEY_FILENAME)"
      
    3. Apply this imagePullSecret to the default ServiceAccount in the application-system namespace, using the following command:

      kubectl patch sa default -n application-system -p '"imagePullSecrets": [{"name": "gcr-json-key" }]'
      
  5. For each namespace that you want to deploy an application to, you must create a new Kubernetes Secret and annotate the namespace with the Secret. You cannot reuse a Secret from another namespace.

    1. Create a Kubernetes Secret to access Container Registry using the Google Cloud service account key:

      JSON_KEY_FILENAME=path_to/service_account_key.json
      IMAGEPULLSECRET_NAME=gcr-json-key
      kubectl create secret docker-registry $IMAGEPULLSECRET_NAME \
        --namespace=$NAMESPACE_NAME \
        --docker-server=gcr.io \
        --docker-username=_json_key \
        --docker-password="$(cat ~/$JSON_KEY_FILENAME)"
      

      Where $NAMESPACE_NAME is the namespace that you want to use for the application.

    2. Annotate the application's namespace using the following command:

      kubectl annotate namespace $NAMESPACE_NAME marketplace.cloud.google.com/imagePullSecret=$IMAGEPULLSECRET_NAME
      

      Use this namespace when you deploy the app from Cloud Marketplace, described in Deploying a Kubernetes app.