Deploying Kubernetes applications to non-GKE clusters

If you want to deploy a Kubernetes application to non-GKE cluster configurations, such as a GKE On-Prem cluster, or a cluster running Istio, you must complete the tasks in this section, as applicable.

Depending on the application you are deploying, there might be additional steps to run the app on your cluster. Refer to the application vendor's documentation for information on configuring the application.

Deploying to clusters that run Istio

On clusters that run Istio, external connections to third-party services (such as OS package repositories) are blocked by default. You must configure Istio egress traffic to enable access to external services.

Deploying to GKE On-Prem

If you are deploying an application to a GKE On-Prem cluster, you must complete the tasks described below before you deploy the application.

After you have completed these tasks, open the application's GCP Marketplace listing, and follow the steps to deploy the application.

Set up network access to Container Registry

To download the container images for the application, make sure that your cluster has network access to Container Registry. Your cluster host must be able to ping marketplace.gcr.io. To enable access, you might need to do one or more of the following:

Set up Docker authentication to access Container Registry

To give your GKE On-Prem cluster access to application images in Container Registry, you must create a GCP service account key, and annotate the application's namespace with the key. The key is then patched as an imagePullSecret to the namespace's default Kubernetes Service Account (KSA) when you deploy the application.

The first time you deploy an application to a GKE On-Prem cluster, you must also create a namespace called application-system and apply an imagePullSecret to the default service account for the namespace.

Follow these steps to set up authentication to Container Registry:

  1. Create a new GCP service account. You do not need to grant any roles to the service account.

    For steps to create a service account, see Creating and managing service accounts.

  2. Create a key for the service account, and download it as a JSON file. For steps to create and download the key, see Creating and managing service account keys.

  3. If applicable, upload the JSON key to the workstation that you use to connect to your GKE On-Prem cluster.

  4. If you are deploying an application from GCP Marketplace for the first time, follow these steps to set up your application-system namespace with a Secret to access Container Registry. If you have already set up the namespace, skip this step.

    1. Create an application-system namespace in your cluster.

    2. Create the Secret that contains an imagePullSecret for application-system, using the following command:

      # Path to the downloaded JSON key, relative to your home directory
      JSON_KEY_FILENAME=path_to/service_account_key.json
      IMAGEPULLSECRET_NAME=gcr-json-key
      kubectl create secret docker-registry $IMAGEPULLSECRET_NAME \
        --namespace="application-system" \
        --docker-server=gcr.io \
        --docker-username=_json_key \
        --docker-password="$(cat ~/$JSON_KEY_FILENAME)"
      
    3. Apply this imagePullSecret to the default ServiceAccount in the application-system namespace, using the following command:

      kubectl patch sa default -n application-system -p '{"imagePullSecrets": [{"name": "gcr-json-key"}]}'
      
  5. For each namespace that you want to deploy an application to, do the following:

    1. Create a Kubernetes Secret to access Container Registry using the GCP service account key:

      # Path to the downloaded JSON key, relative to your home directory
      JSON_KEY_FILENAME=path_to/service_account_key.json
      IMAGEPULLSECRET_NAME=gcr-json-key
      kubectl create secret docker-registry $IMAGEPULLSECRET_NAME \
        --namespace="$NAMESPACE_NAME" \
        --docker-server=gcr.io \
        --docker-username=_json_key \
        --docker-password="$(cat ~/$JSON_KEY_FILENAME)"
      

      Where $NAMESPACE_NAME is the namespace that you want to use for the application.

    2. Annotate the application's namespace using the following command:

      kubectl annotate namespace $NAMESPACE_NAME marketplace.cloud.google.com/imagePullSecret=$IMAGEPULLSECRET_NAME
      

      You must use this namespace when you deploy the app from GCP Marketplace, described in Deploying a Kubernetes app.
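
To confirm that the steps above took effect, the following added example (not part of the original documentation) checks the Secret type, its registry entry, and the ServiceAccount or namespace wiring without ever printing the key. It assumes kubectl is configured for the cluster; the function name check_pull_secret is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes kubectl is on PATH and
# configured for the GKE On-Prem cluster. check_pull_secret is a hypothetical name.

# check_pull_secret NAMESPACE [SECRET_NAME]
# Prints one line per finding and returns 0 only if every check passes.
# The decoded registry config holds the private key, so it is never printed.
check_pull_secret() {
  ns="$1"; name="${2:-gcr-json-key}"; rc=0

  # 1. The Secret exists and has the type that `create secret docker-registry` sets.
  stype="$(kubectl get secret "$name" -n "$ns" -o jsonpath='{.type}' 2>/dev/null)"
  if [ "$stype" != "kubernetes.io/dockerconfigjson" ]; then
    echo "FAIL $ns: secret $name missing or wrong type (${stype:-none})"; rc=1
  fi

  # 2. It targets gcr.io with the _json_key username. Assumes the compact JSON
  #    layout that kubectl writes: {"auths":{"gcr.io":{"username":"_json_key",...
  cfg="$(kubectl get secret "$name" -n "$ns" \
          -o jsonpath='{.data.\.dockerconfigjson}' 2>/dev/null | base64 -d 2>/dev/null)"
  case "$cfg" in
    *'"gcr.io"'*'"username":"_json_key"'*) ;;
    *) echo "FAIL $ns: secret $name is not a gcr.io/_json_key credential"; rc=1 ;;
  esac
  cfg=""   # drop the decoded key material as soon as it has been checked

  # 3. Wiring: application-system is patched by hand onto the default
  #    ServiceAccount; other namespaces are annotated and patched on deploy.
  if [ "$ns" = "application-system" ]; then
    refs="$(kubectl get sa default -n "$ns" \
             -o jsonpath='{.imagePullSecrets[*].name}' 2>/dev/null)"
    case " $refs " in
      *" $name "*) ;;
      *) echo "FAIL $ns: default ServiceAccount does not reference $name"; rc=1 ;;
    esac
  else
    ann="$(kubectl get namespace "$ns" -o \
      jsonpath='{.metadata.annotations.marketplace\.cloud\.google\.com/imagePullSecret}' \
      2>/dev/null)"
    if [ "$ann" != "$name" ]; then
      echo "FAIL $ns: namespace annotation is '${ann:-unset}', expected '$name'"; rc=1
    fi
  fi

  if [ "$rc" -eq 0 ]; then echo "OK   $ns: pull secret $name is in place"; fi
  return "$rc"
}
```

Call `check_pull_secret application-system` once, then `check_pull_secret "$NAMESPACE_NAME"` for each application namespace before you deploy.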
