If you want to deploy a Kubernetes application to non-GKE cluster configurations, such as an Anthos cluster running Anthos clusters on VMware, or a cluster running Istio, you must complete the tasks in this section, as applicable.
Depending on the application you are deploying, there might be additional steps to run the app on your cluster. Refer to the application vendor's documentation for information on configuring the application.
Go to Anthos apps in Cloud Marketplace
Deploying to clusters that run Istio
On clusters that run Istio, external connections to third-party services (such as OS package repositories) are blocked by default. You must configure Istio egress traffic to enable access to external services.
Deploying to Anthos clusters on VMware
You can deploy to Anthos clusters on VMware only those Cloud Marketplace applications that support this configuration. To verify whether an application supports Anthos clusters on VMware, open the application's Cloud Marketplace listing and look for the following statement in the Overview: "The application supports GKE On Prem deployment."
After verifying the application supports Anthos clusters on VMware, complete these tasks before you deploy the application:
If you are deploying the application from Cloud Marketplace, you must sign in to your Anthos clusters on VMware cluster using a token or credentials for a Kubernetes Service Account (KSA) that has the Kubernetes cluster-admin role.
If you are deploying using the command line, you must have the cluster-admin role for the Anthos clusters on VMware cluster.
You must set up network access to Container Registry so that your cluster can download the application's container images.
You must set up Docker authentication on your Anthos clusters on VMware cluster so that it can access the application's images in Container Registry.
After you have completed these tasks, open the application's Cloud Marketplace listing, and follow the steps to deploy the application.
Set up network access to Container Registry
To download the container images for the application, make sure that your cluster has network access to Container Registry. Your cluster host must be able to ping marketplace.gcr.io. To enable access, you might need to do one or more of the following:
Create a firewall rule to allow access to marketplace.gcr.io.
If you are using an HTTP or HTTPS proxy, allow marketplace.gcr.io/*, and configure the Docker daemon to pull images through your proxy.
For detailed steps, see Proxy and firewall rules.
If you are using Virtual Private Cloud (VPC), configure your host for private Google access.
If you want to use a private registry for your Anthos clusters on VMware installation, set up your Docker registry and copy the images from the application.
For detailed steps, see Configuring a private Docker registry for installation.
Set up Docker authentication to access Container Registry
To give your Anthos clusters on VMware cluster access to application images in Container Registry, you must create a Google Cloud service account key, and annotate the application's namespace with the key. The key is then patched as an imagePullSecret to the namespace's default Kubernetes Service Account (KSA) when you deploy the application.
The first time you deploy an application to an Anthos clusters on VMware cluster, you must also create a namespace called application-system for Cloud Marketplace components, and apply an imagePullSecret to the default service account for the namespace.
Follow these steps to set up authentication to Container Registry:
Create a new Google Cloud service account. You do not need to grant any roles to the service account.
For steps to create a service account, see Creating and managing service accounts.
Create a key for the service account, and download it as a JSON file. For steps to create and download the key, see Creating and managing service account keys.
If applicable, upload the JSON key to the workstation that you use to connect to your Anthos clusters on VMware cluster.
If you are deploying an application from Cloud Marketplace for the first time, follow these steps to set up your application-system namespace with a Secret to access Container Registry. If you have already set up the namespace, skip this step.
Create an application-system namespace in your cluster.
Create the Secret that contains an imagePullSecret for application-system, using the following command:

JSON_KEY_FILENAME=path_to/service_account_key.json
IMAGEPULLSECRET_NAME=gcr-json-key
kubectl create secret docker-registry "$IMAGEPULLSECRET_NAME" \
  --namespace="application-system" \
  --docker-server=gcr.io \
  --docker-username=_json_key \
  --docker-password="$(cat "$JSON_KEY_FILENAME")"

Apply this imagePullSecret to the default ServiceAccount in the application-system namespace, using the following command:

kubectl patch sa default -n application-system -p '{"imagePullSecrets": [{"name": "gcr-json-key"}]}'

For each namespace that you want to deploy an application to, you must create a new Kubernetes Secret and annotate the namespace with the Secret. You cannot reuse a Secret from another namespace.
Create a Kubernetes Secret to access Container Registry using the Google Cloud service account key:

JSON_KEY_FILENAME=path_to/service_account_key.json
IMAGEPULLSECRET_NAME=gcr-json-key
kubectl create secret docker-registry "$IMAGEPULLSECRET_NAME" \
  --namespace="$NAMESPACE_NAME" \
  --docker-server=gcr.io \
  --docker-username=_json_key \
  --docker-password="$(cat "$JSON_KEY_FILENAME")"

Where $NAMESPACE_NAME is the namespace that you want to use for the application.
Annotate the application's namespace using the following command:

kubectl annotate namespace "$NAMESPACE_NAME" marketplace.cloud.google.com/imagePullSecret="$IMAGEPULLSECRET_NAME"

Use this namespace when you deploy the app from Cloud Marketplace, described in Deploying a Kubernetes app.
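
A post-setup check for the authentication steps above, as an added example that is not part of the original documentation: it confirms that a namespace's annotation names a docker-registry Secret that exists in that same namespace and holds a gcr.io _json_key credential, and that a default ServiceAccount references a given Secret. The function names are hypothetical, and the string match assumes the compact JSON that kubectl create secret docker-registry writes.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Requires kubectl (pointed at the target cluster) and base64.
# Usage: . ./check_pull_secret.sh && check_pull_secret my-namespace

# Annotation key from the page, with dots escaped for kubectl jsonpath.
ANNOTATION='marketplace\.cloud\.google\.com/imagePullSecret'

check_pull_secret() {
  ns=$1
  # 1. The namespace annotation names the Secret to use.
  secret=$(kubectl get namespace "$ns" \
    -o jsonpath="{.metadata.annotations.$ANNOTATION}") || return 2
  if [ -z "$secret" ]; then
    echo "FAIL: namespace $ns has no imagePullSecret annotation"; return 1
  fi
  # 2. The Secret must live in this same namespace (a Secret from another
  #    namespace cannot be reused) and be a docker-registry Secret.
  type=$(kubectl get secret "$secret" -n "$ns" \
    -o jsonpath='{.type}' 2>/dev/null) || type=""
  if [ "$type" != "kubernetes.io/dockerconfigjson" ]; then
    echo "FAIL: secret $secret missing in $ns or wrong type '$type'"; return 1
  fi
  # 3. The stored credential must target gcr.io with the _json_key user.
  cfg=$(kubectl get secret "$secret" -n "$ns" \
    -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d) || cfg=""
  case $cfg in
    *'"gcr.io"'*'"username":"_json_key"'*) ;;
    *) echo "FAIL: $secret is not a gcr.io _json_key credential"; return 1 ;;
  esac
  echo "OK: $ns pulls with $secret"
}

# For application-system: the default ServiceAccount must list the Secret.
check_default_sa() {
  ns=$1; want=$2
  names=$(kubectl get serviceaccount default -n "$ns" \
    -o jsonpath='{.imagePullSecrets[*].name}') || return 2
  case " $names " in
    *" $want "*) echo "OK: default SA in $ns references $want" ;;
    *) echo "FAIL: default SA in $ns does not reference $want"; return 1 ;;
  esac
}
```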