事前準備
總覽
GKE 叢集必須符合下列規定:
建議使用專為 Kf 打造的叢集,但這並非必要條件。建議您只安裝 Kf 和其依附元件,確保相容性矩陣維持不變。
至少四個節點。如要新增節點,請參閱調整叢集大小。
至少有四個 vCPU 的最低機器類型,例如
e2-standard-4。如果叢集的機器類型沒有至少四個 vCPU,請按照「將工作負載遷移至其他機器類型」一文的說明變更機器類型。建議您在發布管道中註冊叢集 (選用)。如果使用靜態 GKE 版本,請按照「在發布版本中註冊現有叢集」一文中的操作說明進行。
已啟用 Workload Identity。
已啟用 Artifact Registry。
具有下列 IAM 政策的 Google 服務帳戶 (建立說明請參閱下方連結):
roles/iam.serviceAccountAdminserviceAccount:${CLUSTER_PROJECT}.svc.id.goog[kf/controller](成員:serviceAccount:${CLUSTER_PROJECT}.svc.id.goog[kf/controller])
啟用 Compute Engine 支援
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
- 啟用 Compute Engine API。
- 啟用 Google Kubernetes Engine API。 啟用 Google Kubernetes Engine API
- 如要使用 Google Cloud CLI 執行這項工作,請安裝並初始化 gcloud CLI。如果您先前已安裝 gcloud CLI,請執行
gcloud components update指令,取得最新版本。較舊的 gcloud CLI 版本可能不支援執行本文件中的指令。 建立 Kf 將使用的服務帳戶。
gcloud iam service-accounts create ${CLUSTER_NAME}-sa \ --project=${CLUSTER_PROJECT_ID} \ --description="GSA for Kf ${CLUSTER_NAME}" \ --display-name="${CLUSTER_NAME}"允許服務帳戶修改自己的政策。Kf 控制器會使用這項資訊,在政策中新增 (名稱) 空間,以便重複使用 Workload Identity。
gcloud iam service-accounts add-iam-policy-binding ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \ --project=${CLUSTER_PROJECT_ID} \ --role="roles/iam.serviceAccountAdmin" \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"授予監控指標角色,取得 Cloud Monitoring 的寫入存取權。
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/monitoring.metricWriter"授予記錄角色,取得 Cloud Logging 的寫入權限。
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role="roles/logging.logWriter"建立 Artifact Registry 存放區,用於儲存容器映像檔。
gcloud artifacts repositories create ${CLUSTER_NAME} \ --repository-format=docker \ --location=${COMPUTE_REGION}授予服務帳戶 Artifact Registry 存放區的權限。
gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \ --location=${COMPUTE_REGION} \ --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \ --role='roles/artifactregistry.writer'設定本機驗證。
gcloud auth configure-docker ${COMPUTE_REGION}-docker.pkg.dev安裝 Tekton:
kubectl apply -f "https://github.com/tektoncd/pipeline/releases/download/${TEKTON_VERSION}/release.yaml"如要建立叢集並準備執行 Kf,請參閱「建立並準備 GKE 叢集以執行 Kf」。
選取並記下所需的 Kf 版本。請參閱 Kf 下載頁面,瞭解可用版本
安裝 CLI:
Linux
系統會為所有使用者安裝
kf。按照「Cloud Shell」分頁中的操作說明,為自己安裝。gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-linux /tmp/kfchmod a+x /tmp/kfsudo mv /tmp/kf /usr/local/bin/kfMac
系統會為所有使用者安裝
kf。gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-darwin /tmp/kfchmod a+x /tmp/kfsudo mv /tmp/kf /usr/local/bin/kfCloud Shell
如果您使用
bash,這會在 Cloud Shell 執行個體上安裝kf。如果是其他殼層,您可能需要修改指令。mkdir -p ~/bingcloud storage cp gs://kf-releases/${KF_VERSION}/kf-linux ~/bin/kfchmod a+x ~/bin/kfecho "export PATH=$HOME/bin:$PATH" >> ~/.bashrcsource ~/.bashrcWindows
這會將
kf下載到目前的目錄。如要從目前目錄以外的任何位置呼叫,請將其新增至路徑。gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-windows.exe kf.exe安裝伺服器元件:
Linux 與 Mac
這會將 kf.yaml 下載到目前目錄。
gcloud storage cp gs://kf-releases/${KF_VERSION}/kf.yaml /tmp/kf.yamlkubectl apply -f /tmp/kf.yamlWindows
這會將 kf.yaml 下載到目前目錄。
gcloud storage cp gs://kf-releases/${KF_VERSION}/kf.yaml kf.yamlkubectl apply -f kf.yaml設定密鑰:
export WI_ANNOTATION=iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com kubectl annotate serviceaccount controller ${WI_ANNOTATION} \ --namespace kf \ --overwrite echo "{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"metadata\":{\"name\":\"config-secrets\", \"namespace\":\"kf\"},\"data\":{\"wi.googleServiceAccount\":\"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com\"}}" | kubectl apply -f -設定 Kf 預設值,這些值稍後可以變更。以下範例使用網域範本和萬用字元 DNS 供應商,為每個空間提供專屬網域名稱:
export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME} export DOMAIN='$(SPACE_NAME).$(CLUSTER_INGRESS_IP).nip.io' kubectl patch configmaps config-defaults \ -n=kf \ -p="{\"data\":{\"spaceContainerRegistry\":\"${CONTAINER_REGISTRY}\",\"spaceClusterDomains\":\"- domain: ${DOMAIN}\"}}"驗證安裝:
kf doctor --retries 10
啟用及設定 GKE
開始之前,請確認您已完成下列工作:
建立及準備新的 GKE 叢集
設定環境變數
Linux
export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE}
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default
export KF_VERSION=v2.2.0
export TEKTON_VERSION=v0.19.0
Windows Powershell
Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID Set-Variable -Name CLUSTER_NAME -Value kf-cluster Set-Variable -Name COMPUTE_ZONE -Value us-central1-a Set-Variable -Name COMPUTE_REGION -Value us-central1 Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE Set-Variable -Name NODE_COUNT -Value 4 Set-Variable -Name MACHINE_TYPE -Value e2-standard-4 Set-Variable -Name NETWORK -Value default Set-Variable -Name KF_VERSION -Value v2.2.0 Set-Variable -Name TEKTON_VERSION -Value v0.19.0
設定服務帳戶
建立 GCP 服務帳戶 (GSA),並透過 Workload Identity 與 Kubernetes 服務帳戶建立關聯。這樣就不需要建立及插入服務帳戶金鑰。
建立 GKE 叢集
gcloud container clusters create ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION} \
--num-nodes=${NODE_COUNT} \
--machine-type=${MACHINE_TYPE} \
--network=${NETWORK} \
--addons=HttpLoadBalancing,HorizontalPodAutoscaling,NetworkPolicy \
--enable-stackdriver-kubernetes \
--enable-ip-alias \
--enable-network-policy \
--enable-autorepair \
--enable-autoupgrade \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--release-channel=regular \
--workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
--service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"設定防火牆規則
Kf 需要開啟部分防火牆通訊埠。主節點必須能透過通訊埠 80、443、8080、8443 和 6443 與 Pod 通訊。
啟用 Workload Identity
現在您已擁有服務帳戶和 GKE 叢集,請將叢集的 ID 命名空間與叢集建立關聯。
gcloud iam service-accounts add-iam-policy-binding \
"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
--project=${CLUSTER_PROJECT_ID} \
--role="roles/iam.workloadIdentityUser" \
--member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]"目標 GKE 叢集
執行下列指令,設定 kubectl 指令列存取權。
gcloud container clusters get-credentials ${CLUSTER_NAME} \
--project=${CLUSTER_PROJECT_ID} \
--zone=${CLUSTER_LOCATION}