安装 Kf

本文档介绍了如何设置 GKE 集群,然后安装 Kf 及其依赖项。

准备工作

概览

  • 您的 GKE 集群必须满足以下要求:

    • (可选,但建议执行)将该集群专用于 Kf。我们建议您只安装 Kf 及其依赖项,以确保兼容性矩阵得以维持。

    • 至少具有四个节点。如果需要添加节点,请参阅调整集群大小

    • 具有至少四个 vCPU 的最小机器类型,例如 e2-standard-4。如果集群的机器类型没有至少四个 vCPU,请按照将工作负载迁移到不同的机器类型中所述更改机器类型。

    • (可选,但建议执行)在发布渠道中注册该集群。如果您拥有静态 GKE 版本,请按照在发布渠道中注册现有集群中的说明操作。

    • 已启用 Workload Identity

    • 已启用 Artifact Registry

    • Cloud Service Mesh (ASM).

    • 已安装 Tekton。如需查看版本,请参阅依赖项表

    • 具有以下 IAM 政策的 Google 服务账号(创建说明的链接如下所示):

      • roles/iam.serviceAccountAdmin
      • serviceAccount:${CLUSTER_PROJECT}.svc.id.goog[kf/controller](针对成员 serviceAccount:${CLUSTER_PROJECT}.svc.id.goog[kf/controller]

启用对 Compute Engine 的支持

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  5. Verify that billing is enabled for your Google Cloud project.

  6. 启用 Compute Engine API。

    启用 API

    7. 启用对 Artifact Registry 的支持

    1. 启用 Artifact Registry API。

      启用 Artifact Registry API

    启用并配置 GKE

    在开始之前,请确保您已执行以下任务:

    • 启用 Google Kubernetes Engine API。
      • 启用 Google Kubernetes Engine API
    • 如果您要使用 Google Cloud CLI 执行此任务,请安装初始化 gcloud CLI。 如果您之前安装了 gcloud CLI,请运行 gcloud components update 命令以获取最新版本。较早版本的 gcloud CLI 可能不支持运行本文档中的命令。

    创建并准备新的 GKE 集群

    设置环境变量

    Linux

    export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE}
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default
export KF_VERSION=v2.3.2
export TEKTON_VERSION=v0.19.0

    Windows Powershell

    Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name COMPUTE_ZONE -Value us-central1-a
Set-Variable -Name COMPUTE_REGION -Value us-central1
Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE
Set-Variable -Name NODE_COUNT -Value 4
Set-Variable -Name MACHINE_TYPE -Value e2-standard-4
Set-Variable -Name NETWORK -Value default
Set-Variable -Name KF_VERSION -Value v2.3.0
Set-Variable -Name TEKTON_VERSION -Value v0.19.0

    服务账号设置

    创建通过 Workload Identity 与 Kubernetes 服务账号关联的 GCP 服务账号 (GSA)。这样可以避免创建和注入服务账号密钥。

    1. 创建 Kf 将使用的服务账号。

      gcloud iam service-accounts create ${CLUSTER_NAME}-sa \
  --project=${CLUSTER_PROJECT_ID} \
  --description="GSA for Kf ${CLUSTER_NAME}" \
  --display-name="${CLUSTER_NAME}"

    2. 允许服务账号修改自己的政策。Kf 控制器将使用它来向政策添加新(名称)空间,从而重复使用 Workload Identity。

      gcloud iam service-accounts add-iam-policy-binding ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \
  --project=${CLUSTER_PROJECT_ID} \
  --role="roles/iam.serviceAccountAdmin" \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

    3. 为监控指标授予角色,以便对 Cloud Monitoring 进行写入访问。

      gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"

    4. 授予日志记录角色以提供 Cloud Logging 的写入权限。

      gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"

    创建 GKE 集群

    gcloud container clusters create ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --zone=${CLUSTER_LOCATION} \
  --num-nodes=${NODE_COUNT} \
  --machine-type=${MACHINE_TYPE} \
  --network=${NETWORK} \
  --addons=HttpLoadBalancing,HorizontalPodAutoscaling,NetworkPolicy \
  --enable-stackdriver-kubernetes \
  --enable-ip-alias \
  --enable-network-policy \
  --enable-autorepair \
  --enable-autoupgrade \
  --scopes=https://www.googleapis.com/auth/cloud-platform \
  --release-channel=regular \
  --workload-pool="${CLUSTER_PROJECT_ID}.svc.id.goog" \
  --service-account="${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"

    设置防火墙规则

    Kf 需要打开一些防火墙端口。主节点需要能够在端口 80、443、8080、8443 和 6443 上与 pod 通信。

    启用 Workload Identity

    现在您已经拥有服务账号和 GKE 集群,接下来将集群的身份命名空间与集群关联。

    gcloud iam service-accounts add-iam-policy-binding \
  "${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --project=${CLUSTER_PROJECT_ID} \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf/controller]"

    目标 GKE 集群

    运行以下命令来配置 kubectl 命令行访问权限:

    gcloud container clusters get-credentials ${CLUSTER_NAME} \
    --project=${CLUSTER_PROJECT_ID} \
    --zone=${CLUSTER_LOCATION}

    创建 Artifact Registry 代码库

    1. 为要存储的容器映像创建 Artifact Registry。

      gcloud artifacts repositories create ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --repository-format=docker \
  --location=${COMPUTE_REGION}

    2. 向 Artifact Registry 代码库授予服务账号权限。

      gcloud artifacts repositories add-iam-policy-binding ${CLUSTER_NAME} \
  --project=${CLUSTER_PROJECT_ID} \
  --location=${COMPUTE_REGION} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role='roles/artifactregistry.writer'

    在集群上安装软件依赖项

    1. 安装 Service Mesh。

    2. 安装 Tekton:

      kubectl apply -f "https://github.com/tektoncd/pipeline/releases/download/${TEKTON_VERSION}/release.yaml"

    安装 Kf

    1. 请参阅为 Kf 创建并准备 GKE 集群,创建准备运行 Kf 的集群。

    2. 选择并记下所需的 Kf 版本。如需了解可用的版本,请参阅 Kf 下载页面

    3. 安装 CLI:

      Linux

      此操作会为系统中的所有用户安装 kf。请按照 Cloud Shell 标签页中的说明自行安装。

      gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-linux /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf

      Mac

      此操作会为系统中的所有用户安装 kf

      gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-darwin /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf

      Cloud Shell

      如果您使用 bash,此操作会在 Cloud Shell 实例上安装 kf;您可能需要为其他 Shell 修改说明。

      mkdir -p ~/bin
gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-linux ~/bin/kf
chmod a+x ~/bin/kf
echo "export PATH=$HOME/bin:$PATH" >> ~/.bashrc
source ~/.bashrc

      Windows

      此操作会将 kf 下载到当前目录。如果要从当前目录以外的任何位置调用,请将其添加到路径中。

      gcloud storage cp gs://kf-releases/${KF_VERSION}/kf-windows.exe kf.exe

    4. 安装服务器组件:

      Linux 和 Mac

      此操作会将 kf.yaml 下载到当前目录。

      gcloud storage cp gs://kf-releases/${KF_VERSION}/kf.yaml /tmp/kf.yaml
kubectl apply -f /tmp/kf.yaml

      Windows

      此操作会将 kf.yaml 下载到当前目录。

      gcloud storage cp gs://kf-releases/${KF_VERSION}/kf.yaml kf.yaml
kubectl apply -f kf.yaml

    5. 设置 Secret:

      export WI_ANNOTATION=iam.gke.io/gcp-service-account=${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

kubectl annotate serviceaccount controller ${WI_ANNOTATION} \
--namespace kf \
--overwrite

echo "{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"metadata\":{\"name\":\"config-secrets\", \"namespace\":\"kf\"},\"data\":{\"wi.googleServiceAccount\":\"${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com\"}}" | kubectl apply -f -

    6. 设置 KF 默认值,这些值以后可以更改。以下示例使用带通配符 DNS 提供商的网域模板为每个空间提供自己的域名:

      export CONTAINER_REGISTRY=${COMPUTE_REGION}-docker.pkg.dev/${CLUSTER_PROJECT_ID}/${CLUSTER_NAME}
export DOMAIN='$(SPACE_NAME).$(CLUSTER_INGRESS_IP).nip.io'

kubectl patch configmaps config-defaults \
-n=kf \
-p="{\"data\":{\"spaceContainerRegistry\":\"${CONTAINER_REGISTRY}\",\"spaceClusterDomains\":\"- domain: ${DOMAIN}\"}}"

    7. 验证安装:

      kf doctor --retries 10

    清理

    这些步骤应移除在创建并准备新的 GKE 集群部分中创建的所有组件。

    1. 删除 Google 服务账号:

      gcloud iam service-accounts delete ${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

    2. 删除 IAM 政策绑定:

      gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/storage.admin"

gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountAdmin"

gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --member="serviceAccount:${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"

    3. 删除容器映像代码库:

      gcloud artifacts repositories delete ${CLUSTER_NAME} \
  --location=${COMPUTE_REGION}

    4. 删除 GKE 集群:

      gcloud container clusters delete ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION}