Enabling Cloud Run on existing GKE clusters

This guide shows how to enable Cloud Run on existing GKE clusters.

Note that enabling Cloud Run for Anthos on Google Cloud installs Knative Serving into the cluster to manage your stateless workloads.

Prerequisites

This page assumes that you have already set up your environment and have a cluster with the following minimum configuration:

  • Nodes with 2 vCPU
  • Scopes: https://www.googleapis.com/auth/logging.write, https://www.googleapis.com/auth/monitoring.write

Enabling an existing cluster for Cloud Run

You can use either the gcloud command line or the console to enable Cloud Run for a cluster:

Console

To enable an existing cluster for Cloud Run:

  1. Go to the Google Kubernetes Engine page in the Cloud Console:

    Go to Google Kubernetes Engine

  2. Click on the cluster you want to enable for Cloud Run.

  3. Click Edit

  4. Select Enable Cloud Run for Anthos on Google Cloud.

  5. Click Save. After the update completes, the cluster will support Cloud Run.

Command line

To enable an existing cluster for Cloud Run:

  1. Enable the cluster using the command:

    gcloud container clusters update \
    CLUSTER_NAME \
    --update-addons=CloudRun=ENABLED,HttpLoadBalancing=ENABLED \
    --zone=ZONE

    Replace

    • CLUSTER_NAME with the name of the existing cluster you are enabling.
    • ZONE with the zone of your cluster, for example, us-central1-a. For a regional cluster, pass --region=REGION instead of --zone.
  2. Wait for the update to complete: upon success, you will see a message similar to Updating your-cluster-name...done.

Enabling deployments on a private cluster

To deploy a service to Cloud Run for Anthos on a private GKE cluster, the cluster control plane (master) must be able to open TCP connections to the nodes on port 8443, in addition to the ports GKE opens by default. Allow port 8443 explicitly by adding a firewall rule to your project, with the master CIDR block as the only source range:

  1. View the cluster's control plane (master) CIDR block and record the value of the masterIpv4CidrBlock field, which appears under privateClusterConfig in the output:

    gcloud container clusters describe CLUSTER-NAME
  2. View and record the value in the TARGET_TAGS field:

    gcloud compute firewall-rules list \
        --filter 'name~^gke-CLUSTER-NAME' \
            --format 'table(
                    name,
                    network,
                    direction,
                    sourceRanges.list():label=SRC_RANGES,
                    allowed[].map().firewall_rule().list():label=ALLOW,
                    targetTags.list():label=TARGET_TAGS
            )'
  3. Add a firewall rule using the values you recorded above. Keep the source range limited to the master CIDR block; do not widen it to 0.0.0.0/0:

    gcloud compute firewall-rules create FIREWALL-RULE-NAME \
      --action ALLOW \
      --direction INGRESS \
      --source-ranges MASTER-CIDR-BLOCK \
      --rules tcp:8443 \
      --target-tags TARGET

    For more information, see Creating firewall rules.
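The three steps above, combined into one guarded script. This is an added example, not code from the original page or from Google: it assumes the cluster name, zone and an optional rule name arrive as the environment variables CLUSTER_NAME, ZONE and FIREWALL_RULE_NAME (all names chosen here), reads the master CIDR with a gcloud --format expression instead of by hand, and refuses to create the rule if the source range is empty, malformed, or the catch-all 0.0.0.0/0, the mistake that would expose the webhook port to the whole internet instead of to the control plane.

```shell
#!/bin/sh
# Added example (not from the original page): open TCP 8443 from the GKE control
# plane to the nodes of a private cluster in one step.
# Assumed inputs (environment variables): CLUSTER_NAME, ZONE, and optionally
# FIREWALL_RULE_NAME (defaults to gke-CLUSTER_NAME-webhook-8443). DRY_RUN=1 prints
# the create command instead of running it.

# Accept only a single IPv4 CIDR, and never the catch-all 0.0.0.0/0: the rule must
# admit the control plane, not the world.
safe_source_range() {
  range="$1"
  printf '%s\n' "$range" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  [ "$range" != "0.0.0.0/0" ] || return 1
  return 0
}

# Build the gcloud argument list for the rule (the page's step 3) as a string,
# so it can be reviewed or asserted on before anything is created.
firewall_create_args() {
  name="$1"; src="$2"; tag="$3"
  printf '%s' "compute firewall-rules create $name --action ALLOW --direction INGRESS --source-ranges $src --rules tcp:8443 --target-tags $tag"
}

# Step 1: privateClusterConfig.masterIpv4CidrBlock from `clusters describe`.
master_cidr() {
  gcloud container clusters describe "$1" --zone "$2" \
    --format='value(privateClusterConfig.masterIpv4CidrBlock)'
}

# Step 2: the node network tag used by the cluster's own gke-* firewall rules.
node_target_tag() {
  gcloud compute firewall-rules list --filter="name~^gke-$1" \
    --format='value(targetTags.list())' | sort -u | head -n 1
}

main() {
  cidr=$(master_cidr "$CLUSTER_NAME" "$ZONE")
  safe_source_range "$cidr" || { echo "refusing: bad master CIDR '$cidr'" >&2; return 1; }
  tag=$(node_target_tag "$CLUSTER_NAME")
  [ -n "$tag" ] || { echo "refusing: no gke-$CLUSTER_NAME firewall rules found" >&2; return 1; }
  rule="${FIREWALL_RULE_NAME:-gke-$CLUSTER_NAME-webhook-8443}"
  cmd=$(firewall_create_args "$rule" "$cidr" "$tag")
  # $cmd is split on spaces on purpose; none of the values can contain one.
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "gcloud $cmd"; else gcloud $cmd; fi
}

# Only touch the project when a cluster was named; otherwise just define the functions.
if [ -n "${CLUSTER_NAME:-}" ]; then main; fi
```

Run it as `CLUSTER_NAME=my-cluster ZONE=us-central1-a DRY_RUN=1 sh open-webhook-port.sh` first to see the exact rule it would create, then without DRY_RUN. The target tag is taken from the gke-* rules GKE already created for the cluster, so the new rule applies to exactly the same nodes as those rules.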

Enabling metrics on a cluster with Workload Identity

When using Cloud Run for Anthos on a GKE cluster with Workload Identity, the Google service account (GSA) that your Service's Kubernetes service account (KSA) impersonates needs permission to write metrics to Cloud Monitoring. This requires you to set up the Workload Identity relationship between the KSA and the GSA, and then grant the GSA the right IAM role.

The GSA's Cloud Identity and Access Management permissions must include the permission required for writing metrics, logging.logMetrics.create. This permission is included by default in the Logs Configuration Writer role (roles/logging.configWriter).
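The KSA-to-GSA relationship and the role grant described above, as an added example that is not part of the original page or Google's own tooling. It assumes the project ID, namespace, KSA name and GSA e-mail arrive as the environment variables PROJECT_ID, NAMESPACE, KSA and GSA_EMAIL (names chosen here), and it grants the role the page names. The member string for a Workload Identity binding has a rigid shape that is easy to mistype, so it is built by one function that can be checked on its own, and the script refuses a GSA that is not a service account of the named project, so you cannot silently bind a workload to an identity from somewhere else.

```shell
#!/bin/sh
# Added example (not from the original page): bind a Kubernetes service account
# (KSA) to a Google service account (GSA) through Workload Identity and grant the
# GSA the role the page names for writing metrics.
# Assumed inputs (environment variables): PROJECT_ID, NAMESPACE, KSA, GSA_EMAIL
# (for example run-metrics@PROJECT_ID.iam.gserviceaccount.com).

# The Workload Identity member has the fixed form
#   serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Guard: accept only a service-account e-mail that belongs to this project, not a
# user account or a service account from another project.
gsa_in_project() {
  gsa="$1"; project="$2"
  case "$gsa" in
    *@"$project".iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  gsa_in_project "$GSA_EMAIL" "$PROJECT_ID" || {
    echo "refusing: $GSA_EMAIL is not a service account in $PROJECT_ID" >&2; return 1; }
  member=$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")

  # 1. Allow the KSA to impersonate the GSA (the KSA -> GSA relationship).
  gcloud iam service-accounts add-iam-policy-binding "$GSA_EMAIL" \
    --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser \
    --member "$member"

  # 2. Tell GKE which GSA this KSA maps to.
  kubectl annotate serviceaccount "$KSA" --namespace "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=$GSA_EMAIL" --overwrite

  # 3. Grant the GSA the role the page names; it includes logging.logMetrics.create.
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$GSA_EMAIL" \
    --role roles/logging.configWriter
}

# Only act when a project was named; otherwise just define the functions.
if [ -n "${PROJECT_ID:-}" ]; then main; fi
```

The Service itself still has to run as that KSA (set serviceAccountName on the Service's pod template; the --service-account flag of gcloud run deploy is assumed here to do the same on the kubernetes platform). Logs Configuration Writer carries more than the single permission the page requires; if your project uses custom roles, a role holding only logging.logMetrics.create is the tighter grant.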

Developing in a multi-tenant setup

In multi-tenant use cases, you'll need to manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster that is outside your current project. This section instructs you how to develop Cloud Run for Anthos on Google Cloud services in a multi-tenant cluster setup.

To manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster outside your current project:

  1. Ensure you have read access to the Google Cloud project that contains the cluster you are deploying to. Fetching credentials only authenticates you; deploying also requires the corresponding Kubernetes RBAC permissions in the cluster.

  2. Update your local kubeconfig file with credentials for the target GKE cluster:

    gcloud container clusters get-credentials NAME \
    --region=REGION \
    --project=PROJECT-ID
    • NAME is the name of the target cluster.
    • REGION is the Compute Engine region of your target cluster. For a zonal cluster, pass --zone=ZONE instead.
    • PROJECT-ID is the project you have read access to.

    For more information, see the gcloud container clusters get-credentials command reference documentation.

  3. Use the gcloud command line to communicate with the GKE cluster by setting the default platform to kubernetes. (If you do not want to change your global gcloud configuration, pass --platform kubernetes on each gcloud run command instead.)

    gcloud config set run/platform kubernetes
    

You can now run commands on the target GKE cluster specified in your kubeconfig file.

For example, the following command will deploy a Cloud Run for Anthos service using a specified container image to the GKE cluster whose credentials are stored in the kubeconfig file:

gcloud run deploy SERVICE-NAME --image IMAGE-NAME

Disabling Cloud Run for a cluster

You can disable Cloud Run for a cluster at any time, using the console or the command line.

Console

To disable Cloud Run on a cluster:

  1. Go to the Google Kubernetes Engine page in the Cloud Console:

    Go to Google Kubernetes Engine

  2. Click the cluster where you want to disable Cloud Run.

  3. Select Disable Cloud Run for Anthos on Google Cloud.

  4. Optionally disable any addons you will not use in your cluster without Cloud Run. This may include Istio.

  5. Click Save.

Command line

To disable Cloud Run on a cluster:

  1. Invoke the following command:

    gcloud container clusters update \
    CLUSTER_NAME \
    --update-addons=CloudRun=DISABLED \
    --zone=ZONE

    Replace

    • CLUSTER_NAME with the name of the cluster you are disabling Cloud Run on.
    • ZONE with the zone of your cluster, for example, us-central1-a. For a regional cluster, pass --region=REGION instead of --zone.
  2. Wait for the update to complete: upon success, you will see a message similar to Updating your-cluster-name...done.