This guide shows how to set up a new Google Kubernetes Engine cluster with Cloud Run for Anthos on Google Cloud enabled. Because you can use either the Cloud Console or the gcloud command line, the instructions cover both of these. If you are enabling Cloud Run on an already existing cluster, refer to Enabling Cloud Run for Anthos on Google Cloud on existing clusters.
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Cloud Console, on the project selector page, select or create a Cloud project.
Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.
Setting up gcloud
Although you can use either the Cloud Console or the gcloud command line to use Cloud Run for Anthos on Google Cloud, you may need to use the gcloud command line for some tasks.
To set up the gcloud command line for Cloud Run for Anthos on Google Cloud:
You should set your default project setting for gcloud to the one you just created:
gcloud config set project PROJECT-ID
Replace PROJECT-ID with the project ID of the project you created.
zone to the desired zone for the new cluster. You can use any zone where GKE is supported, for example:
gcloud config set compute/zone ZONE
Replace ZONE with your zone.
Enable the following APIs for the project, which are needed to create a cluster and to build and publish a container into the Google Container Registry:
gcloud services enable container.googleapis.com containerregistry.googleapis.com cloudbuild.googleapis.com
Update installed gcloud components:
gcloud components update
gcloud components install kubectl
Creating a cluster with Cloud Run enabled
These instructions create a cluster with this configuration:
- Cloud Run for Anthos on Google Cloud enabled
- Kubernetes version: see Available GKE versions
- Nodes with 2 vCPU
These are the recommended settings for a new cluster.
You can use either the gcloud command line or the console to create a cluster.
To create a cluster and enable it for Cloud Run for Anthos on Google Cloud:
Go to the Google Kubernetes Engine page in the Cloud Console:
Click Create cluster to open the Create a Kubernetes cluster page.
Select the Standard cluster template, and set the following values in the template:
- Enter the name you want for your cluster.
- Choose either Zonal or Regional for the location type; either works with Cloud Run for Anthos on Google Cloud. Zonal clusters are less expensive, but incur downtime during master upgrades.
- Select a zone or region for the cluster, depending on your choice in the previous step. Choose a zone or region close to you, for example,
From the dropdown list, select one of the available versions as the Master cluster version.
Select the checkbox Enable Cloud Run for Anthos.
Click Create to create and provision the cluster with the configuration you just completed. It may take a few moments for this process to finish.
To create a new cluster that enables Cloud Run for Anthos on Google Cloud:
Create a new cluster:
gcloud container clusters create CLUSTER-NAME \
  --zone=ZONE \
  --addons=HttpLoadBalancing,CloudRun \
  --machine-type=n1-standard-2 \
  --num-nodes=3 \
  --cluster-version=GKE-VERSION \
  --enable-stackdriver-kubernetes
- ZONE is the desired Compute Engine zone for your cluster.
- GKE-VERSION is the desired GKE version. See available versions.
Note that these instructions do not enable cluster autoscaling to resize clusters for demand. Cloud Run for Anthos on Google Cloud automatically scales instances within the cluster.
Wait for the cluster creation to complete.
Configuring gcloud for cluster and platform
After you create the cluster,
- Set your default platform to
- Optionally set defaults for cluster name, and cluster location to avoid subsequent prompts for these when you use the command line.
- Get credentials that allow the gcloud command line to access your cluster.
To set defaults:
Set the default platform to gke, set your default cluster and cluster location, and then get credentials as follows:
gcloud config set run/platform gke
gcloud config set run/cluster CLUSTER
gcloud config set run/cluster_location ZONE
gcloud container clusters get-credentials CLUSTER
- CLUSTER with the name of the cluster
- ZONE with the location of the cluster.
Kubernetes clusters come with a namespace named default. For information on namespaces, and why you might want to create and use a namespace other than default, refer to namespace in the Kubernetes documentation. To create a new namespace, run:
kubectl create namespace NAMESPACE
Replace NAMESPACE with the Namespace you want to create.
If you created a new namespace in the previous step, and want to use it rather than the default namespace, set that new namespace as the one to be used by default when you invoke the gcloud command line:
gcloud config set run/namespace NAMESPACE
Enabling deployments on a private cluster
To deploy a service to Cloud Run for Anthos on a private GKE cluster, you must allow TCP connections from master servers to nodes on port 8443 and manually specify port 8443 in your list of allowed TCP connections by editing the firewall rules in your project:
View the cluster master's CIDR block and record the value in the
gcloud container clusters describe CLUSTER-NAME
View and record the value in the
gcloud compute firewall-rules list \
  --filter 'name~^gke-CLUSTER-NAME' \
  --format 'table(
    name,
    network,
    direction,
    sourceRanges.list():label=SRC_RANGES,
    allowed.map().firewall_rule().list():label=ALLOW,
    targetTags.list():label=TARGET_TAGS
  )'
Add a firewall rule using the values you recorded above:
gcloud compute firewall-rules create FIREWALL-RULE-NAME \
  --action ALLOW \
  --direction INGRESS \
  --source-ranges MASTER-CIDR-BLOCK \
  --rules tcp:8443 \
  --target-tags TARGET
For more information, see Creating firewall rules.
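The check-then-add procedure above can be rehearsed offline before touching the project. This added example (not part of the original guide) validates the recorded master CIDR and derives the rule from rows shaped like the firewall-rules table. The /28 master range size, header-less rows with every column populated, the cluster name demo and the rule name allow-master-8443 are assumptions.

```bash
#!/bin/sh
# Added example, not from the original guide. It never calls gcloud: it reads
# rows shaped like the firewall-rules table above and prints the rule to add.

# valid_master_cidr CIDR: succeeds only for a well-formed, aligned IPv4 /28.
# Assumption: the master range of a private GKE cluster is a /28.
valid_master_cidr() {
  echo "$1" | awk -F'[./]' '
    NF != 5 || $5 != "28" { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
      if ($4 % 16 != 0) exit 1 }'
}

# plan_8443_rule MASTER_CIDR RULE_NAME < rows
# Rows: NAME NETWORK DIRECTION SRC_RANGES ALLOW TARGET_TAGS (no header).
# Prints "present" if the master range can already reach tcp:8443 on the nodes,
# otherwise the create command from the guide with the recorded values filled in.
plan_8443_rule() {
  valid_master_cidr "$1" || { echo "refuse: $1 is not a /28 master range"; return 1; }
  awk -v cidr="$1" -v name="$2" '
    function covers(allow,   n, a, i, p, r) {
      n = split(allow, a, ",")
      for (i = 1; i <= n; i++) {
        if (a[i] == "tcp" || a[i] == "all") return 1
        if (a[i] !~ /^tcp:/) continue
        p = substr(a[i], 5)
        if (split(p, r, "-") == 2) { if (r[1] + 0 <= 8443 && 8443 <= r[2] + 0) return 1 }
        else if (p == "8443") return 1
      }
      return 0
    }
    $3 == "INGRESS" && $4 == cidr { tag = $6; if (covers($5)) ok = 1 }
    END {
      if (ok) { print "present"; exit 0 }
      if (tag == "") { print "refuse: no rule for " cidr ", target tag unknown"; exit 1 }
      printf "gcloud compute firewall-rules create %s --action ALLOW --direction INGRESS --source-ranges %s --rules tcp:8443 --target-tags %s\n", name, cidr, tag
    }'
}

# Constructed sample rows (hypothetical cluster "demo"), not real output.
SAMPLE='gke-demo-1a2b-all default INGRESS 10.8.0.0/14 tcp,udp,icmp gke-demo-1a2b-node
gke-demo-1a2b-master default INGRESS 172.16.0.0/28 tcp:443,tcp:10250 gke-demo-1a2b-node'

# Demo on the constructed rows: prints the rule that is still missing.
printf '%s\n' "$SAMPLE" | plan_8443_rule 172.16.0.0/28 allow-master-8443
```

The source range stays pinned to the master CIDR and the port to 8443, so a mistyped or overly broad range is rejected before any rule is created.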
Enabling metrics on a cluster with Workload Identity
When using Cloud Run for Anthos on a GKE cluster with Workload Identity, the workload identity used by your Service needs to have permissions to write metrics to Cloud Monitoring. This requires you to set up a relationship between the Kubernetes service account (KSA) and the Google service account (GSA).
You need to set up the Cloud Identity and Access Management permissions of the GSA to include the permission required for writing metrics, logging.logMetrics.create. This permission is included by default in the Logs Configuration Writer role.
Developing in a multi-tenant setup
In multi-tenant use cases, you'll need to manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster that is outside your current project. This section instructs you how to develop Cloud Run for Anthos on Google Cloud services in a multi-tenant cluster setup.
To manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster outside your current project:
Ensure you have read access to the Google Cloud project ID of the cluster you are deploying to.
Update your local kubeconfig file with credentials for the target GKE cluster:
gcloud container clusters get-credentials NAME \
  --region=REGION \
  --project=PROJECT-ID
- REGION is the Compute Engine region of your target cluster.
- PROJECT-ID is the project you have read access to.
For more information, see the gcloud container clusters get-credentials command reference documentation.
gcloud command line to communicate with the GKE cluster by setting the default platform to
gcloud config set run/platform kubernetes
You can now run commands on the target GKE cluster specified in your
For example, the following command will deploy a Cloud Run for Anthos service using a specified container image to the GKE cluster whose credentials are stored in the
gcloud run deploy SERVICE-NAME --image IMAGE-NAME
Enabling HTTPS and custom domains
Disabling Cloud Run for Anthos on Google Cloud
To disable Cloud Run for Anthos on Google Cloud in your cluster:
Go to the Google Kubernetes Engine page in the Cloud Console:
Click the cluster where you want to disable Cloud Run for Anthos on Google Cloud.
From the Cloud Run for Anthos dropdown, select Disable.