Setting up Cloud Run for Anthos on Google Cloud

This guide shows how to set up a new Google Kubernetes Engine cluster with Cloud Run for Anthos on Google Cloud enabled. Because you can use either the Cloud Console or the gcloud command line, the instructions cover both. If you are enabling Cloud Run on an existing cluster, refer to Enabling Cloud Run for Anthos on Google Cloud on existing clusters.

Note that enabling Cloud Run for Anthos on Google Cloud installs Istio and Knative Serving into the cluster to connect and manage your stateless workloads.

Prerequisites

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

Setting up gcloud

Although you can manage Cloud Run for Anthos on Google Cloud from either the Cloud Console or the gcloud command line, some tasks require the gcloud command line.

To set up the gcloud command line for Cloud Run for Anthos on Google Cloud:

  1. Install and initialize the Cloud SDK.

  2. Set the default gcloud project to the one you just created:

    gcloud config set project PROJECT-ID

    Replace PROJECT-ID with the project ID of the project you created.

  3. Set the default zone to the zone you want for the new cluster. You can use any zone where GKE is available, for example:

    gcloud config set compute/zone ZONE

    Replace ZONE with your zone.

  4. Enable the APIs the project needs to create a cluster and to build and publish a container to Google Container Registry:

    gcloud services enable container.googleapis.com containerregistry.googleapis.com cloudbuild.googleapis.com

  5. Update installed gcloud components:

    gcloud components update

  6. Install the kubectl command-line tool:

    gcloud components install kubectl

Creating a cluster with Cloud Run enabled

These instructions create a cluster with this configuration:

  • Cloud Run for Anthos on Google Cloud enabled
  • Kubernetes version: see Available GKE versions
  • Nodes with 2 vCPU

These are the recommended settings for a new cluster.

You can use either the gcloud command line or the Cloud Console to create a cluster; instructions for both follow.

Console

To create a cluster and enable it for Cloud Run for Anthos on Google Cloud:

  1. Go to the Google Kubernetes Engine page in the Cloud Console:

    Go to Google Kubernetes Engine

  2. Click Create cluster to open the Create a Kubernetes cluster page.

  3. Select the Standard cluster template, and set the following values in the template:

    • Enter the name you want for your cluster.
    • Choose either Zonal or Regional for the location type; either works with Cloud Run for Anthos on Google Cloud. Zonal clusters are less expensive, but incur downtime during master upgrades.
    • Select a zone or region for the cluster, depending on your choice in the previous step. Choose a zone or region close to you, for example, us-central1-a.
    • From the dropdown list, select one of the available versions as the Master cluster version.
    • Select the checkbox Enable Cloud Run for Anthos.

  4. Click Create to create and provision the cluster with the configuration you just completed. It may take a few moments for this process to finish.

Command line

To create a new cluster that enables Cloud Run for Anthos on Google Cloud:

  1. Create a new cluster:

    gcloud container clusters create CLUSTER-NAME \
    --zone=ZONE \
    --addons=HttpLoadBalancing,CloudRun \
    --machine-type=n1-standard-2 \
    --num-nodes=3 \
    --cluster-version=GKE-VERSION \
    --enable-stackdriver-kubernetes

    Note that these instructions do not enable cluster autoscaling to resize the cluster for demand; Cloud Run for Anthos on Google Cloud automatically scales service instances within the cluster.

  2. Wait for the cluster creation to complete.

Configuring gcloud for cluster and platform

After you create the cluster,

  • Set your default platform to gke.
  • Optionally set defaults for the cluster name and cluster location to avoid being prompted for them each time you use the command line.
  • Get credentials that allow the gcloud command line to access your cluster.

To set defaults:

  1. Set the default platform to gke, set your default cluster and cluster location, and then get credentials as follows:

    gcloud config set run/platform gke
    gcloud config set run/cluster CLUSTER
    gcloud config set run/cluster_location ZONE
    gcloud container clusters get-credentials CLUSTER

    Replace:

    • CLUSTER with the name of the cluster
    • ZONE with the location of the cluster

  2. Kubernetes clusters come with a namespace named default. For information on namespaces, and why you might want to create and use a namespace other than default, refer to Namespaces in the Kubernetes documentation. To create a new namespace, run:

    kubectl create namespace NAMESPACE

    Replace NAMESPACE with the name of the namespace you want to create.

  3. If you created a new namespace in the previous step, and want to use it rather than the default namespace, set that new namespace as the one to be used by default when you invoke the gcloud command line:

    gcloud config set run/namespace NAMESPACE

Enabling deployments on a private cluster

To deploy a service to Cloud Run for Anthos on a private GKE cluster, you must allow TCP connections on port 8443 from the cluster master to the nodes. This port is not opened by the default rules, so you must add it manually by editing the firewall rules in your project:

  1. View the cluster master's CIDR block and record the value of the masterIpv4CidrBlock field (listed under privateClusterConfig):

    gcloud container clusters describe CLUSTER-NAME

  2. View and record the value in the TARGET_TAGS column:

    gcloud compute firewall-rules list \
      --filter 'name~^gke-CLUSTER-NAME' \
      --format 'table(
        name,
        network,
        direction,
        sourceRanges.list():label=SRC_RANGES,
        allowed[].map().firewall_rule().list():label=ALLOW,
        targetTags.list():label=TARGET_TAGS
      )'

  3. Add a firewall rule using the values you recorded above:

    gcloud compute firewall-rules create FIREWALL-RULE-NAME \
      --action ALLOW \
      --direction INGRESS \
      --source-ranges MASTER-CIDR-BLOCK \
      --rules tcp:8443 \
      --target-tags TARGET

    Replace MASTER-CIDR-BLOCK and TARGET with the values you recorded in steps 1 and 2. For more information, see Creating firewall rules.
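The three steps above are manual: read a field, read a column, type the values into a new rule. The script below is an added example (not from the Cloud Run for Anthos documentation or the gcloud tooling) that does the same against captured command output: it extracts masterIpv4CidrBlock from constructed `describe` output, collects the TARGET_TAGS column from a constructed copy of the filtered firewall-rules table, and assembles the rule from step 3, refusing anything that would widen it beyond "master range to cluster nodes on tcp:8443". The cluster name, rule name and both sample outputs are constructed; the command is printed for review rather than run.

```shell
# Added example, not from the page or from Google's tooling. Derives the two
# recorded values from captured gcloud output and builds the narrowest rule.

# Constructed excerpt of `gcloud container clusters describe CLUSTER-NAME`
# (YAML). The master range sits under privateClusterConfig.
DESCRIBE_OUTPUT='name: example-private-cluster
privateClusterConfig:
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.32/28
  privateEndpoint: 172.16.0.34
subnetwork: default'

# Constructed excerpt of the filtered `gcloud compute firewall-rules list`
# table from step 2 (columns as selected by that step's --format).
FIREWALL_TABLE='NAME                                        NETWORK  DIRECTION  SRC_RANGES      ALLOW                     TARGET_TAGS
gke-example-private-cluster-ab12cd34-all    default  INGRESS    10.48.0.0/14    tcp,udp,icmp,esp,ah,sctp  gke-example-private-cluster-ab12cd34-node
gke-example-private-cluster-ab12cd34-master default  INGRESS    172.16.0.32/28  tcp:10250,tcp:443         gke-example-private-cluster-ab12cd34-node'

# Pull masterIpv4CidrBlock out of the describe output.
master_cidr() {
  printf '%s\n' "$DESCRIBE_OUTPUT" |
    sed -n 's/^[[:space:]]*masterIpv4CidrBlock:[[:space:]]*//p'
}

# Distinct TARGET_TAGS values (last column, header skipped), comma-joined
# because --target-tags accepts a list.
node_target_tags() {
  printf '%s\n' "$FIREWALL_TABLE" |
    awk 'NR > 1 && !seen[$NF]++ { tags = tags (tags ? "," : "") $NF } END { print tags }'
}

# Shape check: dotted quad plus a prefix length of 0-32.
is_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit (do not run) the step 3 command. Refuses inputs that would open the
# rule to more than the master range or to untagged instances.
build_rule_cmd() {
  rule_name=$1
  cidr=$2
  tags=$3
  if ! is_cidr "$cidr"; then
    echo "refusing: '$cidr' is not a CIDR block" >&2
    return 1
  fi
  case "$cidr" in
    0.0.0.0/*) echo "refusing: source range must be the master CIDR, not 0.0.0.0/x" >&2; return 1 ;;
    */28) ;;   # GKE allocates the master range as a /28
    *) echo "warning: '$cidr' is not a /28; re-check masterIpv4CidrBlock" >&2 ;;
  esac
  if [ -z "$tags" ]; then
    echo "refusing: no target tags; the rule would apply to every instance in the network" >&2
    return 1
  fi
  printf 'gcloud compute firewall-rules create %s --action ALLOW --direction INGRESS --source-ranges %s --rules tcp:8443 --target-tags %s\n' \
    "$rule_name" "$cidr" "$tags"
}

# Print the command that would be run; paste it into a shell once reviewed.
build_rule_cmd allow-gke-master-to-nodes-8443 "$(master_cidr)" "$(node_target_tags)"
```

Against real output, replace the two constants with `$(gcloud container clusters describe CLUSTER-NAME)` and the step 2 list command. The refusals are the point: a source range of 0.0.0.0/0 or an empty tag list would still "work" for deployments while exposing port 8443 on every node to far more than the master.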

Enabling metrics on a cluster with Workload Identity

When using Cloud Run for Anthos on a GKE cluster with Workload Identity, the workload identity your service runs as needs permission to write metrics to Cloud Monitoring. This requires you to set up a relationship between the Kubernetes service account (KSA) and the Google service account (GSA).

You need to set up the Cloud Identity and Access Management permissions of the GSA to include the permission required for writing metrics, logging.logMetrics.create. This permission is included by default in the Logs Configuration Writer role.
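The paragraphs above name the relationship but not its shape. The script below is an added example (not from this page or from Google's tooling) that spells it out as the standard GKE Workload Identity steps: grant the GSA the role, let exactly one KSA impersonate that GSA, and annotate the KSA with the GSA's address. It assumes roles/logging.configWriter is the ID of the Logs Configuration Writer role named above, and that the member format PROJECT.svc.id.goog[NAMESPACE/KSA] and the iam.gke.io/gcp-service-account annotation are the Workload Identity conventions; all names are placeholders. Commands are emitted as text for review, and a constructed ServiceAccount manifest stands in for `kubectl get serviceaccount -o yaml` output in the post-check.

```shell
# Added example, not from the page or from Google's tooling. Lays out the
# KSA -> GSA binding for metrics and checks the resulting annotation.
PROJECT_ID=my-project-id           # placeholder project
NAMESPACE=default                  # namespace the service is deployed to
KSA_NAME=default                   # KSA the Cloud Run for Anthos service runs as
GSA_NAME=cloud-run-metrics         # placeholder GSA dedicated to this purpose

# Names must be DNS-label / service-account-id shaped; reject anything else
# before it is interpolated into an IAM member string.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

gsa_email() {  # args: project, gsa
  printf '%s@%s.iam.gserviceaccount.com' "$2" "$1"
}

wi_member() {  # args: project, namespace, ksa
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Print the binding commands: permission to the GSA, impersonation for the
# one KSA, and the annotation that ties the KSA to the GSA.
binding_plan() {
  for n in "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME" "$GSA_NAME"; do
    valid_name "$n" || { echo "invalid name: $n" >&2; return 1; }
  done
  gsa=$(gsa_email "$PROJECT_ID" "$GSA_NAME")
  member=$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")
  cat <<EOF
# 1. Logs Configuration Writer carries logging.logMetrics.create (assumed role ID)
gcloud projects add-iam-policy-binding $PROJECT_ID --member "serviceAccount:$gsa" --role roles/logging.configWriter
# 2. Only this KSA may act as the GSA
gcloud iam service-accounts add-iam-policy-binding $gsa --role roles/iam.workloadIdentityUser --member "$member"
# 3. Tell GKE which GSA the KSA maps to
kubectl annotate serviceaccount $KSA_NAME --namespace $NAMESPACE iam.gke.io/gcp-service-account=$gsa
EOF
}

# Post-check: read the GSA a ServiceAccount manifest is annotated with.
annotated_gsa() {  # arg: YAML text from `kubectl get serviceaccount ... -o yaml`
  printf '%s\n' "$1" |
    sed -n 's#^[[:space:]]*iam.gke.io/gcp-service-account:[[:space:]]*##p'
}

# Constructed manifest standing in for real kubectl output.
KSA_YAML='apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: cloud-run-metrics@my-project-id.iam.gserviceaccount.com
  name: default
  namespace: default'

binding_plan
if [ "$(annotated_gsa "$KSA_YAML")" = "$(gsa_email "$PROJECT_ID" "$GSA_NAME")" ]; then
  echo "# annotation check: KSA $NAMESPACE/$KSA_NAME maps to the expected GSA"
fi
```

Scoping matters here: the workloadIdentityUser binding names one namespace/KSA pair, so a service in another namespace cannot borrow the GSA, and the GSA holds only the role that carries the metric permission rather than a broader editor role.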

Developing in a multi-tenant setup

In multi-tenant use cases, you need to manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster that is outside your current project. This section shows how to develop Cloud Run for Anthos on Google Cloud services in a multi-tenant cluster setup.

To manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster outside your current project:

  1. Ensure you have read access to the Google Cloud project ID of the cluster you are deploying to.

  2. Update your local kubeconfig file with credentials for the target GKE cluster:

    gcloud container clusters get-credentials NAME \
    --region=REGION \
    --project=PROJECT-ID

    Replace:

    • NAME with the name of the target cluster.
    • REGION with the Compute Engine region of your target cluster.
    • PROJECT-ID with the project you have read access to.

    For more information, see the gcloud container clusters get-credentials command reference documentation.

  3. Use the gcloud command line to communicate with the GKE cluster by setting the default platform to kubernetes:

    gcloud config set run/platform kubernetes

You can now run commands on the target GKE cluster specified in your kubeconfig file.

For example, the following command will deploy a Cloud Run for Anthos service using a specified container image to the GKE cluster whose credentials are stored in the kubeconfig file:

gcloud run deploy SERVICE-NAME --image IMAGE-NAME

Enabling HTTPS and custom domains

If you want to use HTTPS and custom domains that apply to the cluster, refer to Enabling HTTPS and automatic TLS certs and mapping custom domains.

Disabling Cloud Run for Anthos on Google Cloud

To disable Cloud Run for Anthos on Google Cloud in your cluster:

  1. Go to the Google Kubernetes Engine page in the Cloud Console:

    Go to Google Kubernetes Engine

  2. Click the cluster where you want to disable Cloud Run for Anthos on Google Cloud.

  3. Click Edit.

  4. From the Cloud Run for Anthos dropdown, select Disable.

  5. Click Save.

What's next