GCP Prerequisites
Prerequisites
Before beginning a DKP installation, verify that you have:
An x86_64-based Linux or macOS machine with a supported version of the operating system.
The dkp binary downloaded for Linux or macOS. To check which version of DKP you installed, for compatibility reasons, run the dkp version command (dkp version -h prints its usage).
A container engine/runtime installed, which is required to bootstrap:
Docker® container engine version 18.09.2 or higher installed for Linux or macOS. On macOS, Docker runs in a virtual machine, which must be configured with at least 8 GB of memory.
Podman version 4.0 or higher for Linux. Host requirements are listed here: Host Requirements
kubectl for interacting with the running cluster.
The GCP gcloud CLI, installed by following https://cloud.google.com/sdk/docs/install
Control plane nodes
You must have at least three control plane nodes. Each control plane node should have at least:
4 cores
16 GiB memory
Approximately 80 GiB of free space for the volume used for /var/lib/kubelet and /var/lib/containerd. Disk usage must be below 85% on the root volume.
DKP on GCP defaults to deploying an n2-standard-4 instance with an 80 GiB root volume for control plane nodes, which meets the above requirements.
Worker nodes
You must have at least four worker nodes. The specific number of worker nodes required for your environment can vary depending on the cluster workload and the size of the nodes. Each worker node should have at least:
8 cores
32 GiB memory
Approximately 80 GiB of free space for the volume used for /var/lib/kubelet and /var/lib/containerd. Disk usage must be below 85% on the root volume.
DKP on GCP defaults to deploying an n2-standard-8 instance with an 80 GiB root volume for worker nodes, which meets the above requirements.
GCP Prerequisite Roles
If you are creating your image on either a non-GCP instance or one that does not have the required roles, you must either:
Create a GCP service account, or
If you have already created a service account, retrieve the credentials for that existing service account.
Then export the static credentials that will be used to create the cluster:
export GCP_B64ENCODED_CREDENTIALS=$(base64 < "${GOOGLE_APPLICATION_CREDENTIALS}" | tr -d '\n')
Make sure to rotate static credentials for increased security.
If you are creating the cluster on a non-GCP instance or one that does not have the required Editor role:
(option 1) Create a GCP Service Account using the following gcloud commands:
export GCP_PROJECT=<your GCP project ID>
export GCP_SERVICE_ACCOUNT_USER=<some new service account user>
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
gcloud iam service-accounts create "$GCP_SERVICE_ACCOUNT_USER" --project="$GCP_PROJECT"
gcloud projects add-iam-policy-binding "$GCP_PROJECT" --member="serviceAccount:$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com" --role=roles/editor
gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" --iam-account="$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
(option 2) Retrieve the credentials for an existing service account using the following gcloud commands:
export GCP_PROJECT=<your GCP project ID>
export GCP_SERVICE_ACCOUNT_USER=<existing service account user>
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" --iam-account="$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
Export the static credentials that will be used to create the cluster:
export GCP_B64ENCODED_CREDENTIALS=$(base64 < "${GOOGLE_APPLICATION_CREDENTIALS}" | tr -d '\n')
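Added example, not part of the DKP documentation: a POSIX shell helper that encodes a key file exactly as the export above does and sanity-checks a GCP_B64ENCODED_CREDENTIALS value before it is handed to cluster creation (single line, valid base64, a service_account key carrying the expected fields), then prints the key's client_email so the operator can confirm which service account, and therefore which role binding, the cluster will run with. The sample key JSON is constructed with placeholder values, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the DKP docs). Assumes only sh, base64, grep and sed.

# Encode a service-account key file the way the page's export does:
# base64 with line wrapping removed, so the value is a single line.
encode_gcp_credentials() {
  base64 < "$1" | tr -d '\n'
}

# Check a GCP_B64ENCODED_CREDENTIALS value. Prints the key's client_email and
# returns 0 if it is single-line base64 of a service_account key carrying the
# expected fields; prints the reason and returns 1 otherwise.
check_gcp_credentials() {
  b64=$1
  nl=$(printf '\nx'); nl=${nl%x}                  # a literal newline
  case "$b64" in
    *"$nl"*) echo "value contains a newline (line wrapping was not stripped)"; return 1 ;;
  esac
  if ! json=$(printf '%s' "$b64" | base64 --decode 2>/dev/null); then
    echo "value is not valid base64"; return 1
  fi
  printf '%s' "$json" | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' \
    || { echo "decoded JSON is not a service_account key"; return 1; }
  for field in project_id client_email private_key_id private_key; do
    printf '%s' "$json" | grep -q "\"$field\"" \
      || { echo "key is missing field: $field"; return 1; }
  done
  # Surface which account the key belongs to so the operator can confirm the
  # cluster will run as the intended (ideally least-privilege) identity.
  printf '%s' "$json" \
    | sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample key with placeholder values; not a real credential.
SAMPLE_KEY_JSON='{"type":"service_account","project_id":"example-project","private_key_id":"PLACEHOLDER_KEY_ID","private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n","client_email":"dkp-sa@example-project.iam.gserviceaccount.com"}'

# Write the sample key to a temp file, encode it as the docs do, and check it.
demo() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_KEY_JSON" > "$tmp"
  b64=$(encode_gcp_credentials "$tmp")
  rm -f "$tmp"
  check_gcp_credentials "$b64"
}
```

Run check_gcp_credentials "$GCP_B64ENCODED_CREDENTIALS" right after the export; a non-zero exit means the value would be rejected or would authenticate as an unexpected account.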
To create a GCP Service Account with the Editor role, the user creating the GCP Service Account needs the Editor, RoleAdministrator, and SecurityAdmin roles. However, those pre-defined roles grant more permissions than the minimum set needed to create a DKP cluster.
For DKP cluster creation, the minimal set of roles and permissions needed by the user creating the GCP Service Account is the Editor role plus the following additional permissions:
compute.disks.setIamPolicy
compute.instances.setIamPolicy
iam.roles.create
iam.roles.delete
iam.roles.update
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.setIamPolicy
For more information on GCP service accounts, see GCP’s documentation: