KIB with GCP
This procedure describes how to use the Konvoy Image Builder (KIB) to create a Cluster API compliant GCP image. GCP images contain configuration information and software to create a specific, pre-configured, operating environment. For example, you can create a GCP image of your current computer system settings and software. The GCP image can then be replicated and distributed, creating your computer system for other users. KIB uses variable overrides to specify base image and container images to use in your new GCP image.
Google Cloud Platform does not publish images. You must first build the image using Konvoy Image Builder. For more information regarding images and clusters, refer to the GCP Infrastructure section of the documentation.
Prerequisites
Before you begin, you must:
Download the KIB bundle for your version of DKP.
Check the Supported Kubernetes Version for your Provider.
Create a working Docker or other registry setup.
On Debian-based Linux distributions, install a version of the cri-tools package known to be compatible with both the Kubernetes and container runtime versions.
Verify that your Google Cloud project does not have the Enable OS Login feature enabled. See below for more information:
The Enable OS Login feature is sometimes enabled by default in GCP projects. If the OS login feature is enabled, KIB will not be able to ssh
to the VM instances it creates and will not be able to successfully create an image.
To check if it is enabled, use the commands on this page https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#console_2 to inspect the metadata configured in in your project. If you find the the enable-oslogin
flag set to TRUE, you must remove (or set it to FALSE) to successfully use KIB.
GCP Prerequisite Roles
If you are creating your image on either a non-GCP instance or one that does not have the required roles, you must either:
Create a GCP service account.
If you have already created a service account, retrieve the credentials for an existing service account.
Export the static credentials that will be used to create the cluster:
CODEexport GCP_B64ENCODED_CREDENTIALS=$(base64 < "${GOOGLE_APPLICATION_CREDENTIALS}" | tr -d '\n')
Make sure to rotate static credentials for increased security.
If you are creating your image on either a non-GCP instance or one that does not have the required roles:
(option 1) Create a service account using the following
gcloud
commands:CODEexport GCP_PROJECT=<your GCP project ID> export GCP_SERVICE_ACCOUNT_USER=<some new service account user> export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json" gcloud iam service-accounts create "${GCP_SERVICE_ACCOUNT_USER}" --project=${GCP_PROJECT} gcloud projects add-iam-policy-binding ${GCP_PROJECT} --member="serviceAccount:${GCP_SERVICE_ACCOUNT_USER}@${GCP_PROJECT}.iam.gserviceaccount.com" --role=roles/compute.instanceAdmin.v1 gcloud projects add-iam-policy-binding ${GCP_PROJECT} --member="serviceAccount:${GCP_SERVICE_ACCOUNT_USER}@${GCP_PROJECT}.iam.gserviceaccount.com" --role=roles/iam.serviceAccountUser gcloud iam service-accounts keys create ${GOOGLE_APPLICATION_CREDENTIALS} --iam-account="${GCP_SERVICE_ACCOUNT_USER}@${GCP_PROJECT}.iam.gserviceaccount.com"
(option 2) If you have already created a service account, retrieve the credentials for an existing service account using the following
gcloud
commands:CODEexport GCP_PROJECT=<your GCP project ID> export GCP_SERVICE_ACCOUNT_USER=<existing service account user> export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json" gcloud projects add-iam-policy-binding ${GCP_PROJECT} --member="serviceAccount:${GCP_SERVICE_ACCOUNT_USER}@${GCP_PROJECT}.iam.gserviceaccount.com" --role=roles/compute.instanceAdmin.v1 gcloud projects add-iam-policy-binding ${GCP_PROJECT} --member="serviceAccount:${GCP_SERVICE_ACCOUNT_USER}@${GCP_PROJECT}.iam.gserviceaccount.com" --role=roles/iam.serviceAccountUser gcloud iam service-accounts keys create ${GOOGLE_APPLICATION_CREDENTIALS} --iam-account="${GCP_SERVICE_ACCOUNT_USER}@${GCP_PROJECT}.iam.gserviceaccount.com"
Export the static credentials that will be used to create the cluster:
CODEexport GCP_B64ENCODED_CREDENTIALS=$(base64 < "${GOOGLE_APPLICATION_CREDENTIALS}" | tr -d '\n')
Make sure to rotate static credentials for increased security.
Build the GCP image
Run the
konvoy-image
command to build and validate the image:CODE./konvoy-image build gcp --project-id ${GCP_PROJECT} --network ${NETWORK_NAME} images/gcp/ubuntu-2004.yaml
KIB will run and print out the name of the created image, you will use this name when creating a Kubernetes cluster. See sample output below:
CODE... ==> ubuntu-2004-focal-v20220419: Deleting instance... ubuntu-2004-focal-v20220419: Instance has been deleted! ==> ubuntu-2004-focal-v20220419: Creating image... ==> ubuntu-2004-focal-v20220419: Deleting disk... ubuntu-2004-focal-v20220419: Disk has been deleted! ==> ubuntu-2004-focal-v20220419: Running post-processor: manifest Build 'ubuntu-2004-focal-v20220419' finished after 7 minutes 46 seconds. ==> Wait completed after 7 minutes 46 seconds ==> Builds finished. The artifacts of successful builds are: --> ubuntu-2004-focal-v20220419: A disk image was created: konvoy-ubuntu-2004-1-23-7-1658523168 --> ubuntu-2004-focal-v20220419: A disk image was created: konvoy-ubuntu-2004-1-23-7-1658523168
To find a list of images you have created in your account, run the following command:
CODEgcloud compute images list --no-standard-images
Create a Network (optional)
Building an image requires a Network with firewall rules that allow SSH access to the VM instance.
Set your GCP Project ID for your
gcp
account unless already set previously:CODEexport GCP_PROJECT=<your GCP project ID>
Run the following to create a new network:
CODEexport NETWORK_NAME=kib-ssh-network gcloud compute networks create "${NETWORK_NAME}" --project="${GCP_PROJECT}" --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
Create the firewall rule to allow Ingress access on port 22:
CODEgcloud compute firewall-rules create "${NETWORK_NAME}-allow-ssh" --project="${GCP_PROJECT}" --network="projects/${GCP_PROJECT}/global/networks/${NETWORK_NAME}" --description="Allows TCP connections from any source to any instance on the network using port 22." --direction=INGRESS --priority=65534 --source-ranges=0.0.0.0/0 --action=ALLOW --rules=tcp:22
With your KIB image now created, you can now move on to create your cluster and set up your Cluster API (CAPI) controllers..