# GKE Agentless Setup

Sedai connects to each Google Kubernetes Engine (GKE) cluster in a Google Cloud project independently. GKE uses Identity and Access Management (IAM) service accounts for authentication and Kubernetes Role-Based Access Control (RBAC) for authorization.

To connect a GKE cluster to Sedai, follow these steps:

1. [Set up Cloud IAM Service Account](#step-1-set-up-cloud-iam-service-account)
2. [Set up Kubernetes RBAC](#step-2-set-up-kubernetes-rbac)
3. [Fetch GKE cluster details](#step-3-fetch-gke-cluster-details)

### Step 1: Set up Cloud IAM Service Account

Calls to the GKE and Kubernetes APIs require the requesting account to have sufficient permissions. Google Cloud IAM is used to authenticate that account.

The following are required in order to set up a Cloud IAM Service Account:

* Access to the cluster's GCP Project
* Enabled [Google Kubernetes Engine API](https://console.cloud.google.com/flows/enableapi?apiid=container.googleapis.com)
* [Google Cloud CLI](https://cloud.google.com/sdk/downloads)
* Permission to set up default Google Cloud CLI settings for your project

#### Select a method to set up the Service Account:

{% tabs %}
{% tab title="via GCP Console" %}

1. Log in to the [GCP Console](https://console.cloud.google.com/) and select your project.
2. Go to IAM & Admin console and select **Service Account.** Enter the following details and select **Create**.
   * **Service Account Name**: `service-account-sedai-integration`
   * **Service Account ID** (leave the default generated value)
   * **Service Account Description**
3. Grant access to the project via the Role:
   * **For Autonomous Sedai:** Kubernetes Engine Developer
   * **For Read-only Sedai:** Kubernetes Engine Cluster Viewer
4. Skip the optional step to grant users access to this service account.
5. Select **Done** to finish setup.
6. Click the IAM Service Account's actions menu and select **Manage Keys** > **Add Keys** > **JSON**. Download and save the key (this will be used to add your cluster within Sedai).
{% endtab %}

{% tab title="via CLI" %}
Learn more about Sedai's [autonomous access permissions >](https://docs.sedai.io/get-started/onboarding/autonomous-cloud-management/connect-kubernetes-cluster/broken-reference)

#### Autonomous Setup

1\. Create IAM Service Account:

```
gcloud iam service-accounts create service-account-sedai-integration
```

2\. Grant predefined GKE Role `roles/container.developer` for the IAM Service Account:

```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/container.developer
```

3\. Generate the IAM Service Key:

{% hint style="info" %}
Replace `PROJECT_ID` in the commands above and below with your project's unique ID.
{% endhint %}

```
gcloud iam service-accounts keys create gsa-key.json \
    --iam-account=service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com
```

#### Read-only Setup

1\. Create IAM Service Account:

```
gcloud iam service-accounts create service-account-sedai-integration
```

2\. Grant predefined GKE Role `roles/container.viewer` for the IAM Service Account:

```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/container.viewer
```

3\. Generate IAM Service Key (this will be used to connect your cluster within Sedai):

```
gcloud iam service-accounts keys create gsa-key.json \
    --iam-account=service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com
```

{% endtab %}
{% endtabs %}

While IAM has a stronger focus on permissions at the project and organization level, it does provide several predefined roles specific to GKE:

{% embed url="https://cloud.google.com/kubernetes-engine/docs/how-to/iam#predefined" %}

***

### Step 2: Set up Kubernetes RBAC

{% hint style="warning" %}
This step requires `kubectl` access.
{% endhint %}

IAM and Kubernetes RBAC work together to help manage access to your cluster. RBAC controls access on a cluster and namespace level, while IAM works on the project level. An entity must have sufficient permissions at either level to work with resources in your cluster.

Download the manifest based on your preferred cloud access for setting up Kubernetes RBAC and apply it in your cluster:

{% tabs %}
{% tab title="Read-write" %}
{% hint style="info" %}
You can control whether Sedai can make changes on your behalf from the Settings page.
{% endhint %}

1. Download the Kubernetes Resource Manifest YAML file:

```
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/gke/sedai-readonly-mode-clusterrole.yaml
```

2\. Edit the YAML file and update the **ClusterRoleBinding Name** with the **IAM Service Account Name** created in the previous step.

3\. Apply the updated manifests in your GKE Cluster (this will create the ClusterRole and ClusterRoleBindings in your cluster):

```
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
```

{% endtab %}

{% tab title="Read-only" %}
1\. Download the Kubernetes Resource Manifest YAML file:

```
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/gke/sedai-readonly-mode-clusterrole.yaml
```

2\. Edit the YAML file and update the **ClusterRoleBinding Name** with the **IAM Service Account Name** created in the previous step.

3\. Apply the updated manifests in your GKE Cluster (this will create the ClusterRole and ClusterRoleBindings in your cluster):

```
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
```

{% endtab %}
{% endtabs %}
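Before applying a downloaded RBAC manifest, it is worth checking which verbs its ClusterRole grants and which identity its ClusterRoleBinding names, so that a read-only integration really is read-only. The POSIX shell functions below are an added example, not Sedai's manifest or tooling; the manifest embedded in them is a constructed sample, and the parser assumes verbs are written in flow style (`verbs: ["get", "list"]`).

```shell
#!/bin/sh
# Constructed sample manifest (NOT the Sedai-provided file): a read-only
# ClusterRole bound to the IAM service account created in Step 1.
SAMPLE_MANIFEST='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-readonly
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "deployments", "jobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-readonly-binding
subjects:
  - kind: User
    name: service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com
roleRef:
  kind: ClusterRole
  name: example-readonly
  apiGroup: rbac.authorization.k8s.io'

# Print every verb granted by flow-style "verbs: [...]" lines, one per line, deduplicated.
list_verbs() {
  printf '%s\n' "$1" \
    | sed -n 's/.*verbs:[[:space:]]*\[\(.*\)\].*/\1/p' \
    | tr ',' '\n' | tr -d ' "' | sort -u
}

# Return 0 when only read verbs are granted; 1 when any mutating or
# privilege-expanding verb (or a wildcard) appears.
is_read_only() {
  list_verbs "$1" \
    | grep -Eqx 'create|update|patch|delete|deletecollection|escalate|bind|impersonate|\*' \
    && return 1
  return 0
}

# Print the subject names bound by the manifest's (Cluster)RoleBinding blocks,
# so the reader can confirm only the intended IAM service account is named.
binding_subjects() {
  printf '%s\n' "$1" | awk '
    /^subjects:/ { s = 1; next }
    /^[A-Za-z]/   { s = 0 }
    s && /name:/  { sub(/.*name:[[:space:]]*/, ""); print }'
}

# Stand-alone demonstration on the constructed sample.
is_read_only "$SAMPLE_MANIFEST" && echo "read-only: yes" || echo "read-only: NO"
binding_subjects "$SAMPLE_MANIFEST"
```

After applying the manifest, `kubectl auth can-i <verb> <resource> --as=<service-account-email>` confirms the effective permissions against the live cluster.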

### Step 3: Fetch GKE Cluster Details

{% tabs %}
{% tab title="via GCP Dashboard" %}

1. Log in to the GCP Console and select your **Project**.
2. Navigate to the GKE Dashboard and select the cluster.
3. Go to the **Cluster basics** tab. Copy the **Name**, **Endpoint URL**, and **Cluster Certificate**.
{% endtab %}

{% tab title="via Console" %}
1\. Open the [Google Cloud CLI](https://cloud.google.com/sdk/downloads).

2\. Run the following command and note your cluster's **Name**:

```
gcloud container clusters list
```

3\. Run the following command to retrieve the cluster **Endpoint**:

```
gcloud container clusters describe <CLUSTER_NAME> --zone <CLUSTER_ZONE> --format='get(endpoint)'
```

4\. Run the following command to retrieve the cluster **Certificate**:

{% hint style="warning" %}
Update the command with your **cluster name and zone** before executing.
{% endhint %}

```
gcloud container clusters describe <CLUSTER_NAME> --zone <CLUSTER_ZONE> --format='get(masterAuth.clusterCaCertificate)'
```

{% endtab %}
{% endtabs %}

When you're done, navigate to **Settings > Integrations** and select the **Add Cloud** button. Follow the prompts to add a GKE cluster.

{% hint style="info" %}
In the cluster integration screens, Sedai automatically generates Helm and kubectl commands to deploy the Smart Agent within your cluster. Underneath the commands is an option to switch to agentless setup.
{% endhint %}
