Links

Google Kubernetes Engine (GKE)

Learn how to connect your Google Kubernetes Engine (GKE) resources to Sedai agentlessly.
We recommend connecting GKE clusters with Sedai's Smart Agent.
In order to add your GKE cluster to Sedai agentlessly, you will need the following details:
  • Cluster Name
  • Cluster URL
  • Certifying Authority Certificate
  • Region
  • Service Account JSON
GKE uses IAM Service Accounts for authentication and Kubernetes Role Based Access Control (RBAC) for authorization.
To access the above information and grant Sedai programmatic access, complete the following steps:

Setup Cloud IAM Service Account

GKE and the Kubernetes API call require that the requesting account has sufficient permissions. You can use Google Cloud IAM in order to authenticate.
Learn more about Sedai's access permissions:
The following are required in order to set up a Cloud IAM Service Account:

Select a method to set up the Service Account:

via GCP Console
via CLI
  1. 1.
    Log in to the GCP Console and select your Project.
  2. 2.
    Go to IAM & Admin console and select Service Account. Enter the following details and select Create.
    • Service Account Name: service-account-sedai-integration
    • Service Account ID (leave the default generated value)
    • Service Account Description
  3. 3.
    Grant access to the Project via the Role (learn more about Sedai's access permissions >)
    • For Autonomous Sedai: Kubernetes Engine Developer
    • For Read-only Sedai: Kubernetes Engine Cluster Viewer
  4. 4.
    Skip the optional step to grant users access to this service account.
  5. 5.
    Select Done to finish setup.
  6. 6.
    Select the IAM Service Account's actions menu and select Manage Keys > Add Keys > JSON. Download and save the key (this will be used to add your cluster within Sedai).
Learn more about Sedai's autonomous access permissions >

Autonomous Setup

1. Create IAM Service Account:
gcloud iam service-accounts create service-account-sedai-integration
2. Grant predefined GKE Role roles/container.developer for the IAM Service Account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com \
--role=roles/container.developer
3. Generate the IAM Service Key:
Replace project_id with your unique ID.
gcloud iam service-accounts keys create gsa-key.json \
--iam-account=service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com

Read-only Setup

1. Create IAM Service Account:
gcloud iam service-accounts create service-account-sedai-integration
2. Grant predefined GKE Role roles/container.viewer for the IAM Service Account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com \
--role=roles/container.viewer
3. Generate IAM Service Key (this will be used to connect your cluster within Sedai):
gcloud iam service-accounts keys create gsa-key.json \
--iam-account=service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com
While IAM has a stronger focus on permissions at the project and organization level, it does provide several predefined roles specific to GKE:

Setup Kubernetes RBAC

This step requires kubectl access.
IAM and Kubernetes RBAC work together to help manage access to your cluster. RBAC controls access on a cluster and namespace level, while IAM works on the project level. An entity must have sufficient permissions at either level to work with resources in your cluster.
Download the manifest based on your preferred cloud access for setting up Kubernetes RBAC and apply it in your cluster:
Autonomous (Recommended)
Read-only
1. Download the Kubernetes Resource Manifest YAML file:
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/gke/sedai-readonly-mode-clusterrole.yaml
2. Edit the YAML file and update the ClusterRoleBinding Name with the IAM Service Account Name created in the previous step.
3. Apply the updated manifests in your GKE Cluster (this will create the ClusterRole and ClusterRoleBindings in your cluster):
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
1. Download the Kubernetes Resource Manifest YAML file:
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/gke/sedai-readonly-mode-clusterrole.yaml
2. Edit the YAML file and update the ClusterRoleBinding Name with the IAM Service Account Name created in the previous step.
3. Apply the updated manifests in your GKE Cluster (this will create the ClusterRole and ClusterRoleBindings in your cluster):
kubectl apply -f sedai-readonly-mode-clusterrole.yaml

Fetch GKE Cluster Details

via GCP Dashboard
via Console
  1. 1.
    Log in to the GCP Console and select Project.
  2. 2.
    Navigate to the GKE Dashboard and select the cluster.
  3. 3.
    Go to the Cluster basics tab. Copy the Name, Endpoint URL, and Cluster Certificate.
1. Open the Google Cloud CLI.
2. Run command and select your cluster Name:
gcloud container clusters list
3. Run command to retrieve the cluster Endpoint:
gcloud container clusters describe <CLUSTER_NAME> --zone <CLUSTER_ZONE> --format='get(endpoint)'
4. Run command to retrieve cluster Certificate:
Update the command with your cluster name and zone before executing.
gcloud container clusters describe <CLUSTER_NAME> --zone <CLUSTER_ZONE> --format='get(masterAuth.clusterCaCertificate)'