Google Kubernetes Engine (GKE)
Learn how to connect your Google Kubernetes Engine (GKE) resources to Sedai agentlessly.
In order to add your GKE cluster to Sedai agentlessly, you will need the following details:
- Cluster Name
- Cluster URL
- Cluster Certificate Authority (CA) Certificate
- Region
- Service Account JSON
GKE uses IAM Service Accounts for authentication and Kubernetes Role Based Access Control (RBAC) for authorization.
To access the above information and grant Sedai programmatic access, complete the following steps:
GKE and the Kubernetes API require that the requesting account has sufficient permissions. Google Cloud IAM is used to authenticate the account.
Learn more about Sedai's access permissions:
The following are required in order to set up a Cloud IAM Service Account:
- Access to the GCP Project
- Set up default Google Cloud CLI settings for your project
via GCP Console
via CLI
1.
2. Go to the IAM & Admin console and select Service Account. Enter the following details and select Create:
   - Service Account Name: service-account-sedai-integration
   - Service Account ID (leave the default generated value)
   - Service Account Description
3. Grant the service account the role for your chosen Sedai mode:
   - For Autonomous Sedai: Kubernetes Engine Developer
   - For Read-only Sedai: Kubernetes Engine Cluster Viewer
4. Skip the optional step to grant users access to this service account.
5. Select Done to finish setup.
6. Select the IAM Service Account's actions menu and select Manage Keys > Add Keys > JSON. Download and save the key (it will be used to add your cluster within Sedai).
Autonomous (Recommended)
1. Create the IAM Service Account:
gcloud iam service-accounts create service-account-sedai-integration
2. Grant the predefined GKE role roles/container.developer to the IAM Service Account (replace PROJECT_ID with your project's unique ID):
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/container.developer
3. Generate the IAM Service Account key (again replacing PROJECT_ID with your project's unique ID):
gcloud iam service-accounts keys create gsa-key.json \
  --iam-account=service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com
Read-only
1. Create the IAM Service Account:
gcloud iam service-accounts create service-account-sedai-integration
2. Grant the predefined GKE role roles/container.viewer to the IAM Service Account (replace PROJECT_ID with your project's unique ID):
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/container.viewer
3. Generate the IAM Service Account key (this will be used to connect your cluster within Sedai):
gcloud iam service-accounts keys create gsa-key.json \
  --iam-account=service-account-sedai-integration@PROJECT_ID.iam.gserviceaccount.com
While IAM has a stronger focus on permissions at the project and organization level, it does provide several predefined roles specific to GKE.
This step requires kubectl access. IAM and Kubernetes RBAC work together to help manage access to your cluster. RBAC controls access at the cluster and namespace level, while IAM works at the project level. An entity must have sufficient permissions at either level to work with resources in your cluster.
Download the manifest based on your preferred cloud access for setting up Kubernetes RBAC and apply it in your cluster:
Autonomous (Recommended)
Read-only
1. Download the Kubernetes Resource Manifest YAML file:
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/gke/sedai-readonly-mode-clusterrole.yaml
2. Edit the YAML file and update the ClusterRoleBinding Name with the IAM Service Account Name created in the previous step.
3. Apply the updated manifests in your GKE Cluster (this will create the ClusterRole and ClusterRoleBindings in your cluster):
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
1. Download the Kubernetes Resource Manifest YAML file:
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/gke/sedai-readonly-mode-clusterrole.yaml
2. Edit the YAML file and update the ClusterRoleBinding Name with the IAM Service Account Name created in the previous step.
3. Apply the updated manifests in your GKE Cluster (this will create the ClusterRole and ClusterRoleBindings in your cluster):
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
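The IAM role binding above and the ClusterRoleBinding edit both name the same identity: the service account's email, which GKE presents to Kubernetes RBAC as a User. The following Python example is added here and is not part of Sedai's onboarding material; it reads a downloaded gsa-key.json, derives the --member value and the RBAC subject from it, and flags a ClusterRoleBinding subject that would not match (for example the short account ID instead of the full email). The sample key file, its project ID, and the functions load_key, iam_member, rbac_subject and check_binding_subject are constructed for this example.

```python
import json
import re

# Constructed sample of the fields gcloud writes to gsa-key.json. The private key is a
# placeholder and the project ID is made up; nothing here is a real credential.
SAMPLE_KEY_JSON = """{
  "type": "service_account",
  "project_id": "example-project-123",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "service-account-sedai-integration@example-project-123.iam.gserviceaccount.com"
}"""

# <account-id>@<project-id>.iam.gserviceaccount.com; project IDs are 6-30 chars of [a-z0-9-].
SA_EMAIL_RE = re.compile(r"^(?P<account>[a-z][a-z0-9-]+)@(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")

def load_key(text):
    """Parse a downloaded key file and reject anything that is not a well-formed service account key."""
    key = json.loads(text)
    for field in ("type", "project_id", "private_key_id", "private_key", "client_email"):
        if field not in key:
            raise ValueError(f"key file is missing '{field}'")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type {key['type']!r}")
    m = SA_EMAIL_RE.match(key["client_email"])
    if m is None:
        raise ValueError(f"malformed service account email {key['client_email']!r}")
    if m.group("project") != key["project_id"]:
        raise ValueError("client_email project does not match project_id")
    return key

def iam_member(key):
    """The --member value for 'gcloud projects add-iam-policy-binding'."""
    return "serviceAccount:" + key["client_email"]

def rbac_subject(key):
    """ClusterRoleBinding subject: GKE maps an IAM service account to a User named by its email."""
    return {"kind": "User", "name": key["client_email"], "apiGroup": "rbac.authorization.k8s.io"}

def check_binding_subject(key, subject_name):
    """Explain whether a ClusterRoleBinding subject name matches this key's identity."""
    email = key["client_email"]
    if subject_name == email:
        return True, "subject matches the service account email"
    if subject_name == email.split("@")[0]:
        return False, "subject is the short account ID; GKE RBAC needs the full email"
    return False, f"subject {subject_name!r} does not match {email!r}"
```

A mismatch found by check_binding_subject shows up at runtime as the Kubernetes API returning Forbidden for every request the key makes, even though the IAM binding itself succeeded.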
via GCP Dashboard
via Console
1. Log in to the GCP Console and select your Project.
2. Navigate to the GKE Dashboard and select the cluster.
3. Go to the Cluster basics tab. Copy the Name, Endpoint URL, and Cluster Certificate.
2. Run the following command and select your cluster Name:
gcloud container clusters list
3. Run the following command to retrieve the cluster Endpoint (replace <CLUSTER_NAME> and <CLUSTER_ZONE> with your cluster's name and zone):
gcloud container clusters describe <CLUSTER_NAME> --zone <CLUSTER_ZONE> --format='get(endpoint)'
4. Run the following command to retrieve the cluster Certificate (again with your cluster name and zone):
gcloud container clusters describe <CLUSTER_NAME> --zone <CLUSTER_ZONE> --format='get(masterAuth.clusterCaCertificate)'