Google Cloud Platform - Google Kubernetes Engine Administration

This document describes administration procedures for creating and using a Kubernetes cluster on Google Cloud Platform.

Disclaimer: This document is NOT a substitute for the Google Cloud Platform documentation. Please read their documentation for updated and accurate information.

Accounts and Projects

Accounts related to SSEC work or other University of Wisconsin work must be created by DoIT. See https://it.wisc.edu/services/google-cloud-platform/ for more information. By working with DoIT you should get access through your Google Suite @wisc.edu account to a GCP "project" that you've named. You can then log in to the GCP Console (https://console.cloud.google.com/) where you'll have access to everything related to your work on GCP.

NOTE: Once logged in, be careful not to create resources on GCP unless you know what you are doing, even in tutorials. Otherwise you may end up accidentally charging to your business account.

Service Accounts and Kubectl

GCP allows you to create "Service Accounts" for controlling access to specific parts of a GCP project. This is useful for automating access to your future GKE cluster from GitLab (or other) Continuous Integration (CI) jobs. Note that a GCP Service Account is different from a Kubernetes Service Account.

To create a Service Account, first read through:

https://cloud.google.com/iam/docs/service-accounts

Next, go to your GCP Console, click the menu in the upper-left and go to "Project Settings". From there click on "Service Accounts" and then "+ CREATE SERVICE ACCOUNT". Follow the instructions to create your service account. To give your SA permission to create resources on your Kubernetes cluster, give it at least the "roles/container.developer" role. See https://cloud.google.com/iam/docs/understanding-roles#kubernetes-engine-roles for more information.

Once the Service Account is created, you will likely want to create a key to authenticate to GCP from your CI environment. Click the 3 dots to the right of your newly created Service Account in the list of Service Accounts and select "Create key". See https://cloud.google.com/iam/docs/creating-managing-service-account-keys for more information.

Now that you have that key, you should be able to use the gcloud utility (must be installed separately) in your CI jobs to authenticate:

gcloud auth activate-service-account <sa-account-name>@<gcp-project-id>.iam.gserviceaccount.com \
    --key-file=/path/to/json/key/you/downloaded.json

Now you can get the kube cluster configuration information by doing:

gcloud container clusters get-credentials <cluster-name> --zone <zone-name>

This will likely write information about your cluster to ~/.kube/config. You can then use kubectl as normal; if multiple clusters are configured, you may need to pass the --cluster option.

If your Service Account includes the "Project/Viewer" role you can do:

gcloud config set project <project-id>

If the above gives you a warning, double-check that the Project/Viewer role has been added to the Service Account. Otherwise, try enabling this API:

https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=

And then try again. If that still doesn't work, try this Stack Overflow thread for more help: https://stackoverflow.com/a/59931415/433202
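
The authentication steps above combined into one CI helper, as an added example that is not part of the original document. It takes the key JSON from a CI variable, keeps the key file, gcloud state and kubeconfig in a private scratch directory that is removed when the job exits, and passes the project with --project instead of running gcloud config set project. The variable names GCP_SA_KEY, GKE_CLUSTER and GKE_ZONE and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed CI variables:
#   GCP_SA_KEY            JSON content of the Service Account key (masked CI variable)
#   GKE_CLUSTER, GKE_ZONE cluster name and zone, as in the commands above

# Print one string field of a key file. Assumed layout: pretty-printed JSON
# with one field per line, as in a key file downloaded from the console.
sa_key_field() {  # usage: sa_key_field <key-file> <field>
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# Write the key JSON into a fresh private directory and print the file path.
# Runs in a subshell so the umask change does not leak into the job.
write_sa_key() (
    umask 077                      # directory 0700, key file 0600
    dir=$(mktemp -d) || exit 1
    printf '%s\n' "$1" > "$dir/key.json"
    if [ "$(sa_key_field "$dir/key.json" type)" != "service_account" ]; then
        echo "GCP_SA_KEY is not a service account key" >&2
        rm -rf "$dir"
        exit 1
    fi
    printf '%s\n' "$dir/key.json"
)

# Authenticate and fetch cluster credentials without touching $HOME.
gke_login() {
    GKE_KEY=$(write_sa_key "$GCP_SA_KEY") || return 1
    GKE_SCRATCH=$(dirname "$GKE_KEY")
    trap 'rm -rf "$GKE_SCRATCH"' EXIT   # key and tokens do not outlive the job
    # gcloud and kubectl read these, so nothing lands in ~/.config or ~/.kube
    export CLOUDSDK_CONFIG="$GKE_SCRATCH/gcloud" KUBECONFIG="$GKE_SCRATCH/kubeconfig"
    gcloud auth activate-service-account \
        "$(sa_key_field "$GKE_KEY" client_email)" --key-file="$GKE_KEY" &&
    gcloud container clusters get-credentials "$GKE_CLUSTER" \
        --zone "$GKE_ZONE" --project "$(sa_key_field "$GKE_KEY" project_id)"
}

# In a CI job script:  gke_login && kubectl get pods
```

Because KUBECONFIG points at a file that holds only this one cluster, kubectl needs no --cluster option in the job.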

Install Helm

Follow the instructions in the Helm documentation in the Google web console:

https://helm.sh/docs/intro/install/#from-apt-debianubuntu