---
title: Preparing to Deploy PKS on GCP
owner: Ops Manager
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This guide describes the preparation steps required to install Pivotal Container Service (PKS) on Google Cloud Platform (GCP).
In addition to fulfilling the prerequisites listed in the [GCP Prerequisites and Resource Requirements](gcp-requirements.html) topic,
you must create resources in GCP such as a new network, firewall rules, load balancers, and a service account before deploying PKS.
Follow these procedures to prepare your GCP environment.
## <a id='service-account'></a>Step 1: Set up an IAM Service Account
In order for Kubernetes to create load balancers and attach persistent disks to pods, you must create a service account with sufficient permissions.
1. From the GCP Console, select **IAM & admin > Service accounts**.
1. Click **Create Service Account**.
1. Enter a name for the service account, and add the following roles:
* `roles/compute.instanceAdmin` (**Compute Engine > Compute Instance Admin**)
* `roles/compute.securityAdmin` (**Compute Engine > Compute Security Admin**)
* `roles/compute.networkAdmin` (**Compute Engine > Compute Network Admin**)
* `roles/compute.storageAdmin` (**Compute Engine > Compute Storage Admin**)
* `roles/compute.viewer` (**Compute Engine > Compute Viewer**)
1. Select **Furnish a new private key** and select **JSON**.
1. Click **Create**.
Your browser automatically downloads a JSON file containing a private key for this account.
This key is a long-lived credential that carries every Compute Engine permission granted above: store it where only the operators who deploy Ops Manager can read it, never commit it to source control, and delete the key from **IAM & admin > Service accounts** once it is no longer needed.
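The same account can be created from the command line. The script below is an added example, not Pivotal's code or part of the original page: it creates the service account, binds exactly the five roles listed above (nothing broader such as `roles/editor`), creates the JSON key under a restrictive umask so the file is owner-readable from the moment it exists, and provides an `audit_roles` check that compares the live IAM policy with the expected list. The project ID `my-project-id`, the account name `pks-master` and the key path `./pks-master-key.json` are assumptions; `DRY_RUN=1`, the default, prints the `gcloud` commands instead of running them.

```shell
#!/bin/sh
# Added example, not Pivotal's code: create the service account from Step 1
# with gcloud, bind exactly the five roles listed above, create its JSON key
# with a restrictive umask, and audit the bindings afterwards. Assumed names:
# project my-project-id, account pks-master, key ./pks-master-key.json.
# DRY_RUN=1 (the default) prints the gcloud commands instead of running them.
set -eu

PKS_PROJECT="${PKS_PROJECT:-my-project-id}"
PKS_SA_NAME="${PKS_SA_NAME:-pks-master}"
PKS_SA_EMAIL="${PKS_SA_NAME}@${PKS_PROJECT}.iam.gserviceaccount.com"
PKS_KEY_FILE="${PKS_KEY_FILE:-./${PKS_SA_NAME}-key.json}"
DRY_RUN="${DRY_RUN:-1}"

# The roles from Step 1, one per line. Nothing broader: no roles/editor or roles/owner.
pks_roles() {
  printf '%s\n' roles/compute.instanceAdmin roles/compute.securityAdmin \
    roles/compute.networkAdmin roles/compute.storageAdmin roles/compute.viewer
}

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

create_service_account() {
  run gcloud iam service-accounts create "$PKS_SA_NAME" \
    --project "$PKS_PROJECT" --display-name "PKS master service account"
  for role in $(pks_roles); do
    run gcloud projects add-iam-policy-binding "$PKS_PROJECT" \
      --member "serviceAccount:${PKS_SA_EMAIL}" --role "$role"
  done
}

# The key is created under umask 077 so the file is owner-readable only from
# the moment it exists; it is the equivalent of the browser download in Step 1.
create_key() {
  ( umask 077
    run gcloud iam service-accounts keys create "$PKS_KEY_FILE" \
      --iam-account "$PKS_SA_EMAIL" --project "$PKS_PROJECT" )
}

# Compare the roles actually bound to the account with the expected list.
# Reads "ROLE MEMBER" lines on stdin, as printed by
#   gcloud projects get-iam-policy "$PKS_PROJECT" --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# Prints "missing:"/"extra:" lines and returns 1 on any difference.
audit_roles() {
  bound=$(awk -v sa="serviceAccount:${PKS_SA_EMAIL}" '$2 == sa { print $1 }' | sort -u | tr '\n' ' ')
  expected=$(pks_roles | tr '\n' ' ')
  status=0
  for r in $expected; do
    case " $bound " in *" $r "*) ;; *) echo "missing: $r"; status=1 ;; esac
  done
  for r in $bound; do
    case " $expected " in *" $r "*) ;; *) echo "extra: $r"; status=1 ;; esac
  done
  return $status
}

create_service_account
create_key
```

Run `audit_roles` against the live policy after the deployment and periodically afterwards: an `extra:` line means the account has been widened beyond what PKS needs, which is the drift this kind of long-lived key makes expensive.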
## <a id='gcp-api'></a>Step 2: Enable Google Cloud APIs
Ops Manager manages GCP resources using the Google Compute Engine and Cloud Resource Manager APIs.
To enable these APIs, perform the following steps:
1. Log in to the Google Developers console at [https://console.developers.google.com](https://console.developers.google.com).
1. In the console, navigate to the GCP project where you want to install PKS.
1. Select **APIs & Services > Library**.
1. Under **Google Cloud APIs**, select **Compute Engine API**.
1. On the **Google Compute Engine API** page, click **Enable**.
1. In the search field, enter `Google Cloud Resource Manager API`.
1. On the **Google Cloud Resource Manager API** page, click **Enable**.
1. To confirm that you are working in the intended project, perform the following steps:
1. Log in to GCP:
<pre class="terminal">
$ gcloud auth login
</pre>
1. List your projects:
<pre class="terminal">
$ gcloud projects list
PROJECT\_ID NAME PROJECT\_NUMBER
my-project-id my-project-name ##############
</pre>
This command lists every project your account can access, not only those where the APIs are enabled. Check that the project you enabled the APIs in appears, and note its project ID for the later steps.
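`gcloud projects list` does not show which APIs a project has enabled. The check below is an added example, not part of the original page or Pivotal's tooling: it reads the enabled-service list produced by `gcloud services list --enabled --format='value(config.name)'` and reports each of the two APIs Ops Manager needs as enabled or missing, enabling the missing ones in dry-run mode. The project ID `my-project-id` is an assumption, and the sample input is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not Pivotal's code: check that the two APIs from Step 2 are
# enabled in the target project, which `gcloud projects list` does not tell
# you. Assumed: project my-project-id. The check reads the service list on
# stdin so it can run here against constructed output; pipe the gcloud
# command in the comment below into it for a real project.
set -eu

PKS_PROJECT="${PKS_PROJECT:-my-project-id}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Ops Manager needs Compute Engine and Cloud Resource Manager.
required_apis() {
  printf '%s\n' compute.googleapis.com cloudresourcemanager.googleapis.com
}

# Reads enabled service names, one per line, as printed by
#   gcloud services list --enabled --project "$PKS_PROJECT" --format='value(config.name)'
# Reports each required API as enabled or MISSING; returns 1 if any is missing.
check_apis() {
  enabled=$(tr '\n' ' ')
  status=0
  for api in $(required_apis); do
    case " $enabled " in
      *" $api "*) echo "enabled: $api" ;;
      *) echo "MISSING: $api"; status=1 ;;
    esac
  done
  return $status
}

# Enable the APIs named as arguments (dry-run by default).
enable_apis() {
  run gcloud services enable "$@" --project "$PKS_PROJECT"
}

# Constructed output for a project where only the Compute Engine API is on.
if ! printf '%s\n' compute.googleapis.com oslogin.googleapis.com | check_apis; then
  enable_apis cloudresourcemanager.googleapis.com
fi
```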
## <a id='create-network'></a>Step 3: Create a GCP Network with Subnets
1. Log in to the [GCP Console](https://console.cloud.google.com/).
1. Navigate to the GCP project where you want to install PKS.
1. Select **VPC network**, then **CREATE VPC NETWORK**.
1. In the **Name** field, enter `MY-PKS-virt-net`.
`MY-PKS` is a prefix to help you identify resources for this PKS deployment in the GCP console. Use the values from the following tables as a guide when you create each subnet, replacing the IP addresses with ranges that are available in your GCP environment.
<p class="note"><strong>Note</strong>: Pivotal recommends using all three subnets in production environments, so that the Ops Manager and BOSH Director VMs, the PKS control plane, and the Kubernetes cluster VMs are kept apart.
In non-production environments you can combine the infrastructure and control plane subnets (<code>pks-infrastructure</code> and <code>pks-main</code> in the Ops Manager configuration) into a single subnet.
<code>pks-services</code>, which holds the Kubernetes clusters, always requires its own subnet.</p>
1. Under **Subnets**, complete the form as follows to create an infrastructure subnet for Ops Manager, the BOSH Director, and NAT instances:
<table>
<tr>
<th style="width:25%">Name</th>
<td><code>MY-PKS-subnet-infrastructure-GCP-REGION</code></td>
</tr>
<tr>
<th>Region</th>
<td>A region that supports three availability zones (AZs).
For help selecting the correct region for your deployment, see the [Google documentation on regions and zones](https://cloud.google.com/compute/docs/regions-zones/regions-zones).</td>
</tr>
<tr>
<th>IP address range</th>
<td>A CIDR ending in `/26`<br>
Example: `192.168.101.0/26`</td>
</tr>
</table><br>
1. Click **Add subnet** to add a second subnet for the PKS control plane with the following details:
<table>
<tr>
<th style="width:25%">Name</th>
<td><code>MY-PKS-subnet-pks-GCP-REGION</code></td>
</tr>
<tr>
<th>Region</th>
<td>The same region you selected for the infrastructure subnet</td>
</tr>
<tr>
<th>IP address range</th>
<td>A CIDR ending in `/26`<br>
Example: `192.168.16.0/26`</td>
</tr>
</table><br>
1. Click **Add subnet** to add a third subnet for the Kubernetes clusters with the following details:
<table>
<tr>
<th style="width:25%">Name</th>
<td><code>MY-PKS-subnet-services-GCP-REGION</code></td>
</tr>
<tr>
<th>Region</th>
<td>The same region you selected for the previous subnets</td>
</tr>
<tr>
<th>IP address range</th>
<td>A CIDR ending in `/22`<br>
Example: `192.168.20.0/22`</td>
</tr>
</table><br>
1. Under **Dynamic routing mode**, leave **Regional** selected.
1. Click **Create**.
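The same network can be built from the command line. The script below is an added example, not part of the original page or Pivotal's tooling: it first validates the three ranges (the infrastructure and control plane subnets must be `/26`, the services subnet `/22`, and none may overlap, which the console will not check for you until the subnet create fails), then creates the custom-mode VPC with regional dynamic routing and the three subnets. The prefix `MY-PKS`, the region `us-west1` and the page's example ranges are assumptions; `DRY_RUN=1`, the default, prints the `gcloud` commands instead of running them.

```shell
#!/bin/sh
# Added example, not Pivotal's code: validate the three subnet ranges from
# Step 3 (/26, /26, /22, mutually disjoint) and create the custom-mode VPC and
# subnets with gcloud. Assumed: prefix MY-PKS, region us-west1, the page's
# example ranges. DRY_RUN=1 (the default) prints the gcloud commands only.
set -eu

PKS_PREFIX="${PKS_PREFIX:-MY-PKS}"
PKS_REGION="${PKS_REGION:-us-west1}"
PKS_NETWORK="${PKS_PREFIX}-virt-net"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Dotted quad to integer, e.g. 192.168.101.0 -> 3232261376.
ip_to_int() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First and last address of a CIDR as integers ("first last"), aligning a
# host address such as 192.168.21.0/22 down to its network address.
cidr_bounds() {
  size=$(( 1 << (32 - ${1#*/}) ))
  first=$(( $(ip_to_int "${1%/*}") / size * size ))
  echo "$first $(( first + size - 1 ))"
}

# True (exit 0) when the two CIDRs share at least one address.
cidrs_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Exit 0 only if the infrastructure and pks ranges are /26, the services range
# is /22 and none of the three overlap; otherwise print the first problem.
validate_subnets() {   # infra pks services
  [ "${1#*/}" = 26 ] || { echo "infrastructure subnet $1 must be a /26"; return 1; }
  [ "${2#*/}" = 26 ] || { echo "pks subnet $2 must be a /26"; return 1; }
  [ "${3#*/}" = 22 ] || { echo "services subnet $3 must be a /22"; return 1; }
  for pair in "$1 $2" "$1 $3" "$2 $3"; do
    if cidrs_overlap $pair; then echo "subnets overlap: $pair"; return 1; fi
  done
}

create_network() {   # infra pks services
  validate_subnets "$1" "$2" "$3" || return 1
  run gcloud compute networks create "$PKS_NETWORK" \
    --subnet-mode=custom --bgp-routing-mode=regional
  for pair in "infrastructure $1" "pks $2" "services $3"; do
    set -- $pair
    run gcloud compute networks subnets create "${PKS_PREFIX}-subnet-$1-${PKS_REGION}" \
      --network="$PKS_NETWORK" --region="$PKS_REGION" --range="$2"
  done
}

create_network 192.168.101.0/26 192.168.16.0/26 192.168.20.0/22
```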
## <a id='create-nat'></a>Step 4: Create NAT Instances
Use NAT instances when you want to expose only a minimal number of public IP addresses.
Creating NAT instances permits Internet access from cluster VMs.
You might, for example, need this Internet access for pulling Docker images or enabling Internet access for your workloads.
1. In the console, navigate to **Compute Engine** > **VM instances**.
1. Click **CREATE INSTANCE**.
1. Complete the following fields:
* **Name**: Enter `MY-PKS-nat-gateway-pri`.
This is the first, or primary, of three NAT instances you need.
If you are using a single AZ, you need only one NAT instance.
* **Zone**: Select the first zone from your region.
Example: For region `us-west1`, select zone `us-west1-a`.
* **Machine type**: Select `n1-standard-4`.
* **Boot disk**: Click **Change** and select `Ubuntu 14.04 LTS`, the image this procedure was written for. Ubuntu 14.04 is past the end of its standard support; if you choose a newer Ubuntu LTS image instead, note that its primary network interface is named `ens4` rather than `eth0`, and adjust the startup script in the next step accordingly.
1. Expand the additional configuration fields by clicking **Management, disks, networking, SSH keys**.
1. In the **Startup script** field under **Automation**, enter the following text:
<pre class="terminal">
#! /bin/bash
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>
The script runs as root on every boot, so the `sudo` prefixes are redundant. `eth0` is the primary interface on the Ubuntu 14.04 image; substitute `ens4` on newer Ubuntu images. The rule masquerades every packet the instance forwards, so the routes and firewall rules created in the following steps are what decide which VMs can reach the Internet through it.
1. Click **Networking** to open additional network configuration fields:
1. In the **Network tags** field, add the following: `nat-traverse` and `MY-PKS-nat-instance`.
1. Click the pencil icon to edit the **Network interface**.
1. For **Network**, select `MY-PKS-virt-net`. You created this network in [Step 3: Create a GCP Network with Subnets](#create-network).
1. For **Subnetwork**, select `MY-PKS-subnet-infrastructure-GCP-REGION`.
1. For **Primary internal IP**, select `Ephemeral (Custom)`.
1. Enter an IP address in the **Custom ephemeral IP address** field. Example: `192.168.101.2`. The IP address must meet the following requirements:
- The IP address must exist in the CIDR range you set for the `MY-PKS-subnet-infrastructure-GCP-REGION` subnet.
- The IP address must exist in a reserved IP range set later in Ops Manager Director. The reserved range is typically the first `.1` through `.9` addresses in the CIDR range you set for the `MY-PKS-subnet-infrastructure-GCP-REGION` subnet.
- The IP address cannot be the same as the Gateway IP address set later in Ops Manager. The Gateway IP address is typically the first `.1` address in the CIDR range you set for the `MY-PKS-subnet-infrastructure-GCP-REGION` subnet.
1. For **External IP**, select `Ephemeral`.
1. Set **IP forwarding** to `On`.
1. Click **Done**.
1. Click **Create** to finish creating the NAT instance.
1. To create additional NAT instances, repeat steps 2-6 using the names and zones specified in the table below.
<table>
<tr>
<th rowspan="3" width="15%">Instance 2</th>
<td width="15%"><strong>Name</strong></td>
<td>
<code>MY-PKS-nat-gateway-sec</code>
</td>
</tr>
<tr>
<td><strong>Zone</strong></td>
<td>
Select the second zone from your region.<br>
Example: For region <code>us-west1</code>, select zone <code>us-west1-b</code>.<br>
</td>
</tr>
<tr>
<td><strong>Internal IP</strong></td>
<td>
Select <code>Custom</code> and enter an IP address in the <strong>Internal IP address</strong> field. Example: `192.168.101.3`.
<br><br>As described above, this address must be in the CIDR range you set for the <code>MY-PKS-subnet-infrastructure-GCP-REGION</code> subnet, must exist in a reserved IP range set later in Ops Manager Director, and cannot be the same as the Gateway IP address set later in Ops Manager.
</td>
</tr>
<tr>
<th rowspan="3">Instance 3</th>
<td><strong>Name</strong></td>
<td>
<code>MY-PKS-nat-gateway-ter</code>
</td>
</tr>
<tr>
<td><strong>Zone</strong></td>
<td>
Select the third zone from your region.<br>
Example: For region <code>us-west1</code>, select zone <code>us-west1-c</code>.
</td>
</tr>
<tr>
<td><strong>Internal IP</strong></td>
<td>
Select <code>Custom</code> and enter an IP address in the <strong>Internal IP address</strong> field. Example: `192.168.101.4`.
<br><br>As described above, this address must be in the CIDR range you set for the <code>MY-PKS-subnet-infrastructure-GCP-REGION</code> subnet, must exist in a reserved IP range set later in Ops Manager Director, and cannot be the same as the Gateway IP address set later in Ops Manager.
</td>
</tr>
</table>
### <a id='nat-routes'></a>Create Routes for NAT Instances
1. In the GCP console, navigate to **VPC Networks** > **Routes**.
1. Click **CREATE ROUTE**.
1. Complete the form as follows:
* **Name**: `MY-PKS-nat-pri`
* **Network**: `MY-PKS-virt-net`
* **Destination IP range**: `0.0.0.0/0`
* **Priority**: `800`
* **Instance tags**: `MY-PKS`
* **Next hop**: `Specify an instance`
* **Next hop instance**: `MY-PKS-nat-gateway-pri`
1. Click **Create** to finish creating the route.
1. Repeat steps 2-4 to create two additional routes with the names and next hop instances specified in the table below.
The rest of the configuration remains the same.
<table>
<tr>
<th>Route 2</th>
<td>
<strong>Name</strong>: <code>MY-PKS-nat-sec</code><br>
<strong>Next hop instance</strong>: <code>MY-PKS-nat-gateway-sec</code>
</td>
</tr>
<tr>
<th>Route 3</th>
<td>
<strong>Name</strong>: <code>MY-PKS-nat-ter</code><br>
<strong>Next hop instance</strong>: <code>MY-PKS-nat-gateway-ter</code>
</td>
</tr>
</table>
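The NAT instances and their routes can also be created from the command line. The script below is an added example, not part of the original page or Pivotal's tooling, and it goes one step beyond the page's startup script: the generated script persists `ip_forward` across reboots, picks the interface that carries the default route (`eth0` on the Ubuntu 14.04 image, `ens4` on newer GCE images) instead of hard-coding `eth0`, and only masquerades traffic that comes from the listed PKS subnet ranges, with the `FORWARD` chain policy set to `DROP` so the instance cannot be used as a relay by anything else that reaches it. The prefix `MY-PKS`, the region `us-west1`, the page's example ranges and internal IPs, and the `ubuntu-2004-lts` image family are assumptions; `DRY_RUN=1`, the default, prints the `gcloud` commands instead of running them.

```shell
#!/bin/sh
# Added example, not Pivotal's code. Generates a NAT startup script that only
# masquerades traffic from the PKS subnets, then creates the three NAT
# instances and their routes. Assumed: prefix MY-PKS, region us-west1, the
# page's example ranges and internal IPs, the ubuntu-2004-lts image family.
# DRY_RUN=1 (default) prints the gcloud commands instead of running them.
set -eu

PKS_PREFIX="${PKS_PREFIX:-MY-PKS}"
PKS_REGION="${PKS_REGION:-us-west1}"
PKS_NETWORK="${PKS_PREFIX}-virt-net"
PKS_INFRA_SUBNET="${PKS_PREFIX}-subnet-infrastructure-${PKS_REGION}"
STARTUP_FILE="${TMPDIR:-/tmp}/${PKS_PREFIX}-nat-startup.sh"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Print the startup script. Arguments: the subnet ranges allowed to use the NAT.
# Compared with the two-line script in Step 4 it also persists ip_forward,
# picks the default-route interface (eth0 on Ubuntu 14.04, ens4 on newer GCE
# images) and refuses to forward anything that is not from a listed range.
nat_startup_script() {
  cat <<'EOF'
#!/bin/bash
set -e
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat.conf
sysctl -w net.ipv4.ip_forward=1
IFACE=$(ip -4 route show default | awk '{ print $5; exit }')
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  for cidr in "$@"; do
    printf 'iptables -A FORWARD -s %s -o "$IFACE" -j ACCEPT\n' "$cidr"
    printf 'iptables -t nat -A POSTROUTING -s %s -o "$IFACE" -j MASQUERADE\n' "$cidr"
  done
}

# One NAT instance: suffix (pri|sec|ter), zone, internal IP from the reserved range.
create_nat_instance() {
  run gcloud compute instances create "${PKS_PREFIX}-nat-gateway-$1" \
    --zone="$2" --machine-type=n1-standard-4 \
    --subnet="$PKS_INFRA_SUBNET" --private-network-ip="$3" \
    --can-ip-forward --tags="nat-traverse,${PKS_PREFIX}-nat-instance" \
    --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud \
    --metadata-from-file="startup-script=${STARTUP_FILE}"
}

# The matching route: VMs tagged with the prefix send 0.0.0.0/0 via this instance.
create_nat_route() {   # suffix zone
  run gcloud compute routes create "${PKS_PREFIX}-nat-$1" --network="$PKS_NETWORK" \
    --destination-range=0.0.0.0/0 --priority=800 --tags="$PKS_PREFIX" \
    --next-hop-instance="${PKS_PREFIX}-nat-gateway-$1" --next-hop-instance-zone="$2"
}

nat_startup_script 192.168.101.0/26 192.168.16.0/26 192.168.20.0/22 > "$STARTUP_FILE"
for spec in "pri ${PKS_REGION}-a 192.168.101.2" \
            "sec ${PKS_REGION}-b 192.168.101.3" \
            "ter ${PKS_REGION}-c 192.168.101.4"; do
  set -- $spec
  create_nat_instance "$1" "$2" "$3"
  create_nat_route "$1" "$2"
done
```

All three routes share destination `0.0.0.0/0`, priority `800` and the `MY-PKS` instance tag, so GCP spreads tagged VMs' outbound traffic across the three NAT instances; only VMs that carry that tag use the NAT at all, which is the second half of keeping the instance from becoming a general-purpose relay.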
## <a id='firewall-rules'></a>Step 5: Create Firewall Rules for the Network
GCP lets you assign [tags](https://cloud.google.com/compute/docs/label-or-tag-resources#tags) to virtual machine (VM) instances and create firewall rules that apply to VMs based on their tags. This step assigns tags and firewall rules to Ops Manager components and VMs that handle incoming traffic.
1. In the **Networking** pane, select **Firewall rules**.
1. Create firewall rules according to the table below:
<p class="note"><strong>Note</strong>: Rules 1 through 3 as written accept traffic from any Internet address (<code>0.0.0.0/0</code>). At a minimum, restrict the <strong>Source IP ranges</strong> of the SSH rule to the networks your operators connect from; if the HTTP and HTTPS ingress does not need to be public, narrow those rules to your private network as well.</p>
<table>
<tr><th colspan="2" style="text-align: center;">Firewall Rules</th></tr>
<tr>
<th>Rule 1</th>
<td>
This rule allows SSH from public networks.<br><br>
<strong>Name</strong>: <code>MY-PKS-allow-ssh</code><br>
<strong>Network</strong>: <code>MY-PKS-virt-net</code><br>
<strong>Allowed protocols and ports</strong>: <code>tcp:22</code><br>
<strong>Source filter</strong>: IP ranges<br>
<strong>Source IP ranges</strong>: <code>0.0.0.0/0</code><br>
<strong>Target tags</strong>: <code>allow-ssh</code>
</td>
</tr>
<tr>
<th>Rule 2</th>
<td>
This rule allows HTTP from public networks.<br><br>
<strong>Name</strong>: <code>MY-PKS-allow-http</code><br>
<strong>Network</strong>: <code>MY-PKS-virt-net</code><br>
<strong>Allowed protocols and ports</strong>: <code>tcp:80</code><br>
<strong>Source filter</strong>: IP ranges<br>
<strong>Source IP ranges</strong>: <code>0.0.0.0/0</code><br>
<strong>Target tags</strong>: <code>allow-http</code>, <code>router</code>
</td>
</tr>
<tr>
<th>Rule 3</th>
<td>
This rule allows HTTPS from public networks.<br><br>
<strong>Name</strong>: <code>MY-PKS-allow-https</code><br>
<strong>Network</strong>: <code>MY-PKS-virt-net</code><br>
<strong>Allowed protocols and ports</strong>: <code>tcp:443</code><br>
<strong>Source filter</strong>: IP ranges<br>
<strong>Source IP ranges</strong>: <code>0.0.0.0/0</code><br>
<strong>Target tags</strong>: <code>allow-https</code>, <code>router</code>
</td>
</tr>
<tr>
<th>Rule 4</th>
<td>
This rule allows communication between BOSH-deployed jobs.<br><br>
<strong>Name</strong>: <code>MY-PKS-allow-pks-all</code><br>
<strong>Network</strong>: <code>MY-PKS-virt-net</code><br>
<strong>Allowed protocols and ports</strong>: <code>tcp;udp;icmp</code><br>
<strong>Source filter</strong>: Source tags<br>
<strong>Target tags</strong>: <code>MY-PKS</code>, <code>MY-PKS-opsman</code>, <code>nat-traverse</code><br>
<strong>Source tags</strong>: <code>MY-PKS</code>, <code>MY-PKS-opsman</code>, <code>nat-traverse</code>
</td>
</tr>
</table>
1. The `default-allow-*` rules belong to the project's `default` network, which PKS does not use. If you are only using your GCP project to deploy PKS, delete the following rules (and, if nothing else depends on it, the `default` network itself) so the project exposes nothing beyond the rules above:
* `default-allow-http`
* `default-allow-https`
* `default-allow-icmp`
* `default-allow-internal`
* `default-allow-rdp`
* `default-allow-ssh`
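The four rules can be created from the command line, and the resulting rule set audited. The script below is an added example, not part of the original page or Pivotal's tooling: `create_firewall_rules` issues the four rules from the table above (rule 4 is tag-to-tag and therefore needs no source ranges), and `audit_firewall_rules` reads a `NAME|SOURCE_RANGES|ALLOWED` listing and flags any rule that admits `tcp:22`, all TCP or all protocols from `0.0.0.0/0`, plus any `default-*` rule still present. The prefix `MY-PKS` is assumed, as is the `gcloud ... --format` string quoted in the comment that produces the listing; `SSH_SOURCE` defaults to the page's `0.0.0.0/0` and should be set to your operator network. The sample listing in the block is constructed so the audit runs offline; `DRY_RUN=1`, the default, prints the `gcloud` commands instead of running them.

```shell
#!/bin/sh
# Added example, not Pivotal's code: create the four firewall rules from Step 5
# with gcloud, then audit a rule listing for SSH exposed to the Internet and
# for leftover default-* rules. Assumed: prefix MY-PKS; SSH_SOURCE, which
# defaults to the page's 0.0.0.0/0 and should be set to your operator network.
# DRY_RUN=1 (the default) prints the gcloud commands instead of running them.
set -eu

PKS_PREFIX="${PKS_PREFIX:-MY-PKS}"
PKS_NETWORK="${PKS_PREFIX}-virt-net"
SSH_SOURCE="${SSH_SOURCE:-0.0.0.0/0}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

create_firewall_rules() {
  run gcloud compute firewall-rules create "${PKS_PREFIX}-allow-ssh" --network="$PKS_NETWORK" \
    --direction=INGRESS --allow=tcp:22 --source-ranges="$SSH_SOURCE" --target-tags=allow-ssh
  run gcloud compute firewall-rules create "${PKS_PREFIX}-allow-http" --network="$PKS_NETWORK" \
    --direction=INGRESS --allow=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=allow-http,router
  run gcloud compute firewall-rules create "${PKS_PREFIX}-allow-https" --network="$PKS_NETWORK" \
    --direction=INGRESS --allow=tcp:443 --source-ranges=0.0.0.0/0 --target-tags=allow-https,router
  # Rule 4 is tag-to-tag: only VMs carrying one of the source tags can reach the
  # targets, which is why it needs no source ranges at all.
  run gcloud compute firewall-rules create "${PKS_PREFIX}-allow-pks-all" --network="$PKS_NETWORK" \
    --direction=INGRESS --allow=tcp,udp,icmp \
    --source-tags="${PKS_PREFIX},${PKS_PREFIX}-opsman,nat-traverse" \
    --target-tags="${PKS_PREFIX},${PKS_PREFIX}-opsman,nat-traverse"
}

# Audit ingress rules read as "NAME|SOURCE_RANGES|ALLOWED" lines on stdin, the
# shape produced by (format string assumed; compare with --format=json if in doubt)
#   gcloud compute firewall-rules list --filter="network:${PKS_NETWORK}" \
#     --format='csv[no-heading,separator="|"](name,sourceRanges.list(),allowed[].map().firewall_rule().list())'
# Flags any rule that admits tcp:22, all tcp or all protocols from 0.0.0.0/0,
# and any default-* rule still present. Returns 1 if anything was flagged.
audit_firewall_rules() {
  found=0
  while IFS='|' read -r name sources allowed; do
    [ -n "$name" ] || continue
    case "$name" in
      default-*) echo "default rule still present: $name"; found=1; continue ;;
    esac
    case ",$sources," in *,0.0.0.0/0,*) ;; *) continue ;; esac
    case ",$allowed," in
      *,tcp:22,*|*,tcp,*|*,all,*) echo "SSH reachable from the Internet: $name allows $allowed"; found=1 ;;
    esac
  done
  return $found
}

create_firewall_rules
# Constructed sample in the audit's input format: the page's rules as written,
# plus one of the default rules from the list above.
printf '%s\n' \
  "${PKS_PREFIX}-allow-ssh|0.0.0.0/0|tcp:22" \
  "${PKS_PREFIX}-allow-https|0.0.0.0/0|tcp:443" \
  "${PKS_PREFIX}-allow-pks-all||tcp,udp,icmp" \
  "default-allow-ssh|0.0.0.0/0|tcp:22" \
  | audit_firewall_rules || echo "tighten the flagged rules before deploying Ops Manager"
```

Against the page's rules as written the audit flags `MY-PKS-allow-ssh` and `default-allow-ssh`; setting `SSH_SOURCE` to an operator range such as `203.0.113.0/24` and deleting the default rules clears it.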
## <a id='next-steps'></a>Next Steps
To install PKS on GCP, follow the procedures in [Deploying Ops Manager to GCP](gcp-om-deploy.html).