- Acquire new user credentials to use for Application Default Credentials

  ```shell
  gcloud auth application-default login
  ```
- Throughout the document, the GCP Project ID parameter `--project=kt-nas-demo` is used in `gcloud` command syntax. Please change `kt-nas-demo` to the GCP Project ID you intend to use for the deployment.
- Where applicable, the GCP Region `us-west1` (Oregon) and/or Zone `us-west1-b` are used within the document. Consider changing to a region and zone that fit your deployment via the `--region=us-west1` and `--zone=us-west1-b` parameters.
- Create a VPC network for K8s cluster deployment

  | Parameter   | Value                              |
  |-------------|------------------------------------|
  | Name        | kne-demo                           |
  | Description | Kubernetes Network Emulation Demo  |
  | Subnets     | Auto                               |

  ```shell
  gcloud compute networks create kne-demo --project=kt-nas-demo --description="Kubernetes Network Emulation Demo" --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
  ```
- Create firewall rules for the VPC. We're going to permit all internal connectivity for now, and SSH and HTTPS access from the outside only from the address you are currently running the commands from (`curl -s ifconfig.me`)

  ```shell
  gcloud compute firewall-rules create kne-demo-allow-internal --project=kt-nas-demo --network=projects/kt-nas-demo/global/networks/kne-demo --description=Allows\ connections\ from\ any\ source\ in\ the\ network\ IP\ range\ to\ any\ instance\ on\ the\ network\ using\ all\ protocols. --direction=INGRESS --priority=65534 --source-ranges=10.128.0.0/9 --action=ALLOW --rules=all
  gcloud compute firewall-rules create kne-demo-allow-ssh --project=kt-nas-demo --network=projects/kt-nas-demo/global/networks/kne-demo --description=Allows\ TCP\ connections\ from\ limited\ sources\ to\ any\ instance\ on\ the\ network\ using\ port\ 22. --direction=INGRESS --priority=65534 --source-ranges="`curl -s ifconfig.me`/32" --action=ALLOW --rules=tcp:22
  gcloud compute firewall-rules create kne-demo-allow-https --project=kt-nas-demo --network=projects/kt-nas-demo/global/networks/kne-demo --description=Allows\ TCP\ connections\ from\ limited\ sources\ to\ any\ instance\ on\ the\ network\ using\ port\ 443. --direction=INGRESS --priority=65534 --source-ranges="`curl -s ifconfig.me`/32" --action=ALLOW --rules=tcp:443
  ```
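The two external rules above are deliberately pinned to a single `/32`, and the internal rule to the auto-mode VPC range `10.128.0.0/9`. The following script is an added example, not part of the KNE project or its `cluster_deploy.sh`; it audits a list of ingress rules and reports every source range that is broader than those two shapes, so a rule accidentally created with `0.0.0.0/0` shows up before the cluster goes live. The input format is assumed to be what `gcloud compute firewall-rules list --format="value(name,sourceRanges.list(),allowed[].map().firewall_rule().list())"` prints (one tab-separated line per rule); the sample lines are constructed to mimic that output, with `203.0.113.7` standing in for the operator's address.

```shell
#!/bin/sh
# Added example for this guide (not part of the KNE project or its scripts):
# audit ingress firewall rules for source ranges broader than the two shapes
# the document relies on: the auto-mode VPC range 10.128.0.0/9 for internal
# traffic, and a single /32 for the operator's own address.
#
# Assumed (not on the original page) export command that produces the input,
# one tab-separated line per rule: name, comma-joined source ranges,
# comma-joined allowed protocols:
#   gcloud compute firewall-rules list --project=kt-nas-demo \
#     --filter="network:kne-demo AND direction=INGRESS" \
#     --format="value(name,sourceRanges.list(),allowed[].map().firewall_rule().list())"

TAB="$(printf '\t')"

# Constructed sample in that format: the three rules from the document (with a
# placeholder operator address) plus two deliberately over-broad ones.
SAMPLE_RULES="kne-demo-allow-internal${TAB}10.128.0.0/9${TAB}all
kne-demo-allow-ssh${TAB}203.0.113.7/32${TAB}tcp:22
kne-demo-allow-https${TAB}203.0.113.7/32${TAB}tcp:443
kne-demo-allow-ssh-open${TAB}0.0.0.0/0${TAB}tcp:22
kne-demo-allow-all-open${TAB}0.0.0.0/0,10.0.0.0/8${TAB}all"

# Return 0 when a CIDR is one of the shapes this deployment expects.
cidr_is_narrow() {
  case "$1" in
    10.128.0.0/9) return 0 ;;  # internal range used by the allow-internal rule
    */32)         return 0 ;;  # single host, e.g. the output of curl ifconfig.me
    *)            return 1 ;;
  esac
}

# Read rule lines on stdin; print "<rule> <range> <allowed>" for each source
# range that is not narrow. Prints nothing when every rule is acceptable.
audit_firewall_rules() {
  while IFS="$TAB" read -r name ranges allowed; do
    [ -n "$name" ] || continue
    # sourceRanges.list() joins ranges with commas; split them back out.
    for cidr in $(printf '%s' "$ranges" | tr ',' ' '); do
      if ! cidr_is_narrow "$cidr"; then
        printf '%s %s %s\n' "$name" "$cidr" "$allowed"
      fi
    done
  done
}

# Number of findings for a block of rule lines (0 means the rule set is clean).
count_broad_sources() {
  printf '%s\n' "$1" | audit_firewall_rules | awk 'END { print NR }'
}

# Run the audit over the constructed sample; three findings are expected.
printf '%s\n' "$SAMPLE_RULES" | audit_firewall_rules
```

To run it against the real project, replace `SAMPLE_RULES` with the output of the `gcloud ... list` command in the header comment; an empty result means every ingress rule on `kne-demo` is either the internal range or a single host.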
- Give the service account created in the Prerequisites section the following IAM roles:
  - Compute Instance Admin
  - Compute Network Admin
  - Storage Admin
  - Service Account User
- Create a storage bucket for kOps to keep the K8s cluster configuration

  ```shell
  gsutil mb -p kt-nas-demo -l us-west1 gs://kne-demo-bucket-${USER}
  ```
- Create a K8s cluster using kOps

  ```shell
  export KOPS_STATE_STORE=gs://kne-demo-bucket-${USER}
  export KOPS_FEATURE_FLAGS=AlphaAllowGCE
  export CLUSTER=$USER.k8s.local
  export SITE="`curl -s ifconfig.me`/32" # IP range you will be accessing the cluster from
  export ZONES=us-west1-b
  export VPC=kne-demo
  export SVCACCNT=athena-g@kt-nas-demo.iam.gserviceaccount.com
  ./kne-demo/scripts/cluster_deploy.sh
  sleep 300
  kops validate cluster $CLUSTER --wait 10m
  ```
- Add Meshnet CNI to the K8s cluster and validate that the `meshnet` namespace is present in the cluster

  ```shell
  kustomize build ./kne/manifests/meshnet/base | kubectl apply -f -
  kubectl get pods -n meshnet
  ```
- To make the kOps environment persistent across multiple shell sessions, set the following env variables in `$HOME/.bash_profile`:

  ```shell
  cat >> $HOME/.bash_profile << EOF
  # Set kOps environment for KNE
  export KOPS_STATE_STORE=gs://kne-demo-bucket-${USER}
  export KOPS_FEATURE_FLAGS=AlphaAllowGCE
  EOF
  ```
  Now try validating the cluster status in a new shell session

  ```shell
  kops validate cluster $USER.k8s.local --wait 10m
  ```
- The kubectl configuration created by kOps contains API keys with an expiration of 1 day. To refresh the keys, run the following command

  ```shell
  kops export kubecfg $USER.k8s.local
  ```