Deploy to a local kind Kubernetes cluster¶
Follow the instructions below to set up a local kind Kubernetes cluster for building and running the controller.
Costs¶
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Before you begin¶
-
Install the Google Cloud SDK.
-
Configure authorization and a base set of properties for the
gcloudcommand line tool. Choose a project that has billing enabled. -
Set the Google Cloud project you want to use:
Replace
PROJECT_IDwith the project ID of the Google Cloud project you want to use. -
Define and export environment variables that you use to configure resources required to run the controller:
-
Enable the Compute Engine, Identity and Access Management (IAM), and Security Token Service APIs on your Google Cloud project:
-
Install the
kubectlKubernetes client command-line tool: -
Install
kind.To create
kindKubernetes clusters, you need one of the following:- Podman, or
- Docker Engine (Linux only), or
- Docker Desktop.
-
Install the
jqcommand-line tool. -
To build the binary and the container image for the controller, install all of the following:
-
Clone the Git repository and navigate to the directory
projects/k8s-hybrid-neg-controller.
Create the local kind Kubernetes cluster¶
-
Create cluster:
This command creates a multi-node Kubernetes cluster with fake
topology.kubernetes.io/zonelabels to simulate a Kubernetes cluster with Nodes spread across multiple zones.
Configure Workload Identity Federation with Kubernetes¶
Allow the controller manager to authenticate to Google Cloud APIs using Kubernetes ServiceAccount tokens, by configuring Workload Identity Federation with Kubernetes.
-
Get the cluster's OpenID Connect issuer URL and save it as an environment variable:
-
Download the cluster's JSON Web Key Set (JWKS):
-
Create a workload identity pool:
-
Add the Kubernetes cluster OIDC issuer as a provider to the workload pool:
export WORKLOAD_IDENTITY_PROVIDER=hybrid-neg-provider gcloud iam workload-identity-pools providers create-oidc $WORKLOAD_IDENTITY_PROVIDER \ --attribute-mapping "google.subject=assertion.sub,attribute.namespace=assertion['kubernetes.io']['namespace'],attribute.service_account_name=assertion['kubernetes.io']['serviceaccount']['name']" \ --issuer-uri "$ISSUER_URL" \ --jwk-json-path cluster-jwks.json \ --location global \ --workload-identity-pool $WORKLOAD_IDENTITY_POOL -
Create a custom IAM role with permissions to manage zonal network endpoint groups (NEGs):
gcloud iam roles create compute.networkEndpointGroupAdmin \ --description "Full control of zonal Network Endpoint Groups (NEGs)" \ --permissions "compute.instances.use,compute.networkEndpointGroups.attachNetworkEndpoints,compute.networkEndpointGroups.create,compute.networkEndpointGroups.createTagBinding,compute.networkEndpointGroups.delete,compute.networkEndpointGroups.deleteTagBinding,compute.networkEndpointGroups.detachNetworkEndpoints,compute.networkEndpointGroups.get,compute.networkEndpointGroups.list,compute.networkEndpointGroups.listEffectiveTags,compute.networkEndpointGroups.listTagBindings,compute.networkEndpointGroups.use,compute.zones.list" \ --project $PROJECT_ID \ --stage GA \ --title "Zonal Network Endpoint Groups Admin"This custom role provides permissions to manage zonal network endpoint groups using the Compute Engine API.
You can create the custom role at the organization level instead of at the project level, by replacing the
--projectflag with the--organizationflag and your organization resource ID.You can use predefined roles, such as the Kubernetes Engine Service Agent role (
container.serviceAgent), instead of creating a custom role. However, the predefined roles typically provide additional permissions that aren’t needed to manage zonal NEGs. -
Grant the custom IAM role on the Google Cloud project to the federated identity representing the Kubernetes service account of the controller:
gcloud projects add-iam-policy-binding $PROJECT_ID \ --member "principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${WORKLOAD_IDENTITY_POOL}/subject/system:serviceaccount:hybrid-neg-system:hybrid-neg-controller-manager" \ --role projects/$PROJECT_ID/roles/compute.networkEndpointGroupAdmin -
Create a credential configuration file:
gcloud iam workload-identity-pools create-cred-config \ projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${WORKLOAD_IDENTITY_POOL}/providers/${WORKLOAD_IDENTITY_PROVIDER} \ --credential-source-file /var/run/secrets/iam.googleapis.com/token \ --credential-source-type text \ --output-file k8s/components/secure-token-service/credential-configuration.json -
Create a patch that adds a
serviceAccountTokenprojected volume to the controller Pod spec:echo PROJECT_NUMBER=$PROJECT_NUMBER echo WORKLOAD_IDENTITY_POOL=$WORKLOAD_IDENTITY_POOL echo WORKLOAD_IDENTITY_PROVIDER=$WORKLOAD_IDENTITY_PROVIDER eval "echo \"$(cat k8s/components/secure-token-service/patch-google-sts-token-volume.yaml.template)\"" \ > k8s/components/secure-token-service/patch-google-sts-token-volume.yaml
Configure the controller¶
-
Create a patch that sets the Google Cloud project ID as an environment variable in the controller Pod spec:
-
Create a patch that sets the name of your VPC network on Google Cloud as an environment variable in the controller manager Pod spec:
export NETWORK=VPC_NETWORK eval "echo \"$(cat k8s/components/google-cloud-vpc-network/patch-google-cloud-vpc-network.yaml.template)\"" \ > k8s/components/google-cloud-vpc-network/patch-google-cloud-vpc-network.yamlReplace
VPC_NETWORKwith the name of the VPC network you want the controller to use.You can list the VPC networks in your project with this command:
Build and deploy the controller¶
-
Build the controller manager container image, render the manifests, deploy to the Kubernetes cluster, and tail the controller manager logs:
Verify that the controller can create hybrid NEGs¶
-
Create a Kubernetes Deployment resource with Pods running nginx, and expose them using a Kubernetes Service that has the
solutions.cloud.google.com/hybrid-negannotation: -
Verify that the controller created one hybrid NEG in each of the Compute Engine zones
us-west1-{a,b,c}:gcloud compute network-endpoint-groups list \ --filter 'name=nginx-80 AND networkEndpointType:NON_GCP_PRIVATE_IP_PORT'The output matches the following:
-
Verify that the hybrid NEGs in zones
us-west1-{a,b}have one endpoint each:for zone in us-west1-a us-west1-b ; do gcloud compute network-endpoint-groups list-network-endpoints nginx-80 \ --format yaml \ --zone $zone doneThe output looks similar to the following:
Verify that the controller can delete hybrid NEGs¶
-
Remove the
solutions.cloud.google.com/hybrid-negfrom thenginxKubernetes Service: -
Verify that the controller deleted the hybrid NEGs:
gcloud compute network-endpoint-groups list \ --filter 'name=nginx-80 AND networkEndpointType:NON_GCP_PRIVATE_IP_PORT'The output matches the following:
It may take a few seconds for the controller to delete the hybrid NEGs.
Troubleshoot¶
If you run into problems, please review the troubleshooting guide.
Clean up¶
-
Set up environment variables to use in the following steps:
-
Undeploy
k8s-hybrid-neg-controllerfrom thekindKubernetes cluster: -
Delete the
kindcluster: -
Delete the workload provider:
-
Delete the workload pool:
-
Delete the custom IAM role:
-
Verify that the controller deleted the hybrid NEGs:
gcloud compute network-endpoint-groups list \ --filter 'networkEndpointType:NON_GCP_PRIVATE_IP_PORT'The output matches the following:
To delete NEGs manually, use the command
gcloud compute network-endpoint-groups delete.