Enable Workload Identity on GKE

This section will guide you though enabling Workload Identity feature on your GKE cluster which is necessary for running Arrikto Enterprise Kubeflow.

Note

If your cluster and node-pools already have Workload Identity enabled you may proceed to the Verify section.

Procedure

To enable Workload Identity on an existing cluster, modify the cluster with the following commands:

  1. Update your cluster to enable Workload Identity:

    root@rok-tools:~# gcloud container clusters update ${GKE_CLUSTER?} \ > --workload-pool=${PROJECT_ID?}.svc.id.goog Updating arrikto-cluster...done.
  2. Update all node pools to enable Workload Identity:

    root@rok-tools:~# gcloud container node-pools list --cluster ${GKE_CLUSTER?} \ > --format="value(name)" | xargs -n1 -I{} \ > gcloud container node-pools update {} --cluster ${GKE_CLUSTER?} \ > --workload-metadata=GKE_METADATA Updating node pool default-workers...

    Important

    The above will trigger node upgrades so it may take a while.

Verify

  1. Ensure your cluster has Workload Identity enabled:

    root@rok-tools:~# gcloud container clusters describe ${GKE_CLUSTER?} \ > --format="value(workloadIdentityConfig)" workloadPool=myproject.svc.id.goog
  2. Ensure that your node pools have Workload Identity enabled:

    root@rok-tools:~# gcloud container node-pools list --cluster ${GKE_CLUSTER?} \ > --format="value(name)" | xargs -n1 -I{} \ > gcloud container node-pools describe {} --cluster ${GKE_CLUSTER?} \ > --format="value(name,config.workloadMetadataConfig.mode)" default-workers GKE_METADATA

Summary

You have successfully updated your GKE cluster to enable Workload Identity.

What’s Next

The next step is to deploy Rok.