GKE Alpha Access

Rok requires local NVMe SSDs in GKE to use as raw block devices. This is still an alpha feature in GKE and you will need to use service account credentials to access it. This guide will walk you through creating and activating the necessary service account, assuming that your project is already allowlisted for alpha access. Typically, alpha participation is by invitation and subject to pre-general-availability terms. Make sure you contact your account manager to get your project allowlisted before proceeding with the rest of the guide.

Note

If you already have a credentialed service account to access gcloud alpha commands, you may proceed to the Verify section.

What You’ll Need

  • A Google account.
  • A Google Cloud project where you have enabled alpha features.
  • A configured cloud environment.

Procedure

  1. Obtain your active (regular) account:

    root@rok-tools:~# export ACCOUNT=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
  2. Specify the name for the new service account:

    root@rok-tools:~# export CLUSTER_ADMIN_ACCOUNT_NAME=arrikto-cluster-admin

    Note

    This must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.

  3. Create the service account:

    root@rok-tools:~# gcloud iam service-accounts create ${CLUSTER_ADMIN_ACCOUNT_NAME?} \
    >     --display-name=${CLUSTER_ADMIN_ACCOUNT_NAME?}

    Troubleshooting

    The command fails with ‘Service account arrikto-cluster-admin already exists within project myproject’.

    This happens because you have already created a service account with that name. Follow the instructions again specifying a different name for the service account or proceed to the Verify section.

  4. Specify the service account email:

    root@rok-tools:~# export CLUSTER_ADMIN_ACCOUNT=${CLUSTER_ADMIN_ACCOUNT_NAME?}@${PROJECT_ID?}.iam.gserviceaccount.com
  5. Grant the serviceAccountActor role to the service account:

    root@rok-tools:~# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \
    >     --member=serviceAccount:${CLUSTER_ADMIN_ACCOUNT?} \
    >     --role=roles/iam.serviceAccountActor \
    >     --condition=None
  6. Grant the clusterAdmin role to the service account:

    root@rok-tools:~# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \
    >     --member=serviceAccount:${CLUSTER_ADMIN_ACCOUNT?} \
    >     --role=roles/container.clusterAdmin \
    >     --condition=None
  7. Create a private key for the service account:

    root@rok-tools:~# gcloud iam service-accounts keys create ${CLUSTER_ADMIN_ACCOUNT_NAME?}-keyfile.json \
    >     --iam-account=${CLUSTER_ADMIN_ACCOUNT?}
  8. Activate the service account:

    root@rok-tools:~# gcloud auth activate-service-account ${CLUSTER_ADMIN_ACCOUNT?} \
    >     --key-file=${CLUSTER_ADMIN_ACCOUNT_NAME?}-keyfile.json
  9. Switch back to your regular account:

    root@rok-tools:~# gcloud config set account ${ACCOUNT?}
  10. Enable the GKE API:

    root@rok-tools:~# gcloud alpha services enable container.googleapis.com --project ${PROJECT_ID?}
    Operation "operations/acf.p2-778779819786-4424bae5-490d-422a-be93-d91ffd821f64" finished successfully.

    Note

    There will be no output if you have already enabled it.

Verify

  1. Verify that you have credentials for your cluster admin service account:

    root@rok-tools:~# gcloud auth list
    Credentialed Accounts
    ACTIVE  ACCOUNT
            arrikto-cluster-admin@myproject.iam.gserviceaccount.com
    ...
  2. Verify that your active account is your regular account:

    root@rok-tools:~# gcloud auth list --filter=status:ACTIVE --format="value(account)"
    jdoe@example.com
  3. Verify you can access Google Kubernetes Engine:

    root@rok-tools:~# gcloud container clusters list
  4. Verify you can access the GKE alpha features using the cluster admin service account:

    root@rok-tools:~# gcloud alpha container clusters list --account ${CLUSTER_ADMIN_ACCOUNT?}

    Troubleshooting

    The command failed with a ‘Method not found’ error

    Ensure that your project is allowlisted for alpha access by reaching out to your account manager.
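As an added example (not part of the original guide or of Arrikto's tooling), the script below checks the name from step 2 of the procedure against the rule stated in its note, and confirms that the key file from step 7 is accessible only to its owner and belongs to the expected account. The function names and the sample key file are constructed for illustration; `client_email` is the field in which a service account JSON key stores the account address.

```shell
#!/usr/bin/env bash
# Added example: offline checks for the name chosen in step 2 and the
# key file written in step 7. No gcloud calls are made.

# Rule from the note under step 2: 6 to 30 characters, lowercase
# alphanumerics and dashes only.
valid_sa_name() {
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d 'a-z0-9-')" ]
}

# True when the file exists and grants nothing to group or others.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# True when the key's client_email field equals the expected account.
keyfile_matches_account() {
    tr -d ' \t\r\n' < "$1" | grep -qF "\"client_email\":\"$2\""
}

# Run both key file checks; returns 1 or 2 to tell the failures apart.
check_keyfile() {
    keyfile_is_private "$1" ||
        { echo "FAIL: $1 is accessible to group or others" >&2; return 1; }
    keyfile_matches_account "$1" "$2" ||
        { echo "FAIL: $1 is not a key for $2" >&2; return 2; }
    echo "OK: $1 is private and belongs to $2"
}

# Demo on a constructed key file (not a real key): group/world-readable
# first, then restricted to the owner.
demo() {
    local dir key account=arrikto-cluster-admin@myproject.iam.gserviceaccount.com
    dir=$(mktemp -d) && key=$dir/arrikto-cluster-admin-keyfile.json
    printf '{\n  "type": "service_account",\n  "client_email": "%s"\n}\n' \
        "$account" > "$key"
    chmod 644 "$key"; check_keyfile "$key" "$account" || true
    chmod 600 "$key"; check_keyfile "$key" "$account" || true
    rm -rf "$dir"
}
demo
```

With the variables from the procedure set, the equivalent call is `check_keyfile ${CLUSTER_ADMIN_ACCOUNT_NAME?}-keyfile.json ${CLUSTER_ADMIN_ACCOUNT?}`.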

Summary

You have successfully created and activated the necessary service account for accessing GKE alpha features.

What’s Next

The next step is to create the GKE cluster.