GKE Alpha Access
Rok requires local NVMe SSDs in GKE to use as raw block devices. This is still an alpha feature in GKE and you will need to use service account credentials to access it. This guide will walk you through creating and activating the necessary service account, assuming that your project is already allowlisted for alpha access. Typically, alpha participation is by invitation and subject to pre-general-availability terms. Make sure you contact your account manager to get your project allowlisted before proceeding with the rest of the guide.
Note
If you already have a credentialed service account to access gcloud alpha commands, you may proceed to the Verify section.
Overview
What You’ll Need
- A Google account.
- A Google Cloud project where you have enabled alpha features.
- A configured cloud environment.
Procedure
Obtain your active (regular) account:
root@rok-tools:~# export ACCOUNT=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
Specify the name for the new service account:
root@rok-tools:~# export CLUSTER_ADMIN_ACCOUNT_NAME=arrikto-cluster-admin
Note
This must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.
Create the service account:
root@rok-tools:~# gcloud iam service-accounts create ${CLUSTER_ADMIN_ACCOUNT_NAME?} \
>     --display-name=${CLUSTER_ADMIN_ACCOUNT_NAME?}
Troubleshooting
The command fails with ‘Service account arrikto-cluster-admin already exists within project myproject’.
This happens because you have already created a service account with that name. Follow the instructions again specifying a different name for the service account or proceed to the Verify section.
Specify the service account email:
root@rok-tools:~# export CLUSTER_ADMIN_ACCOUNT=${CLUSTER_ADMIN_ACCOUNT_NAME?}@${PROJECT_ID?}.iam.gserviceaccount.com
Grant the serviceAccountActor role to the service account:
root@rok-tools:~# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \
>     --member=serviceAccount:${CLUSTER_ADMIN_ACCOUNT?} \
>     --role=roles/iam.serviceAccountActor \
>     --condition=None
Grant the clusterAdmin role to the service account:
root@rok-tools:~# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \
>     --member=serviceAccount:${CLUSTER_ADMIN_ACCOUNT?} \
>     --role=roles/container.clusterAdmin \
>     --condition=None
Create a private key for the service account:
root@rok-tools:~# gcloud iam service-accounts keys create ${CLUSTER_ADMIN_ACCOUNT_NAME?}-keyfile.json \
>     --iam-account=${CLUSTER_ADMIN_ACCOUNT?}
Activate the service account:
root@rok-tools:~# gcloud auth activate-service-account ${CLUSTER_ADMIN_ACCOUNT?} \
>     --key-file=${CLUSTER_ADMIN_ACCOUNT_NAME?}-keyfile.json
Switch back to your regular account:
root@rok-tools:~# gcloud config set account ${ACCOUNT?}
Enable the GKE API:
root@rok-tools:~# gcloud alpha services enable container.googleapis.com --project ${PROJECT_ID?}
Operation "operations/acf.p2-778779819786-4424bae5-490d-422a-be93-d91ffd821f64" finished successfully.
Note
There will be no output if you have already enabled it.
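The key file created above is a long-lived credential for an account holding the clusterAdmin role, so it is worth checking before it is activated or copied anywhere. The following is an added example, not part of the original guide or of Rok: the function names `valid_sa_name` and `check_keyfile` are hypothetical, the sample key file is constructed, and the parsing assumes the one-field-per-line JSON layout that gcloud writes.

```shell
#!/bin/sh
# Added example (not from the Rok guide): pre-flight checks for the
# service-account name and key file used in the procedure above.

# Name rule as stated in this guide: 6-30 characters, lowercase
# alphanumerics and dashes. Characters are listed out so the check does
# not depend on the locale's idea of a-z.
valid_sa_name() {
    case "$1" in
        ''|*[!abcdefghijklmnopqrstuvwxyz0123456789-]*) return 1 ;;
    esac
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ]
}

# check_keyfile FILE EXPECTED_EMAIL
# 0 = OK, 2 = missing, 3 = group/other can access the file,
# 4 = not a service-account key, 5 = key belongs to another account.
check_keyfile() {
    keyfile=$1
    expected=$2
    [ -f "$keyfile" ] || return 2
    # "ls -ld" mode looks like -rw-------; columns 5-10 are group/other bits.
    [ "$(ls -ld "$keyfile" | cut -c5-10)" = "------" ] || return 3
    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$keyfile" || return 4
    email=$(sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$keyfile" | head -n 1)
    [ "$email" = "$expected" ] || return 5
}

# Constructed sample key file (placeholder values, no real key material).
demo_key=$(mktemp)
cat > "$demo_key" <<'EOF'
{
  "type": "service_account",
  "project_id": "myproject",
  "private_key": "CONSTRUCTED-PLACEHOLDER",
  "client_email": "arrikto-cluster-admin@myproject.iam.gserviceaccount.com"
}
EOF
chmod 600 "$demo_key"
if valid_sa_name arrikto-cluster-admin &&
   check_keyfile "$demo_key" arrikto-cluster-admin@myproject.iam.gserviceaccount.com
then echo "key file OK"
else echo "key file rejected"
fi
rm -f "$demo_key"
```

In the procedure itself, the equivalent call would be `check_keyfile ${CLUSTER_ADMIN_ACCOUNT_NAME?}-keyfile.json ${CLUSTER_ADMIN_ACCOUNT?}` between the key creation and activation steps.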
Verify
Verify that you have credentials for your cluster admin service account:
root@rok-tools:~# gcloud auth list
Credentialed Accounts
ACTIVE  ACCOUNT
        arrikto-cluster-admin@myproject.iam.gserviceaccount.com
...
Verify that your active account is your regular account:
root@rok-tools:~# gcloud auth list --filter=status:ACTIVE --format="value(account)"
jdoe@example.com
Verify you can access Google Kubernetes Engine:
root@rok-tools:~# gcloud container clusters list
Verify you can access the GKE alpha features using the cluster admin service account:
root@rok-tools:~# gcloud alpha container clusters list --account ${CLUSTER_ADMIN_ACCOUNT?}
Troubleshooting
The command failed with a ‘Method not found’ error
Ensure that your project is allowlisted for alpha access by reaching out to your account manager.