Requirements for Kubernetes clusters in Google Cloud
You can add and manage managed Google Kubernetes Engine (GKE) clusters and self-managed Kubernetes clusters in Google using Cloud Manager. Before you can add the clusters to Cloud Manager, ensure the following requirements are met.
|This topic uses Kubernetes cluster where configuration is the same for GKE and self-managed Kubernetes clusters. The cluster type is specified where configuration differs.|
- Astra Trident
One of the four most recent versions of Astra Trident is required. You can install Astra Trident directly from Cloud Manager. You should review the prerequisites prior to installing Astra Trident
To upgrade Astra Trident, upgrade with the operator.
- Cloud Volumes ONTAP
Cloud Volumes ONTAP must be in Cloud Manager under the same tenancy account, workspace, and Connector as the Kubernetes cluster. Go to the Astra Trident docs for configuration steps.
- Cloud Manager Connector
A Connector must be running in Google with the required permissions. Learn more below.
- Network connectivity
Network connectivity is required between the Kubernetes cluster and the Connector and between the Kubernetes cluster and Cloud Volumes ONTAP. Learn more below.
- RBAC authorization
Cloud Manager supports RBAC-enabled clusters with and without Active Directory. The Cloud Manager Connector role must be authorized on each GKE cluster. Learn more below.
Prepare a Connector
A Cloud Manager Connector in Google is required to discover and manage Kubernetes clusters. You’ll need to create a new Connector or use an existing Connector that has the required permissions.
Create a new Connector
Follow the steps in one of the links below.
Add the required permissions to an existing Connector (to discover a managed GKE cluster)
If you want to discover a managed GKE cluster, you might need to modify the custom role for the Connector to provide the permissions.
In Cloud Console, go to the Roles page.
Using the drop-down list at the top of the page, select the project or organization that contains the role that you want to edit.
Click a custom role.
Click Edit Role to update the role’s permissions.
Click Add Permissions to add the following new permissions to the role.
Click Update to save the edited role.
Review networking requirements
You need to provide network connectivity between the Kubernetes cluster and the Connector and between the Kubernetes cluster and the Cloud Volumes ONTAP system that provides backend storage to the cluster.
Each Kubernetes cluster must have an inbound connection from the Connector
The Connector must have an outbound connection to each Kubernetes cluster over port 443
The simplest way to provide this connectivity is to deploy the Connector and Cloud Volumes ONTAP in the same VPC as the Kubernetes cluster. Otherwise, you need to set up a peering connection between the different VPC.
Here’s an example that shows each component in the same VPC.
Set up RBAC authorization
RBAC validation occurs only on Kubernetes clusters with Active Directory (AD) enabled. Kubernetes clusters without AD will pass validation automatically.
You need authorize the Connector role on each Kubernetes cluster so the Connector can discover and manage a cluster.
- Backup and restore
Backup and restore requires only basic authorization.
- Add storage classes
Expanded authorization is required to add storage classes using Cloud Manager.
- Install Astra trident
You need to provide full authorization for Cloud Manager to install Astra Trident.
When installing Astra Trident, Cloud Manager installs the Astra Trident backend and Kubernetes secret that contains the credentials Astra Trident needs to communicate with the storage cluster.
subjects: name: in the YAML file, you need to know the Cloud Manager Unique ID.
You can find the unique ID one of two ways:
Using the command:
gcloud iam service-accounts list gcloud iam service-accounts describe <service-account-email>
In the Service Account Details on the Cloud Console.
Create a cluster role and role binding.
Create a YAML file that includes the following text based on your authorization requirements. Replace the
subjects: kind:variable with your username and
subjects: user:with the unique ID for the authorized service account.Backup/restore
Add basic authorization to enable backup and restore for Kubernetes clusters.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cloudmanager-access-clusterrole rules: - apiGroups: - '' resources: - namespaces verbs: - list - apiGroups: - '' resources: - persistentvolumes verbs: - list - apiGroups: - '' resources: - pods - pods/exec verbs: - get - list - apiGroups: - '' resources: - persistentvolumeclaims verbs: - list - create - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - list - apiGroups: - trident.netapp.io resources: - tridentbackends verbs: - list - apiGroups: - trident.netapp.io resources: - tridentorchestrators verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: k8s-access-binding subjects: - kind: User name: apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cloudmanager-access-clusterrole apiGroup: rbac.authorization.k8s.ioStorage classes
Add expanded authorization to add storage classes using Cloud Manager.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cloudmanager-access-clusterrole rules: - apiGroups: - '' resources: - secrets - namespaces - persistentvolumeclaims - persistentvolumes - pods - pods/exec verbs: - get - list - create - delete - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - create - list - delete - patch - apiGroups: - trident.netapp.io resources: - tridentbackends - tridentorchestrators - tridentbackendconfigs verbs: - get - list - create - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: k8s-access-binding subjects: - kind: User name: apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cloudmanager-access-clusterrole apiGroup: rbac.authorization.k8s.ioInstall Trident
Use the command line to provide full authorization and enable Cloud Manager to install Astra Trident.
kubectl create clusterrolebinding test --clusterrole cluster-admin --user <Unique ID>
Apply the configuration to a cluster.
kubectl apply -f <file-name>