Google Kubernetes Engine (GKE) Setup

This page describes how to set up a Kubernetes cluster on GKE to be used as a Spinnaker Kubernetes v2 provider. The process is very simple, but you need to do some specific things to allow Spinnaker to authenticate against your cluster.

Note: To manage and create clusters in a given project, you need the roles/container.admin role as described here.

Create a cluster

If you don’t already have a cluster for this purpose, you can create a Kubernetes cluster on GKE using either gcloud or the Cloud Console as shown in the official documentation. Third-party tools like Terraform work too, and can be used to automate provisioning your clusters.

Download credentials

Follow the instructions shown in the official documentation to download credentials.

Warning! The credentials you’ve downloaded probably rely on calling gcloud to generate a token and authenticate against your cluster. This means that the user (e.g. [email protected]) you’ve configured gcloud to authenticate as is making requests against the cluster, instead of a fixed Kubernetes service account making these requests.

This is a good thing because it prevents authenticating from a different machine that hasn’t already authenticated with gcloud. But it also complicates configuring Spinnaker because each machine running Spinnaker needs its own service account. gcloud checks the permissions of that service account in order to generate an authentication token.

Given that all pods on GKE share the same service account, granting Spinnaker on GKE permission also grants permission to all pods running alongside Spinnaker. For this reason, we recommend configuring a Kubernetes service account for Spinnaker to authenticate as.

TL;DR Use the credentials you’ve downloaded to create a Kubernetes service account for Spinnaker to authenticate as.

Next Steps

Follow the setup instructions for adding a Kubernetes account in Spinnaker.