This page describes how to set up a Kubernetes cluster on GKE to be used as a Spinnaker Kubernetes v2 provider. The process is very simple, but you need to do some specific things to allow Spinnaker to authenticate against your cluster.
Note: To manage and create clusters in a given project, you need the
roles.container/adminrole as described here.
Create a cluster
If you don’t already have a cluster for this purpose, you can create a
Kubernetes cluster on GKE using either
gcloud or the the Cloud
Console as shown in the official
Third party tools like
work too, and can be used to automate provisioning your clusters.
Follow the instructions shown in the official documentation to download credentials.
Warning! The credentials you’ve downloaded probably rely on calling
gcloud to generate a token and authenticate against your cluster. This means
that the user (e.g.
[email protected]) you’ve configured
authenticate as is making requests against the cluster, instead of a fixed
making these requests.
This is a good thing because it prevents authenticating from a different
machine that hasn’t already authenticated with
gcloud. But it also
complicates configuring Spinnaker because each machine running Spinnaker needs
its own service account.
gcloud checks the permissions of that service
account in order to generate an authenication token.
Given that all pods on GKE share the same service account, granting Spinnaker on GKE permission also grants permission to all pods running alongside Spinnaker. For this reason, we recommend configuring a Kubernetes service account for Spinnaker to authenticate as.
TL;DR Use the credentials you’ve downloaded to create a Kubernetes service account for Spinnaker to authenticate as.