Go hybrid with Anthos (GKE)
16 September 2020
Anthos
- Anthos is a multi-cloud and hybrid platform.
- Built on top of Kubernetes, Istio, and Knative.
Core components
Anthos GKE:
- A Kubernetes cluster running in the cloud or on premises.
- The on-prem variant is GKE On-Prem (1.0).
- Commonly used to host storage and CI/CD workloads.
- Supports the Stackdriver components for monitoring and logging.
- The following Kubernetes features are supported in Anthos GKE:
  - Management of node pools.
  - Node auto-repair.
  - Scaling.
  - Automatic upgrades.
  - Support for alpha and beta versions.
Anthos Config Management:
- A single configuration point for your hybrid workloads.
- It reads configuration from a Git repository and applies it to the clusters that are enrolled.
- Cluster-scoped objects are stored in the cluster/ directory.
- Namespace-scoped objects are stored under the namespaces/ directory, one subdirectory per namespace.
- System objects are stored in the system/ directory.
- Sample config for the namespace in the production environment (namespaces/shipping-prod/namespace.yaml):
apiVersion: v1
kind: Namespace
metadata:
  name: shipping-prod
  labels:
    env: prod
  annotations:
    audit: "true"
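As an added example (not code from the page or from the anthos-workshop repository), the script below lays out the cluster/, namespaces/ and system/ directories described above with one object of each kind and then runs a structural check of the kind `nomos vet` performs: every namespaces/<name>/ directory must contain a namespace.yaml whose metadata.name equals the directory name, and namespaced objects in that directory must not point at a different namespace. The ClusterRole, RoleBinding and group name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page or the anthos-workshop repo): build a minimal
# Anthos Config Management repo under $1 and check its layout. The ClusterRole,
# RoleBinding and group name below are constructed sample objects.

# make_acm_repo DIR: create system/, cluster/ and namespaces/ with sample objects.
make_acm_repo() {
  dir=$1
  mkdir -p "$dir/system" "$dir/cluster" "$dir/namespaces/shipping-prod"

  # system/repo.yaml declares the repo format version the operator expects.
  cat > "$dir/system/repo.yaml" <<'EOF'
apiVersion: configmanagement.gke.io/v1
kind: Repo
metadata:
  name: repo
spec:
  version: "1.0.0"
EOF

  # cluster/ holds cluster-scoped objects, e.g. a read-only ClusterRole.
  cat > "$dir/cluster/namespace-viewer-clusterrole.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-viewer
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
EOF

  # namespaces/<name>/namespace.yaml: the directory name must equal metadata.name.
  cat > "$dir/namespaces/shipping-prod/namespace.yaml" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: shipping-prod
  labels:
    env: prod
  annotations:
    audit: "true"
EOF

  # Namespaced objects sit beside namespace.yaml, e.g. a RoleBinding (constructed).
  cat > "$dir/namespaces/shipping-prod/rolebinding.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shipping-viewers
  namespace: shipping-prod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: Group
  name: shipping-readers@example.com
EOF
}

# vet_acm_repo DIR: return 0 if the layout is consistent, 1 (with a message) otherwise.
vet_acm_repo() {
  dir=$1
  [ -f "$dir/system/repo.yaml" ] || { echo "missing system/repo.yaml" >&2; return 1; }
  for nsdir in "$dir"/namespaces/*/; do
    [ -d "$nsdir" ] || continue
    nsname=$(basename "$nsdir")
    [ -f "$nsdir/namespace.yaml" ] || { echo "$nsname: missing namespace.yaml" >&2; return 1; }
    declared=$(sed -n 's/^  name: *//p' "$nsdir/namespace.yaml")
    [ "$declared" = "$nsname" ] || { echo "$nsname: namespace.yaml declares '$declared'" >&2; return 1; }
    # A namespaced object that names another namespace would be rejected by the operator.
    if grep -h '^  namespace: ' "$nsdir"/*.yaml | grep -qv "^  namespace: $nsname\$"; then
      echo "$nsname: an object declares a different namespace" >&2; return 1
    fi
  done
  return 0
}

# Stand-alone run: build the sample repo in a temporary directory and vet it.
demo_dir=$(mktemp -d)
make_acm_repo "$demo_dir"
vet_acm_repo "$demo_dir" && echo "ACM repo at $demo_dir passes the layout check"
```

Running the same check before `git push` catches the most common sync failure (a renamed directory whose namespace.yaml still carries the old name) on the workstation instead of in the operator's status.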
Anthos Service Mesh:
- An Istio-compatible service mesh.
- It connects on-prem services with services running on GKE in the cloud.
- Stackdriver is pre-integrated.
- Adds a layer of security with TLS between services (Istio mutual TLS).
Setting up Anthos:
- Clone the workshop repository and bootstrap the environment.
git clone https://github.com/GoogleCloudPlatform/anthos-workshop.git anthos-workshop
cd anthos-workshop
source ./env
./bootstrap-workshop.sh
- Review the clusters under Kubernetes Engine → Clusters in the GCP Console.
- Set up the remote cluster: switch to its context.
kubectx remote
- Assign the gkehub.connect Cloud IAM role to the Connect service account ($GKE_CONNECT_SA).
export PROJECT=$(gcloud config get-value project)
export GKE_CONNECT_SA=$PROJECT
export GKE_SA_CREDS=$WORK_DIR/$GKE_CONNECT_SA-creds.json
gcloud projects add-iam-policy-binding $PROJECT \
  --member="serviceAccount:$GKE_CONNECT_SA@$PROJECT.iam.gserviceaccount.com" \
  --role="roles/gkehub.connect"
- Create a private key for the service account and download it. The JSON key is a long-lived credential: keep it out of the config repository and delete it once the cluster is registered.
gcloud iam service-accounts keys create $GKE_SA_CREDS \
  --iam-account=$GKE_CONNECT_SA@$PROJECT.iam.gserviceaccount.com \
  --project=$PROJECT
- Register the on-prem cluster.
export REMOTE_CLUSTER_NAME_BASE="remote"
export REMOTE_CLUSTER_NAME=$REMOTE_CLUSTER_NAME_BASE.k8s.local
export REMOTE_KUBECONFIG=$WORK_DIR/remote.context
gcloud beta container memberships register $REMOTE_CLUSTER_NAME_BASE \
  --context=$REMOTE_CLUSTER_NAME \
  --service-account-key-file=$GKE_SA_CREDS \
  --kubeconfig=$REMOTE_KUBECONFIG \
  --project=$PROJECT
- Create a Kubernetes service account on the remote cluster and use its token to log in to the cluster from the console.
- Go to Kubernetes Engine > Clusters.
- Click the Login button next to the remote cluster.
- Choose Token as the authentication method.
- Paste the token generated from the service account.
- The remote cluster is now set up.
- Register your SSH key for Cloud Source Repositories at https://source.cloud.google.com/user/ssh_keys
- Click "Register SSH key".
- Type your GCP console password.
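The page only describes the service-account step in prose. As an added example (not code from the page or the workshop), the script below creates a Kubernetes service account on the remote cluster with read-only rights for the console login, and extracts its token. The service-account name `console-login`, the namespace `default`, and the `cloud-console-reader` ClusterRole (the extra node/PersistentVolume/StorageClass reads the console needs beyond the built-in `view` role, as given in the Connect documentation at the time) are assumptions; check the current documentation before relying on the role contents. Binding `view` rather than `cluster-admin` keeps a leaked token from becoming full control of the cluster.

```shell
#!/bin/sh
# Added example (not from the page or the workshop): least-privilege Kubernetes
# service account for the Cloud Console "Token" login, plus token extraction.
# Names are assumptions; the cloud-console-reader rules follow the Connect docs
# as understood when this was written and should be verified.

KSA=console-login
KSA_NS=default

# Manifests: the service account, the read-only ClusterRole the console needs,
# and bindings to `view` and to that role. No cluster-admin anywhere.
login_sa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $KSA
  namespace: $KSA_NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $KSA-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: $KSA
  namespace: $KSA_NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $KSA-console-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloud-console-reader
subjects:
- kind: ServiceAccount
  name: $KSA
  namespace: $KSA_NS
EOF
}

# token_from_secret SECRET_JSON: decode .data.token from a `kubectl get secret -o json`
# dump. Uses sed instead of jq so it runs anywhere; expects the "token" key on one line.
token_from_secret() {
  printf '%s' "$1" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p' | base64 -d
}

# Live steps against the remote context (need kubectl); defined, not run here.
# On Kubernetes 1.24+ the auto-generated secret no longer exists: use
# `kubectl -n $KSA_NS create token $KSA` instead of reading the secret.
setup_console_login() {
  login_sa_manifest | kubectl apply -f -
  secret=$(kubectl -n "$KSA_NS" get sa "$KSA" -o jsonpath='{.secrets[0].name}')
  token_from_secret "$(kubectl -n "$KSA_NS" get secret "$secret" -o json)"
}
```

Run `kubectx remote && setup_console_login` and paste the printed token into the console's Token field. The token is a bearer credential for the cluster, so treat it like the service-account key above: do not commit it, and delete the service account when the login is no longer needed.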
Apply the Config:
export REMOTE=remote
export CENTRAL=central
REPO_URL=ssh://${GCLOUD_ACCOUNT}@source.developers.google.com:2022/p/${PROJECT}/r/config-repo
kubectx $REMOTE
# Replace variables and stream results to kubectl apply
cat $BASE_DIR/config-management/config_sync.yaml | \
  sed 's|<REPO_URL>|'"$REPO_URL"'|g' | \
  sed 's|<CLUSTER_NAME>|'"$REMOTE"'|g' | \
  sed 's|none|ssh|g' | \
  kubectl apply -f -
kubectx $CENTRAL
cat $BASE_DIR/config-management/config_sync.yaml | \
  sed 's|<REPO_URL>|'"$REPO_URL"'|g' | \
  sed 's|<CLUSTER_NAME>|'"$CENTRAL"'|g' | \
  sed 's|none|ssh|g' | \
  kubectl apply -f -
The last sed switches the Git secretType from none to ssh; it rewrites every occurrence of "none" in the file, so check the template before reusing this pipeline with a different config_sync.yaml.
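As an added example (not the workshop's config_sync.yaml or its script), the function below renders a ConfigManagement template by replacing only the two placeholders and the `secretType:` line, instead of the page's global `sed 's|none|ssh|g'`. The template is constructed here in the shape of the ConfigManagement resource (clusterName, git.syncRepo, git.syncBranch, git.secretType, git.policyDir); the `example.com/proxy: none` annotation is an invented field whose only purpose is to show what a blanket substitution would clobber.

```shell
#!/bin/sh
# Added example (not from the page or the workshop): render the ConfigManagement
# template by touching only the intended fields. The template is constructed;
# the example.com/proxy annotation is invented to show the hazard of s/none/ssh/g.

CONFIG_SYNC_TEMPLATE='apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  annotations:
    example.com/proxy: none
spec:
  clusterName: <CLUSTER_NAME>
  git:
    syncRepo: <REPO_URL>
    syncBranch: master
    secretType: none
    policyDir: .
'

# render_config_sync REPO_URL CLUSTER_NAME SECRET_TYPE: print the rendered manifest.
# Only the placeholders and the secretType value under git: are rewritten.
render_config_sync() {
  repo_url=$1; cluster=$2; secret=$3
  printf '%s' "$CONFIG_SYNC_TEMPLATE" |
    sed -e "s|<REPO_URL>|$repo_url|g" \
        -e "s|<CLUSTER_NAME>|$cluster|g" \
        -e "s|^\(  *secretType: \)none\$|\1$secret|"
}

# With secretType ssh the operator reads the deploy key from the git-creds secret
# in config-management-system; this is the private half of the key registered
# with Cloud Source Repositories. Needs kubectl; defined, not run here.
create_git_creds() {
  kubectl create secret generic git-creds \
    --namespace=config-management-system --from-file=ssh="$1"
}

# apply_config_sync CONTEXT REPO_URL: switch context and apply the rendered manifest.
apply_config_sync() {
  kubectx "$1" && render_config_sync "$2" "$1" ssh | kubectl apply -f -
}

# Stand-alone run: show the rendered output for the remote cluster.
render_config_sync "ssh://${GCLOUD_ACCOUNT:-user}@source.developers.google.com:2022/p/${PROJECT:-project}/r/config-repo" remote ssh
```

Usage against real clusters: `create_git_creds ~/.ssh/id_rsa_csr` on each cluster (the operator must already be installed so the namespace exists), then `apply_config_sync remote "$REPO_URL"` and `apply_config_sync central "$REPO_URL"`.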
Push the Config:
mkdir namespaces/checkout
cat <<EOF > namespaces/checkout/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: checkout
EOF
export EMAIL=$(gcloud config get-value account)
git config --global user.email "$EMAIL"
git config --global user.name "$USER"
git add . && git commit -m 'adding checkout namespace'
git push origin master
Conclusion:
Hybrid or even multi-cloud will soon be a reality for many organizations. A strong hybrid cloud solution is needed to realize the advantages of the public cloud while keeping operating effort and costs within reasonable limits.