Go hybrid with Anthos (GKE)

16 September 2020


  • Anthos is a multi-cloud and hybrid platform.
  • It is built on top of Kubernetes, Istio, and Knative.

Core components

Anthos GKE:

  • It is a Kubernetes cluster that runs in the cloud environment and on premises.
  • The on-prem variant is GKE On-Prem (1.0).
  • Generally used for storage and CI/CD solutions.
  • Supports Stackdriver components for monitoring and logging.
  • The following Kubernetes features are supported in Anthos GKE:
    • Management of the node pools.
    • Node Auto-repair.
    • Scaling.
    • Automatic upgrades.
    • Support in Alpha and Beta versions.


Anthos Config Management:

  • Common configuration point for your hybrid workloads.
  • It reads the configuration from the Git repository.
  • Cluster objects are stored in a cluster/ directory.
  • Namespace objects are stored in a namespaces/ directory.
  • System objects are stored in a system/ directory.
  • Sample config for the namespace in the production environment.
    apiVersion: v1
    kind: Namespace
    metadata:
      name: shipping-prod
      labels:
        env: prod
      annotations:
        audit: "true"

Anthos Service Mesh:

  • It is an Istio-compatible framework.
  • It connects on-prem services with GKE in the cloud.
  • Stackdriver is pre-integrated.
  • Provides an extra layer of security with TLS.

Setting up Anthos:

  • Clone the repo.
    git clone https://github.com/GoogleCloudPlatform/anthos-workshop.git anthos-workshop
    cd anthos-workshop
    source ./env
  • Review the cluster in Kubernetes Engine → Clusters in GCP Console.
  • Set up the remote cluster.
    kubectx remote

    Assign the gkehub.connect Cloud IAM role to the anthos-connect service account.

    export PROJECT=$(gcloud config get-value project)
    export GKE_SA_CREDS=$WORK_DIR/$GKE_CONNECT_SA-creds.json
    gcloud projects add-iam-policy-binding $PROJECT \
    --member="serviceAccount:$GKE_CONNECT_SA@$PROJECT.iam.gserviceaccount.com" \
    --role="roles/gkehub.connect"
  • Create a private key and download it.
    gcloud iam service-accounts keys create $GKE_SA_CREDS \
    --iam-account=$GKE_CONNECT_SA@$PROJECT.iam.gserviceaccount.com
  • Register the on-prem cluster.
    export REMOTE_CLUSTER_NAME_BASE="remote"
    export REMOTE_KUBECONFIG=$WORK_DIR/remote.context
    gcloud beta container hub memberships register $REMOTE_CLUSTER_NAME_BASE \
    --context=$REMOTE_CLUSTER_NAME \
    --service-account-key-file=$GKE_SA_CREDS \
    --kubeconfig=$REMOTE_KUBECONFIG
  • Create a service account for the remote cluster and use a token from it to log in to the remote cluster.
  • Go to Kubernetes Engine > Clusters.
  • Click on the Login button of the remote cluster.
  • Choose Token as the authentication method.
  • Paste the Token generated from the service account.
  • Now the remote cluster has been set up.



Apply the Config:

export REMOTE=remote
export CENTRAL=central

kubectx $REMOTE
# Replace variables and stream results to kubectl apply
cat $BASE_DIR/config-management/config_sync.yaml | \
sed 's|<REPO_URL>|'"$REPO_URL"'|g' | \
sed 's|<CLUSTER_NAME>|'"$REMOTE"'|g' | \
sed 's|none|ssh|g' | \
kubectl apply -f -

kubectx $CENTRAL
cat $BASE_DIR/config-management/config_sync.yaml | \
sed 's|<REPO_URL>|'"$REPO_URL"'|g' | \
sed 's|<CLUSTER_NAME>|'"$CENTRAL"'|g' | \
sed 's|none|ssh|g' | \
kubectl apply -f -

Push the Config:

mkdir namespaces/checkout

cat <<EOF > namespaces/checkout/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: checkout
EOF

export EMAIL=$(gcloud config get-value account)
git config --global user.email "$EMAIL"
git config --global user.name "$USER"

git add . && git commit -m 'adding checkout namespace'
git push origin master
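
The setup step downloads a service-account key to $GKE_SA_CREDS and the push step stages everything with `git add .`, so a check before pushing is useful. The following is an added example, not part of the original post or the workshop repo: it fails when a key file is readable by group or others, or when a key has been staged in the config repo. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the workshop repo: checks for the GKE Connect
# service-account key before anything is pushed to the config repo.

# True when the file (or stdin, with no argument) looks like a Google
# service-account key: JSON with "type": "service_account" and a private_key.
is_sa_key() {
  awk '/"type" *: *"service_account"/ { t = 1 }
       /"private_key" *:/             { k = 1 }
       END { exit !(t && k) }' "$@" 2>/dev/null
}

# Octal permission bits on GNU (stat -c) or BSD/macOS (stat -f).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key_file FILE: fails when a key file is accessible by group or others.
audit_key_file() {
  is_sa_key "$1" || return 0          # not a key: nothing to check
  mode=$(file_mode "$1")
  case "$mode" in
    *00) return 0 ;;                  # owner-only, e.g. 600 or 400
    *)   echo "FAIL $1: mode $mode, run: chmod 600 $1"; return 1 ;;
  esac
}

# audit_staged REPO_DIR: fails when a staged blob in the repo is a key.
# Returns 2 when REPO_DIR is not a Git working tree.
audit_staged() {
  git -C "$1" rev-parse --git-dir >/dev/null 2>&1 || return 2
  git -C "$1" diff --cached --name-only --diff-filter=ACM |
  {
    rc=0
    while IFS= read -r f; do
      # Inspect the staged content, not the working-tree copy.
      if git -C "$1" show ":$f" | is_sa_key; then
        echo "FAIL $f: service-account key is staged, run: git reset -- $f"
        rc=1
      fi
    done
    exit "$rc"
  }
}

# Usage, with the variables from the steps above:
#   audit_key_file "$GKE_SA_CREDS" && audit_staged . && git push origin master
```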


Hybrid or even multi-cloud will soon be a reality for many organizations. A strong hybrid cloud solution is needed to realize the advantages of the public cloud and to keep the (operating) effort and costs within reasonable limits.
