This page describes how to set up a Kubernetes cluster on GKE to be used with Spinnaker’s Kubernetes provider. The process is very simple, but you need to do some specific things to allow Spinnaker to authenticate against your cluster.
Note: To manage and create clusters in a given project, you need the
roles/container.adminrole as described here .
If you don’t already have a cluster for this purpose, you can create a Kubernetes cluster on GKE using either gcloud or the the Cloud Console as shown in the official documentation . Third party tools like Terraform work too, and can be used to automate provisioning your clusters.
Follow the instructions shown in the official documentation to download credentials.
Warning! The credentials you’ve downloaded probably rely on calling
gcloud to generate a token and authenticate against your cluster. This means
that the user (e.g.
email@example.com) you’ve configured
authenticate as is making requests against the cluster, instead of a fixed
making these requests.
This is a good thing because it prevents authenticating from a different
machine that hasn’t already authenticated with
gcloud. But it also
complicates configuring Spinnaker because each machine running Spinnaker needs
its own service account.
gcloud checks the permissions of that service
account in order to generate an authentication token.
Given that all pods on GKE share the same service account, granting Spinnaker on GKE permission also grants permission to all pods running alongside Spinnaker. For this reason, we recommend configuring a Kubernetes service account for Spinnaker to authenticate as.
TL;DR Use the credentials you’ve downloaded to create a Kubernetes service account for Spinnaker to authenticate as.