GCP cluster prerequisites
Make sure the following prerequisites are met before you add a GCP cluster in Portworx Backup:
- Installation prerequisites are met
- Stork is on all application clusters
- In GCP console, create a GCP role with the following permissions:
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.localSubjectAccessReviews.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.create
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container.namespaces.updateStatus
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.list
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podDisruptionBudgets.update
container.podDisruptionBudgets.updateStatus
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.secrets.get
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.subjectAccessReviews.list
container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update
container.thirdPartyResources.get
container.thirdPartyResources.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
containeranalysis.notes.list
containeranalysis.notes.listOccurrences
containeranalysis.occurrences.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
Associate this new GCP role with a service account used on the cluster where you want to install Portworx Backup. Save the JSON key for this service account for future reference. Also, select this service account in the node security settings while deploying the cluster where you want to install Portworx Backup.
- Generate Kubeconfig for GCP clusters
- GCP cloud account is added in Portworx Backup
Generate Kubeconfig for GCP clusters
To add a GCP cluster in Portworx Backup, you need kubeconfig details. You can fetch kubeconfig details either through Cloud Shell or gcloud CLI.
Kubeconfig with Cloud Shell
Run the following commands in Cloud Shell to get the kubeconfig data:
1. Disable the new binary plugin for authentication:
   export USE_GKE_GCLOUD_AUTH_PLUGIN=False
   For more information, refer to kubectl authentication in GCP.
2. Connect to your GCP cluster:
   gcloud container clusters get-credentials <gcp-clustername> --zone <zone-name> --project <project-name>
3. Get the kubeconfig for your GCP cluster:
   kubectl config view --flatten --minify
The above steps fetch the required kubeconfig information. In the kubeconfig details, make sure the user section holds data related to auth-provider and not that of exec.
A sample output (fragment from the kubeconfig details) from the users section with auth-provider related data:
users:
- name: <GCP-cluster-name>
  user:
    auth-provider:
      config:
        access-token: <access-token>
        cmd-args: config config-helper --format=json
        cmd-path: /root/gcloud/google-cloud-sdk/bin/gcloud
        expiry: "2023-03-28T13:05:32Z"
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
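The auth-provider versus exec check described above can be scripted before the kubeconfig is pasted into Portworx Backup. The following is an added example, not part of the Portworx documentation; the function names and the two sample kubeconfigs are constructed for illustration, and the expiry check relies only on the expiry field shown in the sample output.

```shell
#!/usr/bin/env bash
# Added example, not from the Portworx documentation. Function names are illustrative.

# Print the credential mechanism in the users section of kubeconfig $1:
# "auth-provider", "exec", "both" or "none".
kubeconfig_auth_mode() {
  awk '
    /^[A-Za-z]/ { in_users = ($0 ~ /^users:/) }  # top-level key opens or closes users
    in_users && /^ +auth-provider:/ { ap = 1 }
    in_users && /^ +exec:/          { ex = 1 }
    END {
      if (ap && ex) print "both"
      else if (ap)  print "auth-provider"
      else if (ex)  print "exec"
      else          print "none"
    }' "$1"
}

# Print the access-token expiry stored in the auth-provider config, if any.
kubeconfig_token_expiry() {
  awk '/^ +expiry:/ { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return 0 only if $1 uses auth-provider and its token is unexpired at $2
# (UTC timestamp, default now). Same-format UTC timestamps sort as strings.
check_kubeconfig() {
  local file="$1" now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}" mode expiry
  mode=$(kubeconfig_auth_mode "$file")
  if [ "$mode" != "auth-provider" ]; then
    echo "users section uses '$mode', expected auth-provider" >&2; return 1
  fi
  expiry=$(kubeconfig_token_expiry "$file")
  if [ -n "$expiry" ] && expr "$expiry" \< "$now" >/dev/null; then
    echo "access token expired at $expiry" >&2; return 2
  fi
  echo "ok: auth-provider, token valid until ${expiry:-unknown}"
}

# Constructed sample kubeconfigs (placeholder values) so the check runs offline.
sample_dir=$(mktemp -d)
printf '%s\n' 'apiVersion: v1' 'users:' '- name: demo' '  user:' \
  '    auth-provider:' '      config:' '        access-token: PLACEHOLDER' \
  '        expiry: "2023-03-28T13:05:32Z"' '      name: gcp' \
  > "$sample_dir/auth-provider.yaml"
printf '%s\n' 'apiVersion: v1' 'users:' '- name: demo' '  user:' '    exec:' \
  '      command: gke-gcloud-auth-plugin' > "$sample_dir/exec.yaml"
check_kubeconfig "$sample_dir/auth-provider.yaml" "2023-03-28T12:00:00Z"
check_kubeconfig "$sample_dir/exec.yaml" || true
```

The flattened kubeconfig embeds the access token, so when saving the output of step 3 to a file for this check, create it with restrictive permissions (for example under umask 077).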
Kubeconfig with gcloud CLI
1. Install the gcloud CLI. Refer to the installation instructions for more details.
2. Initialize the gcloud CLI:
   gcloud init
3. Run the commands listed in steps 1, 2, and 3 of the Kubeconfig with Cloud Shell topic in your gcloud CLI to obtain the kubeconfig details.