Code
https://github.com/cloud-quickstart/gcp-landing-zone
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding
Corporate
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/docs
Prerequisites
For Cloud Interconnect (https://cloud.google.com/network-connectivity/docs/interconnect), make sure the on-prem firewall allows 35.199.192.0/19, the range Cloud DNS uses for managed zones (https://cloud.google.com/dns/docs/zones).
Setup GCP Account for Landing Zone Deployment
Following https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone
Repo https://github.com/GoogleCloudPlatform/blueprints/search?q=anthos
Organization Policies at
Using workspace account containerized.org
Log in as your organization's admin user in a separate Chrome window and navigate to the "Manage resources" pane.
Create GCP folder and project
Select the project from the project dropdown.
CLI
GCP Cloud Shell
Start your Cloud Shell instance via the browser top left bar.
As of this writing (20220119), Cloud Shell has the following versions:
michael@cloudshell:~ (landingzone-stg)$ gcloud --version
Google Cloud SDK 368.0.0
alpha 2022.01.07
app-engine-go 1.9.72
app-engine-java 1.9.93
app-engine-python 1.9.98
app-engine-python-extras 1.9.96
beta 2022.01.07
bigtable
bq 2.0.72
cbt 0.10.2
cloud-build-local 0.5.2
cloud-datastore-emulator 2.1.0
core 2022.01.07
datalab 20190610
gsutil 5.6
kind 0.7.0
kpt 1.0.0-beta.9
local-extract 1.3.2
minikube 1.24.0
pubsub-emulator 0.6.0
skaffold 1.35.1
michael@cloudshell:~ (landingzone-stg)$ terraform --version
Terraform v1.1.3
on linux_amd64
Verify cloud billing is enabled for the project
https://cloud.google.com/billing/docs/how-to/modify-project#confirm_billing_is_enabled_on_a_project
Verify billing for the project either via the console or from the shell, using the alpha billing CLI (https://cloud.google.com/sdk/gcloud/reference/alpha/billing/projects/describe):
michael@cloudshell:~ (landingzone-stg)$ gcloud alpha billing projects describe landingzone-stg | grep billingEnabled
billingEnabled: true
Gcloud Local CLI
You may have an existing gcloud configuration or need a new one; run gcloud init to start.
gcloud init
Settings from your current configuration [default] are:
core:
  account: f...com
  disable_usage_reporting: 'False'
  project: biometric-...

Pick configuration to use:
 [1] Re-initialize this configuration [default] with new settings
 [2] Create a new configuration
Please enter your numeric choice: 2

Enter configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-': c...g
Your current configuration has been set to: [co...g]

Choose the account you would like to use to perform operations for this configuration:
 [1] f...m
 [2] Log in with a new account
Please enter your numeric choice: 2

Your browser has been opened to visit:
    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32.....6

You are logged in as: [m...g].

Pick cloud project to use:
 [1] biometric-dev
 [2] biometric-prd
 [3] biometric-sbx
 [4] landingzone-stg
 [5] Create a new project
Please enter numeric choice or text value (must exactly match list item): 4

Your current project has been set to: [landingzone-stg].

Do you want to configure a default Compute Region and Zone? (Y/n)? y
Which Google Compute Engine zone would you like to use as project default?
If you do not specify a zone via a command line flag while working with Compute Engine resources, the default is assumed.
 [7] us-central1-c
 [50] asia-northeast3-a
Did not print [39] options.
Too many options [89]. Enter "list" at prompt to print choices fully.
Please enter numeric choice or text value (must exactly match list item): us-central1-a

Your project default Compute Engine zone has been set to [us-central1-a].
You can change it by running [gcloud config set compute/zone NAME].

Your project default Compute Engine region has been set to [us-central1].
You can change it by running [gcloud config set compute/region NAME].

Your Google Cloud SDK is configured and ready to use!

* Commands that require authentication will use m...g by default
* Commands will reference project `landingzone-stg` by default
* Compute Engine commands will use region `us-central1` by default
* Compute Engine commands will use zone `us-central1-a` by default

gcloud projects list
PROJECT_ID       NAME             PROJECT_NUMBER
biometric-dev    biometric        40..1
biometric-prd    biometric-prd    2..4
biometric-sbx    biometric-sbx    8..0
landingzone-stg  LandingZone-stg  4..2
https://cloud.google.com/sdk/auth_success
Add nomos, kubectl and kpt
biometric:wse_github michaelobrien$ sudo gcloud components install pkg
Password:
Your current Cloud SDK version is: 369.0.0
Installing components from version: 369.0.0

┌─────────────────────────────────────────────────────────────────────────┐
│                   These components will be installed.                   │
├───────────────────────┬──────────────────────────┬──────────────────────┤
│         Name          │         Version          │         Size         │
├───────────────────────┼──────────────────────────┼──────────────────────┤
│ Appctl                │                   0.1.12 │             18.5 MiB │
│ Kustomize             │                    4.4.0 │              7.6 MiB │
│ Nomos CLI             │              1.10.0-rc.8 │             23.6 MiB │
│ kpt                   │             1.0.0-beta.9 │             12.2 MiB │
└───────────────────────┴──────────────────────────┴──────────────────────┘

For the latest full release notes, please visit:
  https://cloud.google.com/sdk/release_notes

biometric:wse_github michaelobrien$ kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-17T15:48:33Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"darwin/amd64"}
biometric:wse_github michaelobrien$ kpt version
1.0.0-beta.9
Prepare the environment
Install the gcloud alpha commands first (they are pulled in on first use):
biometric:wse_github michaelobrien$ sudo gcloud alpha billing projects describe $PROJECT_ID
Password:
You do not currently have this command group installed.  Using it requires the installation of components: [alpha]

Your current Cloud SDK version is: 369.0.0
Installing components from version: 369.0.0

┌──────────────────────────────────────────────┐
│     These components will be installed.      │
├───────────────────────┬────────────┬─────────┤
│         Name          │  Version   │  Size   │
├───────────────────────┼────────────┼─────────┤
│ gcloud Alpha Commands │ 2022.01.14 │ < 1 MiB │
└───────────────────────┴────────────┴─────────┘

For the latest full release notes, please visit:
  https://cloud.google.com/sdk/release_notes

Do you want to continue (Y/n)?

Restarting command:
  $ gcloud alpha billing projects describe landingzone-stg

For some reason (TBD) billing was flagged as false here, but it was true above:

API [cloudbilling.googleapis.com] not enabled on project [4033...2]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y
Enabling service [cloudbilling.googleapis.com] on project [4033...2]...
Operation "operations/acf.p2-403373923652-306c9a12-d0d3-46df-8ec1-63bcbbe7a100" finished successfully.
billingAccountName: billingAccounts/01..3B
billingEnabled: true
name: projects/landingzone-stg/billingInfo
projectId: landingzone-stg

Then set the variables the tutorial expects:
export PROJECT_ID=landingzone-stg
export CONFIG_CONTROLLER_NAME=config-controller-1
export BILLING_ACCOUNT=$(gcloud alpha billing projects describe $PROJECT_ID \
  '--format=value(billingAccountName)' | sed 's/.*\///')
export ORG_ID=$(gcloud projects get-ancestors ${PROJECT_ID} --format='get(id)' | tail -1)
gcloud config set project ${PROJECT_ID}
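A preflight script for the steps above, added here as an example (it is not part of this page or of the Google tutorial): it parses the billing and ancestor output the exports rely on and refuses to proceed while billingEnabled is not true, which is the state seen before cloudbilling.googleapis.com was enabled. The sample outputs and ids are constructed.

```shell
#!/bin/sh
# Added example (not from the page's tutorial): preflight checks that parse
# the output of the two gcloud calls the page uses, so the config controller
# is only created once billing is confirmed and the org id is known.
# Sample outputs below are constructed; the ids are placeholders.
set -eu

# Exit 0 only when the billing describe output reports billingEnabled: true.
# Input on stdin: YAML from `gcloud alpha billing projects describe PROJECT`.
billing_enabled() {
  grep -q '^billingEnabled: true$'
}

# Print the billing account id, i.e. the part after "billingAccounts/"
# (the same extraction the page does with sed for BILLING_ACCOUNT).
billing_account_id() {
  sed -n 's#^billingAccountName: billingAccounts/##p'
}

# Print the organization id: the last line of
# `gcloud projects get-ancestors PROJECT --format='get(id)'`.
org_id_from_ancestors() {
  tail -n 1
}

# Combined check: $1 is the billing describe output, $2 the ancestors output.
# Prints the two values to export, or returns 1 with a hint when billing is off
# (the page saw billing flagged false until cloudbilling.googleapis.com was enabled).
preflight() {
  if ! printf '%s\n' "$1" | billing_enabled; then
    echo "billing is not enabled on the project; enable cloudbilling.googleapis.com and link a billing account" >&2
    return 1
  fi
  echo "BILLING_ACCOUNT=$(printf '%s\n' "$1" | billing_account_id) ORG_ID=$(printf '%s\n' "$2" | org_id_from_ancestors)"
}

# Constructed sample outputs (placeholder ids, same shape as the page's output).
SAMPLE_BILLING_OK='billingAccountName: billingAccounts/012345-6789AB-CDEF01
billingEnabled: true
name: projects/landingzone-stg/billingInfo
projectId: landingzone-stg'
SAMPLE_BILLING_OFF='billingAccountName: ""
billingEnabled: false
name: projects/landingzone-stg/billingInfo
projectId: landingzone-stg'
SAMPLE_ANCESTORS='landingzone-stg
123456789012
987654321098'
preflight "$SAMPLE_BILLING_OK" "$SAMPLE_ANCESTORS"
```

Against a real project, feed it the live output: `preflight "$(gcloud alpha billing projects describe "$PROJECT_ID")" "$(gcloud projects get-ancestors "$PROJECT_ID" --format='get(id)')"`.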
Setup Config Controller
https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone#setting_up
biometric:wse_github michaelobrien$ gcloud services enable krmapihosting.googleapis.com container.googleapis.com
Operation "operations/acf.p2-403373923652-41504998-20c7-4d4e-8407-e4ba3376d3a8" finished successfully.
biometric:wse_github michaelobrien$ gcloud anthos config controller create ${CONFIG_CONTROLLER_NAME} \
> --location=us-central1
Create request issued for: [config-controller-1]
Waiting for operation [projects/landingzone-stg/locations/us-central1/operations/operation-1642620510039-5d5f464006ea9-1f52e35c-26d7e77a] to complete...⠼

Creation took about 15 min (14:28 to 14:47).

Waiting for operation [projects/landingzone-stg/locations/us-central1/operations/operation-1642620510039-5d5f464006ea9-1f52e35c-26d7e77a] to complete...done.
Created instance [config-controller-1].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-config-controller-1.
biometric:wse_github michaelobrien$ kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-17T15:48:33Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5-gke.1302", GitCommit:"639f3a74abf258418493e9b75f2f98a08da29733", GitTreeState:"clean", BuildDate:"2021-10-21T21:35:48Z", GoVersion:"go1.16.7b7", Compiler:"gc", Platform:"linux/amd64"}
biometric:wse_github michaelobrien$ kubectl get pods --all-namespaces
NAMESPACE                         NAME                                                             READY   STATUS    RESTARTS   AGE
cnrm-system                       cnrm-controller-manager-c7k6ilsgkgt5j1ikibtg-0                   2/2     Running   0          8m2s
cnrm-system                       cnrm-deletiondefender-0                                          1/1     Running   0          7m44s
cnrm-system                       cnrm-resource-stats-recorder-6dfc78996c-cx8rc                    2/2     Running   0          7m45s
cnrm-system                       cnrm-webhook-manager-778cdd84cb-26h9d                            1/1     Running   0          7m25s
cnrm-system                       cnrm-webhook-manager-778cdd84cb-clnpz                            1/1     Running   0          7m45s
config-management-system          config-management-operator-7d5f54c74c-tjc7t                      1/1     Running   0          8m19s
configconnector-operator-system   configconnector-operator-0                                       1/1     Running   0          8m11s
gatekeeper-system                 gatekeeper-audit-6f46754545-bgpkb                                1/1     Running   0          6m40s
gatekeeper-system                 gatekeeper-controller-manager-7f778d8b94-pdvv5                   1/1     Running   0          6m40s
krmapihosting-monitoring          krmapihosting-metrics-agent-2c2l9                                1/1     Running   0          8m16s
krmapihosting-monitoring          krmapihosting-metrics-agent-7flgl                                1/1     Running   0          8m16s
krmapihosting-monitoring          krmapihosting-metrics-agent-gc454                                1/1     Running   0          8m16s
krmapihosting-system              bootstrap-544688568b-zlmp9                                       1/1     Running   2          8m34s
kube-system                       event-exporter-gke-5479fd58c8-kl9jm                              2/2     Running   0          14m
kube-system                       fluentbit-gke-44tpv                                              2/2     Running   0          9m5s
kube-system                       fluentbit-gke-4x5n5                                              2/2     Running   0          9m6s
kube-system                       fluentbit-gke-t6qz5                                              2/2     Running   0          9m13s
kube-system                       gke-metadata-server-4wq2m                                        1/1     Running   0          9m13s
kube-system                       gke-metadata-server-6n9wg                                        1/1     Running   0          9m4s
kube-system                       gke-metadata-server-fvtjr                                        1/1     Running   0          9m5s
kube-system                       gke-metrics-agent-hcqdz                                          1/1     Running   0          9m5s
kube-system                       gke-metrics-agent-v4kxf                                          1/1     Running   0          9m13s
kube-system                       gke-metrics-agent-zmfj2                                          1/1     Running   0          9m6s
kube-system                       kube-dns-697dc8fc8b-cxvsb                                        4/4     Running   0          14m
kube-system                       kube-dns-697dc8fc8b-m8m8m                                        4/4     Running   0          14m
kube-system                       kube-dns-autoscaler-844c9d9448-v7z9s                             1/1     Running   0          14m
kube-system                       kube-proxy-gke-krmapihost-confi-krmapihost-confi-2e7c156a-r3ct   1/1     Running   0          9m12s
kube-system                       kube-proxy-gke-krmapihost-confi-krmapihost-confi-b263dd6a-m0ks   1/1     Running   0          9m5s
kube-system                       kube-proxy-gke-krmapihost-confi-krmapihost-confi-b34ca582-nqwq   1/1     Running   0          9m5s
kube-system                       l7-default-backend-865b4c8f8b-n5qpl                              1/1     Running   0          14m
kube-system                       metrics-server-v0.4.4-857776bc9c-k28zq                           2/2     Running   0          8m39s
kube-system                       netd-hpxw7                                                       1/1     Running   0          9m4s
kube-system                       netd-tzfmn                                                       1/1     Running   0          9m13s
kube-system                       netd-x4c4r                                                       1/1     Running   0          9m5s
kube-system                       pdcsi-node-gbnxn                                                 2/2     Running   0          9m6s
kube-system                       pdcsi-node-nhpxs                                                 2/2     Running   0          9m5s
kube-system                       pdcsi-node-r8wfl                                                 2/2     Running   0          9m13s
resource-group-system             resource-group-controller-manager-5449bc55f4-w88rn               2/2     Running   0          6m40s
biometric:wse_github michaelobrien$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE     VERSION
gke-krmapihost-confi-krmapihost-confi-2e7c156a-r3ct   Ready    <none>   9m30s   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b263dd6a-m0ks   Ready    <none>   9m22s   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b34ca582-nqwq   Ready    <none>   9m23s   v1.21.5-gke.1302
I see the cluster and VMs even though I have not enabled the 30 day trial; investigating, and also going to "Enable" Anthos to be able to receive a separate 30 day $800 US credit.
https://cloud.google.com/anthos-config-management/docs/overview?_ga=2.34170721.-156343137.1641500237
Pausing the Anthos cluster
Cost without the 30 day trial is $70 / 3 days = $23 CAD/day, or a minimum of 700 CAD/month. Deleting the Config Controller instance stops the charge:
biometric:wse_github michaelobrien$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE    VERSION
gke-krmapihost-confi-krmapihost-confi-2e7c156a-r3ct   Ready    <none>   6d3h   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b263dd6a-m0ks   Ready    <none>   6d3h   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b34ca582-nqwq   Ready    <none>   6d3h   v1.21.5-gke.1302
biometric:wse_github michaelobrien$ gcloud anthos config controller list
NAME                                                                            LOCATION     STATE
projects/landingzone-stg/locations/us-central1/krmApiHosts/config-controller-1  us-central1  RUNNING
biometric:wse_github michaelobrien$ gcloud anthos config controller
ERROR: (gcloud.anthos.config.controller) Command name argument expected.

Available commands for gcloud anthos config controller:

      create                  Create Anthos Config Controller instances.
      delete                  Delete Anthos Config Controller instances.
      describe                Describe Anthos Config Controller instances.
      get-credentials         Fetch credentials for a running Anthos Config Controller.
      list                    List Anthos Config Controller instances.

biometric:wse_github michaelobrien$ gcloud anthos config controller delete config-controller-1 --location=us-central1
You are about to delete instance [config-controller-1]

Do you want to continue (Y/n)?  y

Delete request issued for: [config-controller-1]
Waiting for operation [projects/landingzone-stg/locations/us-central1/operations/operation-1643151730836-5d670133a8272-66185ae0-de0c320e] to complete...⠼
Guardrails
Region Restriction
Use the regional (Canadian) Cloud Run endpoints so that requests stay in-region:
https://northamerica-northeast1-run.googleapis.com
https://northamerica-northeast2-run.googleapis.com
Links
https://github.com/GoogleCloudPlatform/gcp-fedramp-quickstart
1 Comment
Michael O'Brien
Notes:
projects that disable automatic role grants for default service accounts