How to install the Google Config Connector

In order to bind the Service Account from Kubernetes with the Service Account from Google Cloud Platform, you need to install the Google Config Connector on your cluster.

Google documents this process in “Installing, upgrading, and uninstalling Config Connector”, but we’ll also take all the steps one by one in this tutorial.

We will install Config Connector with a GKE Workload Identity.

Prerequisites

  1. You need the gcloud command-line tool and kubectl installed on your local computer.

  2. Go to the Google Cloud Console and ensure that you have enabled the Google Kubernetes Engine API.

  3. Open your cluster’s details and note down the region and the ID of the project where the cluster was created.

  4. Set your default project ID:

    gcloud config set project [PROJECT_ID]

  5. If you are working with regional clusters, set your default compute region:

    gcloud config set compute/region [COMPUTE_REGION]

  6. Update gcloud to the latest version:

    gcloud components update

  7. Configure kubectl to connect to your clusters. Follow the steps for GKE clusters or GKE On-Prem clusters.

Create an Identity

Setting up the identity involves the following steps:

  1. Create the cnrm-system Service Account with gcloud:

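    gcloud iam service-accounts create cnrm-system

  2. Give the IAM Service Account elevated permissions on your project. The roles/owner role grants full control over the project, so anything able to act as cnrm-system inherits that access: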

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member="serviceAccount:cnrm-system@[PROJECT_ID].iam.gserviceaccount.com" \
    --role="roles/owner"

  3. Create a Cloud IAM policy binding between the IAM Service Account and the predefined Kubernetes service account that Config Connector (KCC) runs as:

    gcloud iam service-accounts add-iam-policy-binding cnrm-system@[PROJECT_ID].iam.gserviceaccount.com \
    --member="serviceAccount:[PROJECT_ID].svc.id.goog[cnrm-system/cnrm-controller-manager]" \
    --role="roles/iam.workloadIdentityUser"
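
A check to run after step 3, added here as an example and not taken from the original tutorial or from Google's documentation: it reads the bindings on the cnrm-system service account and confirms that the Workload Identity member bound above is the only principal allowed to act as it. The project `demo-project`, the user `dev@example.com`, the sample bindings and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit who may act as the cnrm-system Google service account.
# Input is one "role<TAB>member" line per binding, the shape printed by:
#   gcloud iam service-accounts get-iam-policy \
#     cnrm-system@[PROJECT_ID].iam.gserviceaccount.com \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"

# Print the single Workload Identity member that step 3 binds.
expected_member() {
  printf 'serviceAccount:%s.svc.id.goog[cnrm-system/cnrm-controller-manager]\n' "$1"
}

# Read the bindings on stdin. Prints UNEXPECTED for every principal other
# than the expected one, then OK or MISSING for the expected binding.
# Exit status is 0 only when the expected binding is the sole entry.
audit_bindings() {
  awk -F '\t' -v want="$(expected_member "$1")" '
    $1 == "roles/iam.workloadIdentityUser" && $2 == want { found = 1; next }
    NF >= 2 { print "UNEXPECTED", $1, $2; extra++ }
    END {
      status = found ? "OK" : "MISSING"
      print status, want
      exit ((found && !extra) ? 0 : 1)
    }'
}

# Constructed sample for a hypothetical project "demo-project": the correct
# binding, a binding for the wrong namespace, and a user who can mint tokens.
sample_policy() {
  printf '%s\t%s\n' \
    roles/iam.workloadIdentityUser \
    'serviceAccount:demo-project.svc.id.goog[cnrm-system/cnrm-controller-manager]' \
    roles/iam.workloadIdentityUser \
    'serviceAccount:demo-project.svc.id.goog[default/cnrm-controller-manager]' \
    roles/iam.serviceAccountTokenCreator \
    'user:dev@example.com'
}

sample_policy | audit_bindings demo-project || echo "review the bindings listed above"
```

To audit a real project, pipe the output of the gcloud command shown in the header comment into `audit_bindings [PROJECT_ID]`.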

Deploying Config Connector

  1. Download the latest installation bundle tarball:

    curl -X GET -sLO \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    --location-trusted \
    https://us-central1-cnrm-eap.cloudfunctions.net/download/latest/infra/install-bundle-with-workload-identity.tar.gz

  2. Extract the tar file:

    tar zxvf install-bundle-with-workload-identity.tar.gz

  3. Replace ${PROJECT_ID?} with your project ID in the installation manifest:

    sed -i 's/${PROJECT_ID?}/[PROJECT_ID]/' install-bundle/0-cnrm-system.yaml

  4. Apply the manifests to your cluster:

    kubectl apply -f install-bundle/

You might need to connect to the cluster before you apply the manifests. In your cluster details, press «Connect», then copy and run the command line shown there.

Verify Your Installation

Config Connector runs a single system process named cnrm-system. You can verify that the pod for this process has a STATUS of Running by executing the following command:

    kubectl wait -n cnrm-system \
    --for=condition=Initialized pod \
    cnrm-controller-manager-0

If Config Connector is installed correctly, the output is similar to the following:

    pod/cnrm-controller-manager-0 condition met

Now you can continue with the other prerequisites before installing the Presslabs Dashboard.