
Google Kubernetes Services (GCP) Deployment Example

This how-to guide is an example GCP Kubernetes deployment. This is not the only way to deploy a Kubernetes cluster.

Security

Follow your organization's security requirements for Kubernetes clusters.

Setup Summary

The following GCP resources are used in this example deployment.

  • GCP Authentication

  • GCP Service Account

  • Google Cloud Storage

  • Google Kubernetes Engine

    Enable GKE

    Google Kubernetes Engine must be enabled for the project you want to use.

Other tools needed

To deploy a HiddenLayer product to a Kubernetes cluster, you may need the following:

GCP Authentication

  1. Authenticate the GCP CLI to your GCP tenant.

    gcloud init

    a. If you want to authorize the gcloud CLI on a machine that doesn't have a browser, use the following command. It provides a URL to copy and paste to get a verification code.

    gcloud init --console-only
  2. A web browser opens, and you need to verify your login. After logging in, you may need to select a project to use.

    gcloud auth login

    a. If you want to use gcloud Auth Login on a machine that doesn't have a browser, use the following command. It provides a URL to copy and paste to get a verification code.

    gcloud auth login --no-launch-browser
  3. You can change the project for the GCP CLI at any point by using the following command.

    gcloud config set project <project_id>
  4. Find the GCP compute zone. Note: this should be the zone the model scanner will be deployed to; you will provide the zone name in the following steps.

    gcloud compute zones list
  5. Replace <zone> with your desired compute zone.

    gcloud config set compute/zone <zone>

Service Account


  1. Create a Service Account (SA). The command below creates a service account named hl-modelscanner-sa with the display name “HL Model Scanner Service Account”.

    gcloud iam service-accounts create hl-modelscanner-sa --display-name "HL Model Scanner Service Account"

  2. Download the JSON key for the Service Account created above. Replace <your-project-id> with your GCP Project ID.

    gcloud iam service-accounts keys create ~/gcs.json --iam-account hl-modelscanner-sa@<your-project-id>.iam.gserviceaccount.com
    JSON File Output

    This command writes a JSON file containing your key.

    File Download

    Pay attention to where this file is written, as it will be needed later in setup as <pathtocredentialfile>.

  3. Assign the following roles and permissions to the SA. Replace <your-project-id> with your GCP Project ID in each role assignment.

    gcloud projects add-iam-policy-binding <your-project-id> \
        --member "serviceAccount:hl-modelscanner-sa@<your-project-id>.iam.gserviceaccount.com" \
        --role "roles/storage.objectUser"
    
    gcloud projects add-iam-policy-binding <your-project-id> \
        --member "serviceAccount:hl-modelscanner-sa@<your-project-id>.iam.gserviceaccount.com" \
        --role "roles/storage.objectViewer"
    
    gcloud projects add-iam-policy-binding <your-project-id> \
        --member "serviceAccount:hl-modelscanner-sa@<your-project-id>.iam.gserviceaccount.com" \
        --role "roles/storage.objectCreator"
    IAM Policy Binding

    In each IAM policy binding (there are three bindings), there are two places to replace <your-project-id>.
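The three Service Account steps above, wrapped in a script that refuses to run while any <placeholder> is still unreplaced and creates the key file owner-readable only. This is an added example, not part of the HiddenLayer guide; it assumes gcloud is installed and already authenticated, and the SA name, roles and default key path are the ones given in the steps.

```shell
#!/bin/sh
# Added example, not part of the HiddenLayer guide: wraps steps 1-3 above so that
# unreplaced <placeholders> are rejected before any gcloud command runs and the
# downloaded key file is created owner-readable only. Assumes gcloud is installed
# and already authenticated (see "GCP Authentication").
set -eu

SA_NAME="hl-modelscanner-sa"
SA_DISPLAY="HL Model Scanner Service Account"
ROLES="roles/storage.objectUser roles/storage.objectViewer roles/storage.objectCreator"

# Fail if a value is empty or still looks like an unreplaced <placeholder>.
require_no_placeholder() {
  case "$1" in
    "")        echo "error: empty value" >&2; return 1 ;;
    *'<'*'>'*) echo "error: '$1' still contains a <placeholder>" >&2; return 1 ;;
  esac
}

# Service account e-mail used by the key and IAM binding commands; $1 is the project ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$1"
}

# Create the SA, download its key to $2 (default ~/gcs.json) and add the three bindings.
create_model_scanner_sa() {
  project="$1"
  key_file="${2:-$HOME/gcs.json}"
  require_no_placeholder "$project"
  email=$(sa_email "$project")

  gcloud iam service-accounts create "$SA_NAME" \
    --display-name "$SA_DISPLAY" --project "$project"

  # The JSON key is a long-lived credential: umask 077 makes the new file mode 0600.
  ( umask 077 && gcloud iam service-accounts keys create "$key_file" --iam-account "$email" )

  for role in $ROLES; do
    gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" --role "$role" >/dev/null
  done
  echo "key written to $key_file; use this path as <pathtocredentialfile> later"
}

# Usage: sh this_script.sh <your-project-id> [key-file]
if [ $# -gt 0 ]; then
  create_model_scanner_sa "$@"
fi
```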

Google Cloud Storage (GCS)

  1. Create a GCS bucket, if one doesn’t exist. Replace <project-id> with your designated project, <region> with the preferred region of your bucket, and <bucket-name> with the chosen name of your bucket.

    a. Remember GCS Bucket names must be globally unique across all of Google Cloud.

    gsutil mb -p <project-id> -l <region> gs://<bucket-name>/
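A local check of the bucket name against the GCS naming rules before the gsutil mb command in step 1 runs, so a name that the service would reject is caught first. This is an added example, not part of the HiddenLayer guide; it assumes gsutil is installed and authenticated, and global uniqueness itself can only be confirmed by the service (gsutil mb fails if the name is taken).

```shell
#!/bin/sh
# Added example, not part of the HiddenLayer guide: checks a bucket name against
# the GCS naming rules locally before running the gsutil mb command from step 1.
# Global uniqueness can only be confirmed by the service itself; gsutil mb fails
# if the name is already taken. Assumes gsutil is installed and authenticated.
set -eu
LC_ALL=C; export LC_ALL   # makes [a-z] ranges ASCII-only regardless of locale

# Return 0 if NAME satisfies the GCS bucket naming rules, 1 (with a reason) otherwise.
# Applies the 63-character limit that holds for names without dots.
validate_bucket_name() {
  name="$1"
  if [ "${#name}" -lt 3 ] || [ "${#name}" -gt 63 ]; then
    echo "bucket name must be 3-63 characters" >&2; return 1
  fi
  case "$name" in
    *'<'*'>'*)
      echo "name still contains a <placeholder>" >&2; return 1 ;;
    *[!a-z0-9._-]*)
      echo "only lowercase letters, digits, '-', '_' and '.' are allowed" >&2; return 1 ;;
    [!a-z0-9]*|*[!a-z0-9])
      echo "name must start and end with a letter or digit" >&2; return 1 ;;
    goog*|*google*)
      echo "names starting with 'goog' or containing 'google' are reserved" >&2; return 1 ;;
  esac
  return 0
}

# Create the bucket only after the name passes validation; $1 project, $2 region, $3 name.
create_bucket() {
  validate_bucket_name "$3"
  gsutil mb -p "$1" -l "$2" "gs://$3/"
}

# Usage: sh this_script.sh <project-id> <region> <bucket-name>
if [ $# -eq 3 ]; then
  create_bucket "$@"
fi
```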

Google Kubernetes Engine (GKE)


  1. Create a GKE cluster, if one doesn’t exist.

    • Replace <zone> with a compute zone and <cluster-name> with the preferred name of your cluster.
    • If you’ve never activated the Kubernetes Engine service in this GCP project before, this step fails with: ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Kubernetes Engine API has not been used in project <projectid> before or it is disabled.
    • If this happens, enable the API by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project=<projectid> (the error message includes this link), then retry the command.
    gcloud container clusters create <cluster-name> \
        --zone <zone> \
        --num-nodes 2 \
        --enable-autoupgrade \
        --enable-autorepair
  2. Fetch the kubeconfig for the GKE cluster.

    Replace <cluster-name> with the name of the GKE cluster, the <zone> with your compute zone of the cluster, and <your-project-id> with your Project ID.

    gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <your-project-id>
    Update Kubeconfig

    This command updates your kubeconfig file to work with the GKE cluster.

  3. Create the modelscanner namespace and add your auth file (the <pathtocredentialfile> from the Service Account section) to GKE.

    kubectl create namespace modelscanner --dry-run=client -o yaml | kubectl apply -f -
    kubectl create secret generic google-application-credentials --from-file=<pathtocredentialfile> -n modelscanner
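Step 3 above, guarded so that the namespace and credentials secret are only created when kubectl's current context is the cluster fetched in step 2, not whatever cluster happened to be selected. This is an added example, not part of the HiddenLayer guide; it assumes gcloud and kubectl are installed and steps 1 and 2 have been run, and the project, zone, cluster and key path are supplied as arguments.

```shell
#!/bin/sh
# Added example, not part of the HiddenLayer guide: performs step 3 above only
# after confirming that kubectl's current context is the GKE cluster fetched in
# step 2, so the credentials Secret cannot be applied to the wrong cluster.
# Assumes gcloud and kubectl are installed and steps 1-2 have been completed.
set -eu

NAMESPACE="modelscanner"
SECRET_NAME="google-application-credentials"

# Context name that `gcloud container clusters get-credentials` writes into kubeconfig.
gke_context_name() {
  printf 'gke_%s_%s_%s\n' "$1" "$2" "$3"   # project ID, zone, cluster name
}

# Key under which the file is stored inside the Secret: kubectl uses the file's basename.
secret_key_for() {
  basename "$1"
}

# $1 project ID, $2 zone, $3 cluster name, $4 path to the JSON key (<pathtocredentialfile>).
install_credentials_secret() {
  expected=$(gke_context_name "$1" "$2" "$3")
  current=$(kubectl config current-context)
  if [ "$current" != "$expected" ]; then
    echo "refusing to continue: current context is '$current', expected '$expected'" >&2
    echo "run: gcloud container clusters get-credentials $3 --zone $2 --project $1" >&2
    return 1
  fi
  [ -r "$4" ] || { echo "key file '$4' is not readable" >&2; return 1; }

  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

  # Never overwrite an existing Secret silently; delete it first if the key was rotated.
  if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" >/dev/null 2>&1; then
    echo "secret $SECRET_NAME already exists in namespace $NAMESPACE; leaving it unchanged"
    return 0
  fi
  kubectl create secret generic "$SECRET_NAME" --from-file="$4" -n "$NAMESPACE"
  echo "created secret $SECRET_NAME with key '$(secret_key_for "$4")' in namespace $NAMESPACE"
}

# Usage: sh this_script.sh <your-project-id> <zone> <cluster-name> <pathtocredentialfile>
if [ $# -eq 4 ]; then
  install_credentials_secret "$@"
fi
```

The key name inside the Secret is the file's basename (gcs.json for the path used in the Service Account section), which is what any mount of the Secret will expose.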