# Google Kubernetes Services (GCP) Deployment Example

This how-to guide is an example GCP Kubernetes deployment. This is not the only way to deploy a Kubernetes cluster.

**Security**: Follow your organization's security requirements for Kubernetes clusters.

## Setup Summary

The following GCP resources are used in this example deployment.

- GCP Authentication
- GCP Service Account
- Google Cloud Storage
- Google Kubernetes Engine

Google Kubernetes Engine must be enabled for the project you want to use.

### Other tools needed

To deploy a HiddenLayer product to a Kubernetes cluster, you may need the following:

- Google Cloud SDK
- Google Cloud Configure Cluster Access

## GCP Authentication

1. Authenticate the GCP CLI to your GCP tenant.

   ```
   gcloud init
   ```

   a. If you want to authorize the gcloud CLI on a machine that doesn't have a browser, use the following command. It provides a URL to copy and paste to get a verification code.

   ```
   gcloud init --console-only
   ```

2. A web browser opens, and you need to verify your login. After logging in, you may need to select a project to use.

   ```
   gcloud auth login
   ```

   a. If you want to use gcloud auth login on a machine that doesn't have a browser, use the following command. It provides a URL to copy and paste to get a verification code.

   ```
   gcloud auth login --no-launch-browser
   ```

3. You can change the project for the GCP CLI at any point by using the following command.

   ```
   gcloud config set project
   ```

4. Find the GCP Compute Zone.

   Note: This should be the zone the model scanner will be deployed to; you will provide the zone name in the following steps.

   ```
   gcloud compute zones list
   ```

5. Replace `` with your desired compute zone.

   ```
   gcloud config set compute/zone
   ```

## Service Account

**Note**: Instructions for Windows systems will be available soon.

### macOS

1. Create a Service Account (SA).
   The command below will create a service account with the name hl-modelscanner-sa and the display name "HL Model Scanner Service Account".

   ```
   gcloud iam service-accounts create hl-modelscanner-sa --display-name "HL Model Scanner Service Account"
   ```

2. Download the JSON key for your Service Account created above. Replace `` with your GCP Project ID.

   ```
   gcloud iam service-accounts keys create ~/gcs.json --iam-account hl-modelscanner-sa@.iam.gserviceaccount.com
   ```

   This command writes a JSON file containing your key. Pay attention to where this file is downloaded, as it will be needed later in setup as ``.

3. Assign the following roles and permissions to the SA. Replace `` with your GCP Project ID in each role assignment.

   ```
   gcloud projects add-iam-policy-binding \
     --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" \
     --role "roles/storage.objectUser"
   gcloud projects add-iam-policy-binding \
     --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" \
     --role "roles/storage.objectViewer"
   gcloud projects add-iam-policy-binding \
     --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" \
     --role "roles/storage.objectCreator"
   ```

   In each IAM policy binding (there are three bindings), there are two places to replace ``.

### Windows

1. Create a Service Account (SA).

   The command below will create a service account with the name hl-modelscanner-sa and the display name "HL Model Scanner Service Account".

   ```
   gcloud iam service-accounts create hl-modelscanner-sa --display-name "HL Model Scanner Service Account"
   ```

2. Download the JSON key for your Service Account created above. Replace `` with your GCP Project ID.

   ```
   gcloud iam service-accounts keys create ./gcs.json --iam-account hl-modelscanner-sa@.iam.gserviceaccount.com
   ```

   This command writes a JSON file containing your key. Pay attention to where this file is downloaded, as it will be needed later in setup as ``.

3. Assign the following roles and permissions to the SA.
   Replace `` with your GCP Project ID in each role assignment.

   ```
   gcloud projects add-iam-policy-binding --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" --role "roles/storage.objectUser"
   gcloud projects add-iam-policy-binding --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" --role "roles/storage.objectViewer"
   gcloud projects add-iam-policy-binding --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" --role "roles/storage.objectCreator"
   ```

   In each IAM policy binding (there are three bindings), there are two places to replace ``.

### Ubuntu

1. Create a Service Account (SA).

   The command below will create a service account with the name hl-modelscanner-sa and the display name "HL Model Scanner Service Account".

   ```
   gcloud iam service-accounts create hl-modelscanner-sa --display-name "HL Model Scanner Service Account"
   ```

2. Download the JSON key for your Service Account created above. Replace `` with your GCP Project ID.

   ```
   gcloud iam service-accounts keys create ~/gcs.json --iam-account hl-modelscanner-sa@.iam.gserviceaccount.com
   ```

   This command writes a JSON file containing your key. Pay attention to where this file is downloaded, as it will be needed later in setup as ``.

3. Assign the following roles and permissions to the SA. Replace `` with your GCP Project ID in each role assignment.

   ```
   gcloud projects add-iam-policy-binding \
     --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" \
     --role "roles/storage.objectUser"
   gcloud projects add-iam-policy-binding \
     --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" \
     --role "roles/storage.objectViewer"
   gcloud projects add-iam-policy-binding \
     --member "serviceAccount:hl-modelscanner-sa@.iam.gserviceaccount.com" \
     --role "roles/storage.objectCreator"
   ```

   In each IAM policy binding (there are three bindings), there are two places to replace ``.

## Google Cloud Storage (GCS)

1. Create a GCS bucket, if one doesn't exist.
   Replace `` with your designated project, `` with the preferred region of your bucket, and `` with the chosen name of your bucket.

   a. Remember that GCS bucket names must be globally unique across all of Google Cloud.

   ```
   gsutil mb -p -l gs:///
   ```

## Google Kubernetes Engine (GKE)

### macOS

1. Create a GKE cluster, if one doesn't exist.

   - Replace `` with a compute zone and `` with the preferred name of your cluster.
   - If you've never activated the Kubernetes service in GCP before, this step fails with an error like the following:

     ```
     ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Kubernetes Engine API has not been used in project `` before or it is disabled.
     Enable it by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project= then retry.
     ```

   - If this happens, follow the provided link, enable Kubernetes Engine, and retry.

   ```
   gcloud container clusters create \
     --zone \
     --num-nodes 2 \
     --enable-autoupgrade \
     --enable-autorepair
   ```

2. Fetch the kubeconfig for the GKE cluster. Replace `` with the name of the GKE cluster, `` with the compute zone of the cluster, and `` with your Project ID.

   ```
   gcloud container clusters get-credentials --zone --project
   ```

   This command updates your kubeconfig file to work with the GKE cluster.

3. Create the modelscanner namespace and add your auth file to GKE as a secret.

   ```
   kubectl create namespace modelscanner --dry-run=client -o yaml | kubectl apply -f -
   kubectl create secret generic google-application-credentials --from-file= -n modelscanner
   ```

### Windows

1. Create a GKE cluster, if one doesn't exist.

   - Replace `` with a compute zone and `` with the preferred name of your cluster.
   - If you've never activated the Kubernetes service in GCP before, this step fails with an error like the following:

     ```
     ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Kubernetes Engine API has not been used in project `` before or it is disabled.
     Enable it by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project= then retry.
     ```

   - If this happens, follow the provided link, enable Kubernetes Engine, and retry.

   ```
   gcloud container clusters create --zone --num-nodes 2 --enable-autoupgrade --enable-autorepair
   ```

2. Fetch the kubeconfig for the GKE cluster. Replace `` with the name of the GKE cluster, `` with the compute zone of the cluster, and `` with your Project ID.

   ```
   gcloud container clusters get-credentials --zone --project
   ```

   This command updates your kubeconfig file to work with the GKE cluster.

3. Create the modelscanner namespace and add your auth file to GKE as a secret.

   ```
   kubectl create namespace modelscanner --dry-run=client -o yaml | kubectl apply -f -
   kubectl create secret generic google-application-credentials --from-file= -n modelscanner
   ```

### Ubuntu

1. Create a GKE cluster, if one doesn't exist.

   - Replace `` with a compute zone and `` with the preferred name of your cluster.
   - If you've never activated the Kubernetes service in GCP before, this step fails with an error like the following:

     ```
     ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Kubernetes Engine API has not been used in project `` before or it is disabled.
     Enable it by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project= then retry.
     ```

   - If this happens, follow the provided link, enable Kubernetes Engine, and retry.

   ```
   gcloud container clusters create \
     --zone \
     --num-nodes 2 \
     --enable-autoupgrade \
     --enable-autorepair
   ```

2. Fetch the kubeconfig for the GKE cluster. Replace `` with the name of the GKE cluster, `` with the compute zone of the cluster, and `` with your Project ID.
   ```
   gcloud container clusters get-credentials --zone --project
   ```

   This command updates your kubeconfig file to work with the GKE cluster.

3. Create the modelscanner namespace and add your auth file to GKE as a secret.

   ```
   kubectl create namespace modelscanner --dry-run=client -o yaml | kubectl apply -f -
   kubectl create secret generic google-application-credentials --from-file= -n modelscanner
   ```
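The key file downloaded in the Service Account section is the same file that step 3 above loads into the cluster as the `google-application-credentials` secret, so it is worth confirming it is the intended credential first. The script below is an added example, not part of the HiddenLayer guide; it assumes the key path and GCP Project ID are passed as arguments, that the SA is the `hl-modelscanner-sa` account the guide creates, that either GNU or BSD `stat` is available, and it uses a constructed placeholder key for the stand-alone run.

```shell
#!/bin/sh
# Added example, not part of the HiddenLayer guide: validate the downloaded
# service-account key (~/gcs.json in the guide) before it becomes the
# google-application-credentials secret in the modelscanner namespace.
# Assumptions: key path is $1 and GCP project ID is $2; the SA name
# hl-modelscanner-sa is the one the guide creates.

# Returns 0 when the file is a service-account key for the expected SA and
# is readable only by its owner; otherwise prints the reason and returns 1.
check_sa_key() {
  key="$1"; project="$2"
  expected="hl-modelscanner-sa@${project}.iam.gserviceaccount.com"
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  # Must be an SA key, not a user credential or some other JSON file.
  grep -qF '"type": "service_account"' "$key" \
    || { echo "$key is not a service_account key" >&2; return 1; }
  # Must belong to the SA created in this guide, in the intended project.
  grep -qF "\"client_email\": \"${expected}\"" "$key" \
    || { echo "client_email in $key is not ${expected}" >&2; return 1; }
  # A private key on disk should be owner read/write only (mode 600).
  # GNU stat (-c) is tried first, BSD/macOS stat (-f) as the fallback.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  [ "$mode" = "600" ] \
    || { echo "$key has mode $mode, expected 600" >&2; return 1; }
  return 0
}

# Writes a constructed sample key (placeholder values, not a real credential)
# so the check can be exercised without contacting GCP.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "hl-modelscanner-sa@example-project.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  chmod 600 "$1"
}

# Stand-alone use: sh check_sa_key.sh ~/gcs.json <PROJECT_ID>  (hypothetical file name)
if [ "$#" -ge 2 ]; then
  check_sa_key "$1" "$2" && echo "OK: $1 is a valid key for project $2"
fi
```

Run it against the real `gcs.json` with your Project ID before the `kubectl create secret` command; a non-zero exit means the file should not go into the cluster as-is.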