Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Integrate Oracle Cloud Infrastructure Container Engine for Kubernetes with Google Anthos

Introduction

Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) is a powerful solution for organizations looking to modernize their infrastructure and adopt a cloud-native approach to application development and deployment. With automatic scaling, upgrades, and security patching, OKE ensures reliable operations for both the control plane and worker nodes, further reducing the management burden. On the other hand, Google Anthos is a hybrid and multicloud platform that enables organizations to manage and deploy applications across different environments seamlessly.

The integration of OKE and Google Anthos brings together the best of both worlds, allowing users to leverage the benefits of both services to achieve a highly scalable, secure, flexible container orchestration solution, and reduce costs. With this integration, users can easily deploy and manage containerized applications across multiple clouds and on-premises environments.

Objectives

Integrate OKE with Google Anthos.

Prerequisites

• Sign up or Sign in to your Oracle Cloud Infrastructure (OCI) account.
• Sign up or Sign in to a Google Cloud Platform (GCP) account.
• Google Anthos enabled in the GCP account.

Task 1: Create a Kubernetes cluster in OCI

1. Click the navigation menu near the upper left corner of the web console.

2. Go to Developer Services and then click Kubernetes Clusters (OKE).

3. Select the Create cluster option.

4. Select the Quick create option and click Submit.

   Note: This will create all the necessary resources to deploy an OKE cluster.

5. Enter the name, select the compartment for this cluster, and select the Node Type as Managed.

6. (Optional) You can also choose the shape, image and number of Nodes.

7. Click Next twice and then click Create.

Task 2: Register the cluster in OCI Cloud Shell

• After the cluster is created, you must register this cluster in the ~/.kube/config file inside the OCI Cloud Shell.

• Go to the cluster and select the Access Cluster option.

• This will open a new window with the steps about how to access the cluster from the OCI Cloud Shell. Follow the steps.

Task 3: Create a service account

• Once the cluster has been registered to your OCI Cloud Shell, you can access and interact with this cluster.

• To create the service account, follow steps 2-4 from this documentation: Adding a Service Account Authentication Token to a Kubeconfig File.

Task 4: Register the cluster again in OCI Cloud Shell

After the service account is created, you must again register the cluster in OCI Cloud Shell. To keep things easier and cleaner, create a backup of the current config before proceeding to the next steps.

1. To create a backup of the ~/.kube/config, open the OCI Cloud Shell.

2. Execute the following command:

   mv ~/.kube/config ~/.kube/config.bkp

3. Follow the steps from Task 2: Register the cluster in OCI Cloud Shell.

Task 5: Copy the ~/.kube/config from OCI to GCP

Copy the ~/.kube/config file recreated in Task 4: Register the cluster again in OCI Cloud Shell to the GCP Cloud Shell.

1. Copy the contents of the cat ~/.kube/config file, select all content in the OCI Cloud Shell and press ctrl+c (copy).

2. Go to the GCP Cloud Shell and execute the vim ~/.kube/config command, go to the bottom of the config file, and press ctrl+v (paste).

Task 6: Verify the connection in GCP

• Once you have the config file entry in place, verify if the connection is working. Execute the following command in both GCP and OCI Cloud Shell.

  kubectl get nodes

• If the IPs match then everything is in order, if they do not, try repeating Task 5: Copy the ~/.kube/config from OCI to GCP again.

Task 7: Obtain the TOKEN from OCI

Obtain the TOKEN generated in Task 3: Create a service account.

1. Execute the following command in OCI Cloud Shell:

   TOKEN=`kubectl -n kube-system get secret oke-kubeconfig-sa-token -o jsonpath='{.data.token}' | base64 --decode

2. After you obtain the code, execute the following command.

   echo $TOKEN and copy the token.

3. Go to the GCP Cloud Shell and create a variable named token.

   TOKEN="|the token you copied|"

4. Execute steps 6-7 from this documentation: Adding a Service Account Authentication Token to a Kubeconfig File in the GCP Cloud Shell.

   Note: For the remaining tasks, we will only use GCP.

Task 8: Create a service account in GCP and obtain the JSON key

1. Open the GCP Cloud Shell.

2. Execute the following command to create a service account named connect-register-sa.

   gcloud iam service-accounts create connect-register-sa --project PROJECT_ID

   Note: Replace PROJECT_ID with the ID of the Cloud project in GCP that you want to be the parent of your connect-register-sa service account.

3. Execute the following command to create the JSON key.

   gcloud iam service-accounts keys create connect-register-key.json --iam-account SERVICE_ACCOUNT_EMAIL

   Note: Replace SERVICE_ACCOUNT_EMAIL with the email address of your connect-register-sa service account.

Task 9: Grant the required permissions to the service account

For the gpc-cloud-agent, that will be installed in the OKE cluster, to communicate with GCP Anthos, we need to grant some additional permissions to the service account we just created.

1. Execute the following command to grant the gkehub.editor permission.

   gcloud projects add-iam-policy-binding FLEET_HOST_PROJECT_ID --member "serviceAccount:SERVICE_ACCOUNT_EMAIL" --role "roles/gkehub.editor"

   Note: Replace FLEET_HOST_PROJECT_ID with your GCP PROJECT_ID and SERVICE_ACCOUNT_EMAIL with the email of your connect-register-sa service account.

2. Execute the following command to grant the gkehub.connect permission.

   gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SERVICE_ACCOUNT_EMAIL --role "roles/gkehub.connect"

   Note: Replace PROJECT_ID with your GCP PROJECT_ID and SERVICE_ACCOUNT_EMAIL with the email of your connect-register-sa service account.

Task 10: Register the OKE cluster in GCP Anthos

Once we have all permissions in place, we can proceed with the registration of the OKE cluster in Google Anthos.

1. Go to Google Anthos.

2. Select Clusters and then select the REGISTER EXISTING CLUSTER option.

3. Click ADD EXTERNAL CLUSTER.

4. Select a cluster name, location, provider, and click GENERATE REGISTRATION COMMAND.

5. Copy the command and replace the cluster-context with the OKE cluster-context (this can be found in the ~/.kube/config file), replace the service-account-key-file path with the path to the JSON file created at Task 8: Create a service account in GCP and obtain the JSON key(connect-register-key.json), and finally replace the kubeconfig file path (usually it is ~/.kube/config).

6. Execute the command in the GCP Cloud Shell.

Task 11: Log in to the OKE cluster

• After the registration of the OKE cluster in Anthos is complete, you need to login into the cluster from Anthos.

• You can log in to the cluster by using the TOKEN generated in Task 3: Create a service account.

Related Links

• Overview of Container Engine for Kubernetes

• Adding a Service Account Authentication Token to a Kubeconfig File

Acknowledgments

• Author - Dragos Nicu (Senior Cloud Engineer)

• Contributor - Andrei Ilas (Principal Cloud Architect)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Integrate Oracle Cloud Infrastructure Container Engine for Kubernetes with Google Anthos

F80662-01

April 2023

Copyright © 2023, Oracle and/or its affiliates.