Creating a new Service Account

K10 requires a newly created service account with the following role:

roles/compute.storageAdmin

Note

Currently, the Google Service Account key needs to be created in the same GCP account as the GKE cluster.

The following steps should be used to create the service account and add the required permissions:

$ myproject=$(gcloud config get-value core/project)
$ gcloud iam service-accounts create k10-test-sa --display-name "K10 Service Account"
$ k10saemail=$(gcloud iam service-accounts list --filter "k10-test-sa" --format="value(email)")
$ gcloud iam service-accounts keys create --iam-account="${k10saemail}" k10-sa-key.json
$ gcloud projects add-iam-policy-binding "${myproject}" --member "serviceAccount:${k10saemail}" --role roles/compute.storageAdmin

Installing K10 with the new Service Account

Use the base64 tool to encode the k10-sa-key.json file generated above and install K10 with the newly created credentials.

$ sa_key=$(base64 -w0 k10-sa-key.json)
$ helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey="$sa_key"

Using a custom Project ID

If the Google Service Account belongs to a project other than the one in which the cluster is located, then the cluster's project ID must also be provided during the installation.

$ sa_key=$(base64 -w0 k10-sa-key.json)
$ helm install k10 kasten/k10 \
      --namespace=kasten-io \
      --set secrets.googleApiKey="$sa_key" \
      --set secrets.googleProjectId=<project-id>
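
The project ID rule above can be checked before running helm. The following is an added example, not part of the K10 documentation: it reads project_id from the key file and prints the extra --set flag only when it differs from the cluster's project. The function names and the sample key are constructed for illustration, and the field names assume the standard Google service account key JSON layout.

```shell
# Pre-flight check for k10-sa-key.json before `helm install` (added example).
# Assumes the standard service account key JSON fields: type, project_id,
# client_email. Function names are hypothetical, not part of K10 or gcloud.

# Print the value of a top-level string field from the key JSON (no jq needed).
sa_key_field() {  # usage: sa_key_field <key-file> <field>
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print the extra helm flag when the key belongs to a different project than
# the cluster; print nothing when they match. Fails on an unusable key file.
k10_project_flag() {  # usage: k10_project_flag <key-file> <cluster-project-id>
  local key_file="$1" cluster_project="$2" key_type key_project
  [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
  key_type=$(sa_key_field "$key_file" type)
  key_project=$(sa_key_field "$key_file" project_id)
  [ "$key_type" = "service_account" ] || { echo "not a service account key" >&2; return 1; }
  [ -n "$key_project" ] || { echo "key has no project_id" >&2; return 1; }
  chmod 600 "$key_file"  # key grants storageAdmin access: keep it owner-only
  if [ "$key_project" != "$cluster_project" ]; then
    printf '%s\n' "--set secrets.googleProjectId=$cluster_project"
  fi
}

# Constructed sample key with no real key material, for trying the check offline.
write_sample_key() {  # usage: write_sample_key <path> <project-id>
  cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$2",
  "private_key_id": "CONSTRUCTED",
  "client_email": "k10-test-sa@$2.iam.gserviceaccount.com"
}
EOF
}

sample=$(mktemp)
write_sample_key "$sample" sa-project
k10_project_flag "$sample" cluster-project  # --set secrets.googleProjectId=cluster-project
k10_project_flag "$sample" sa-project       # prints nothing: same project
rm -f "$sample"
```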