ccs-gcp-provisioned.adoc

File metadata and controls

80 lines (64 loc) · 2.58 KB

Provisioned GCP Infrastructure

This is an overview of the provisioned Google Cloud Platform (GCP) components on a deployed {product-title} cluster. For a more detailed listing of all provisioned GCP components, see the {OCP} documentation.

Compute instances

GCP compute instances are required to deploy the control plane and data plane functions of {product-title} in GCP. Instance types might vary for control plane and infrastructure nodes depending on worker node count.

  • Single availability zone

    • 2 infra nodes (custom machine type: 4 vCPU and 32 GB RAM)

    • 3 control plane nodes (custom machine type: 8 vCPU and 32 GB RAM)

    • 2 worker nodes (custom machine type: 4 vCPU and 16 GB RAM)

  • Multiple availability zones

    • 3 infra nodes (custom machine type: 4 vCPU and 32 GB RAM)

    • 3 control plane nodes (custom machine type: 8 vCPU and 32 GB RAM)

    • 3 worker nodes (custom machine type: 4 vCPU and 16 GB RAM)

Storage

  • Infrastructure volumes:

    • 128 GB SSD persistent disk (deleted on instance deletion)

    • 110 GB Standard persistent disk (kept on instance deletion)

  • Worker volumes:

    • 128 GB SSD persistent disk (deleted on instance deletion)

  • Control plane volumes:

    • 128 GB SSD persistent disk (deleted on instance deletion)

VPC

  • Subnets: One master subnet for the control plane workloads and one worker subnet for all others.

  • Route tables: One global route table per VPC.

  • Internet gateways: One internet gateway per cluster.

  • NAT gateways: One master NAT gateway and one worker NAT gateway per cluster.

Services

The following services must be enabled on a GCP CCS cluster:

  • deploymentmanager

  • compute

  • cloudapis

  • cloudresourcemanager

  • dns

  • iamcredentials

  • iam

  • servicemanagement

  • serviceusage

  • storage-api

  • storage-component

  • orgpolicy

  • networksecurity

Permissions

The following roles must be added to the support service account:

  • compute.admin

  • dns.admin

  • orgpolicy.policyViewer

  • servicemanagement.admin

  • serviceusage.serviceUsageAdmin

  • storage.admin

  • compute.loadBalancerAdmin

  • viewer

  • iam.roleAdmin

  • iam.securityAdmin

  • iam.serviceAccountKeyAdmin

  • iam.serviceAccountAdmin

  • iam.serviceAccountUser
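The two lists above (the services that must be enabled and the roles the support service account must hold) are the minimum a CCS project needs before provisioning, and they are also what an operator should audit before granting that service account to {product-title}. The following script is an added example, not part of this document or of the product, that diffs what is actually enabled and bound against those lists. Its inputs are plain newline-separated lists; the gcloud commands in the comments are the normal way to obtain them, and the sample data at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a GCP project against the CCS service and role lists.
# Real inputs come from gcloud (commands shown for reference, not executed here):
#   gcloud services list --enabled --project "$PROJECT" --format="value(config.name)"
#   gcloud projects get-iam-policy "$PROJECT" --flatten="bindings[].members" \
#       --filter="bindings.members:serviceAccount:$SUPPORT_SA" \
#       --format="value(bindings.role)"

# Services listed in the "Services" section (API name is "<service>.googleapis.com").
REQUIRED_SERVICES="deploymentmanager compute cloudapis cloudresourcemanager dns \
iamcredentials iam servicemanagement serviceusage storage-api storage-component \
orgpolicy networksecurity"

# Roles listed in the "Permissions" section (bound as "roles/<role>").
REQUIRED_ROLES="compute.admin dns.admin orgpolicy.policyViewer servicemanagement.admin \
serviceusage.serviceUsageAdmin storage.admin compute.loadBalancerAdmin viewer \
iam.roleAdmin iam.securityAdmin iam.serviceAccountKeyAdmin iam.serviceAccountAdmin \
iam.serviceAccountUser"

# missing_services ENABLED: ENABLED is a newline-separated list of enabled API
# names. Prints each required service whose API is absent, one per line, in the
# order of REQUIRED_SERVICES.
missing_services() {
  enabled="$1"
  for svc in $REQUIRED_SERVICES; do
    printf '%s\n' "$enabled" | grep -qxF "${svc}.googleapis.com" || printf '%s\n' "$svc"
  done
}

# missing_roles BOUND: BOUND is a newline-separated list of roles bound to the
# support service account. Prints each required role that is not bound.
missing_roles() {
  bound="$1"
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$bound" | grep -qxF "roles/${role}" || printf '%s\n' "$role"
  done
}

# audit ENABLED BOUND: reports both gaps and returns 1 if anything is missing,
# 0 if the project satisfies both lists.
audit() {
  ms=$(missing_services "$1")
  mr=$(missing_roles "$2")
  rc=0
  if [ -n "$ms" ]; then
    printf 'services not enabled:\n%s\n' "$ms"
    rc=1
  fi
  if [ -n "$mr" ]; then
    printf 'roles not bound to the support service account:\n%s\n' "$mr"
    rc=1
  fi
  return $rc
}

# Constructed sample data (stands in for gcloud output): every API except
# orgpolicy and networksecurity is enabled, and every role except viewer and
# iam.serviceAccountKeyAdmin is bound.
SAMPLE_ENABLED=$(for s in deploymentmanager compute cloudapis cloudresourcemanager dns \
  iamcredentials iam servicemanagement serviceusage storage-api storage-component; do
  printf '%s.googleapis.com\n' "$s"; done)
SAMPLE_BOUND=$(for r in compute.admin dns.admin orgpolicy.policyViewer \
  servicemanagement.admin serviceusage.serviceUsageAdmin storage.admin \
  compute.loadBalancerAdmin iam.roleAdmin iam.securityAdmin \
  iam.serviceAccountAdmin iam.serviceAccountUser; do printf 'roles/%s\n' "$r"; done)

audit "$SAMPLE_ENABLED" "$SAMPLE_BOUND" || echo "project is not ready for CCS provisioning"
```

Running the audit before handing the support service account to the cluster installer catches two common failures early: an API that was never enabled (the installer fails partway through) and a role that was dropped by an org-level policy or a later cleanup. The check is exact-match on API and role names, so a broader role such as a project-level owner binding is deliberately not accepted as a substitute; the point is to confirm the documented grants, not any grant that happens to be sufficient.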