Version: 25.06

GCP Deployment

Requirements

The following systems must be in place before you begin.

  • Access to the Google Cloud CLI (gcloud), kubectl and helm
  • Existing GKE cluster with the default configuration
    • Nodes should have a minimum of 4 vCPUs and 16 GB RAM each
  • Working Ingress controller installed in the cluster

Permissions

This setup requires the following permissions.

  • Create service accounts
  • Create and manage GCS buckets

Deployment

  1. In your GCP Console, create IAM service accounts.

    PROJECT_ID=$(gcloud config get-value project)
    NAMESPACE="default"

    for SA_NAME in ci-scanner dlp-tika dlp-coordinator; do
      SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

      gcloud iam service-accounts create "${SA_NAME}" \
      --display-name="${SA_NAME}"

      # Required to access the $CACHE_BUCKET bucket (created in step 2)
      gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="roles/storage.objectViewer"

      # Let the Kubernetes service account of the same name impersonate this GSA via Workload Identity
      gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
      --member="serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/${SA_NAME}]" \
      --role="roles/iam.workloadIdentityUser"
    done
  2. Create a storage bucket to store the captured content and the content inspection reports.

    CACHE_BUCKET="files-cache"
    gcloud storage buckets create gs://$CACHE_BUCKET \
    --location=us-central1 \
    --uniform-bucket-level-access \
    --public-access-prevention \
    --default-storage-class=STANDARD

    # Note the name of $CACHE_BUCKET. It will be used in the chart configuration.

    NOTE

    As a security measure, limit access to the bucket only to the service accounts created in step 1, rather than using a project-level role.

  3. Verify that the Ingress controller is working. The deployment supports any generic ingress controller.

    Consider using native GKE Ingress: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress

    To test the Ingress controller, follow the instructions in Test Ingress Controller.

  4. Install Custom Metrics Stackdriver Adapter in your cluster.

    kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-stackdriver/master/custom-metrics-stackdriver-adapter/deploy/production/adapter_new_resource_model.yaml
  5. Make sure your “custom-metrics-sd-adapter” service account has the monitoring.viewer IAM role.

    gcloud iam service-accounts create custom-metrics-sd-adapter \
    --description="Custom metrics Stackdriver adapter" \
    --display-name="custom-metrics-sd-adapter"

    # Grant the monitoring.viewer role the adapter needs to read metrics
    gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --member="serviceAccount:custom-metrics-sd-adapter@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/monitoring.viewer"

    # Allow the adapter's Kubernetes service account (namespace custom-metrics) to impersonate the GSA
    gcloud iam service-accounts add-iam-policy-binding \
    "custom-metrics-sd-adapter@${PROJECT_ID}.iam.gserviceaccount.com" \
    --member="serviceAccount:${PROJECT_ID}.svc.id.goog[custom-metrics/custom-metrics-stackdriver-adapter]" \
    --role="roles/iam.workloadIdentityUser"
  6. Annotate the Custom Metrics - Stackdriver Adapter service account.

    # PROJECT_ID must be set in the shell (see step 1)

    kubectl annotate serviceaccount --namespace custom-metrics \
    custom-metrics-stackdriver-adapter \
    iam.gke.io/gcp-service-account=custom-metrics-sd-adapter@${PROJECT_ID}.iam.gserviceaccount.com

    Now verify that the custom-metrics-stackdriver-adapter pod in the custom-metrics namespace is running and healthy.
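The following script is an added example and is not part of the original deployment guide or the project's own tooling. It wraps the IAM pieces of steps 1, 2 and 5 in small shell functions: it builds Workload Identity member strings while refusing an unexpanded placeholder such as a literal `PROJECT_ID` (a binding written that way is accepted by gcloud but never matches a real pod identity), and it grants `roles/storage.objectViewer` on the single cache bucket instead of at project level, which is what the NOTE in step 2 recommends. The `GCLOUD` override and the project id `my-proj` used in the comments are assumptions for dry-running; the `gcloud storage buckets add-iam-policy-binding` and `gcloud iam service-accounts add-iam-policy-binding` commands are the real CLI commands.

```shell
#!/bin/sh
# Added example (not from the original guide). Set GCLOUD=echo to print
# the commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Build the Workload Identity member for a Kubernetes service account.
# Rejects an empty or unexpanded project id (e.g. the literal "PROJECT_ID").
wi_member() {
  project="$1"; namespace="$2"; ksa="$3"
  case "$project" in
    ""|PROJECT_ID|*'$'*)
      echo "wi_member: project id not expanded: '$project'" >&2
      return 1 ;;
  esac
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$project" "$namespace" "$ksa"
}

# Email address of a Google service account in a project.
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Grant objectViewer on one bucket only (bucket-level IAM, not a project role).
grant_bucket_viewer() {
  bucket="$1"; gsa="$2"
  "$GCLOUD" storage buckets add-iam-policy-binding "gs://${bucket}" \
    --member="serviceAccount:${gsa}" \
    --role="roles/storage.objectViewer"
}

# Bind a Kubernetes service account to a GSA via Workload Identity.
bind_workload_identity() {
  project="$1"; namespace="$2"; ksa="$3"; gsa="$4"
  member="$(wi_member "$project" "$namespace" "$ksa")" || return 1
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$gsa" \
    --member="$member" \
    --role="roles/iam.workloadIdentityUser"
}

# Steps 1 and 2 combined with bucket-scoped access for the three workload GSAs.
setup_cache_bucket_access() {
  project="$1"; bucket="$2"; namespace="$3"
  for sa in ci-scanner dlp-tika dlp-coordinator; do
    gsa="$(gsa_email "$sa" "$project")"
    grant_bucket_viewer "$bucket" "$gsa"
    bind_workload_identity "$project" "$namespace" "$sa" "$gsa"
  done
}

# Example invocation (constructed values): dry-run against project "my-proj".
# GCLOUD=echo setup_cache_bucket_access my-proj files-cache default
```

Run it once with `GCLOUD=echo` to review the exact bindings before applying them with the real CLI; the project-level `roles/storage.objectViewer` grant from step 1 can then be dropped in favour of the bucket-scoped one.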