This assumes you are running in Cloud Shell which has all of the prerequisites installed.
If you are not the following resources are required.
- Google Cloud SDK version >= 325.0.0
- kpt
- kubectl ( >= v1.20)
CLUSTER=<cluster-name>
REGION=<supported-region>
PROJECT_ID=<project-id>
NETWORK=<vpc-name>
SUBNET=<subnet-name>
ORG_ID=<your_org_id>
BILLING_ID=<your_billing_id>
gcloud projects create $PROJECT_ID --name="Config Controller" --labels=type=infrastructure-automation --set-as-default
gcloud beta billing projects link $PROJECT_ID --billing-account $BILLING_ID
gcloud config set project $PROJECT_ID
gcloud services enable krmapihosting.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com accesscontextmanager.googleapis.com
gcloud compute networks create $NETWORK --subnet-mode=custom
gcloud compute networks subnets create $SUBNET \
--network $NETWORK \
--range 192.168.0.0/16 \
--region $REGION
Fully managed cluster
gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET --full-management
gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
gcloud anthos config controller get-credentials $CLUSTER --location $REGION
kubens config-control
Note: ORG_ID will be set from step
export ORG_ID=$ORG_ID
export SA_EMAIL="$(kubectl get ConfigConnectorContext -n config-control \
-o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/resourcemanager.folderAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/resourcemanager.projectCreator"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/resourcemanager.projectDeleter"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/orgpolicy.policyAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/serviceusage.serviceUsageConsumer"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
--member "serviceAccount:${SA_EMAIL}" \
--role "roles/billing.user"