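#!/usr/bin/env bash
# Provision a private GKE cluster (orca-test-cluster) that runs under a
# least-privilege node service account and whose control plane is reachable
# only from the orca-jumphost VM.
#
# Required environment:
#   DEVSHELL_PROJECT_ID  - project in which the role, service account and
#                          cluster are created (set automatically in Cloud Shell)
# Assumes orca-build-vpc, orca-build-subnet and orca-jumphost already exist.
set -euo pipefail

# Fail early with a clear message rather than passing an empty project id
# into every gcloud call below.
: "${DEVSHELL_PROJECT_ID:?must be set (run from Cloud Shell or export it)}"
readonly project=$DEVSHELL_PROJECT_ID
readonly sa_name=orca-private-cluster-sa
readonly sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
readonly role_id=orca_storage_update
readonly roles_file=roles.yaml

gcloud config set compute/zone us-east1-b

# Write the custom-role definition non-interactively (the original recipe
# opened vim). The permission set is deliberately narrow: get/list/create/
# update on objects, no delete — a compromised workload cannot wipe buckets.
cat > "$roles_file" <<'EOF'
title: "Orca Storage Update"
description: "Add and update objects in Google Cloud Storage buckets"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
EOF

gcloud iam roles create "$role_id" \
  --project "$project" \
  --file "$roles_file"

gcloud iam service-accounts create "$sa_name" \
  --display-name "Orca Private Cluster Service Account"

# Node service account gets only what GKE needs for logging/metrics plus the
# custom storage role above — no broad project roles such as roles/editor.
for role in \
    roles/monitoring.viewer \
    roles/monitoring.metricWriter \
    roles/logging.logWriter \
    "projects/${project}/roles/${role_id}"; do
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${sa_email}" \
    --role "$role"
done

# The jumphost's internal address is the only source allowed to reach the
# API server. Abort if the lookup yields nothing; otherwise
# --master-authorized-networks would be handed a bare "/32".
JUMPHOST_IP=$(gcloud compute instances describe orca-jumphost \
  --format='get(networkInterfaces[0].networkIP)')
: "${JUMPHOST_IP:?could not determine orca-jumphost internal IP}"

# Despite the name, this is the control-plane (master) /28, not the node
# subnet; GKE requires it to be a /28 that does not overlap any subnet
# range in orca-build-vpc.
SUBNET_IP_RANGE="10.142.0.0/28"

# --enable-private-nodes: nodes get no public IPs.
# --enable-private-endpoint: the public control-plane endpoint is disabled,
#   so kubectl must go through the VPC (i.e. via the jumphost).
gcloud beta container clusters create orca-test-cluster \
  --network orca-build-vpc \
  --subnetwork orca-build-subnet \
  --service-account "$sa_email" \
  --enable-master-authorized-networks \
  --master-authorized-networks "${JUMPHOST_IP}/32" \
  --enable-private-nodes \
  --master-ipv4-cidr "$SUBNET_IP_RANGE" \
  --enable-ip-alias \
  --enable-private-endpoint

# --internal-ip is required because the public endpoint was disabled above.
gcloud container clusters get-credentials orca-test-cluster --internal-ip

kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0
# NOTE: a Service of type LoadBalancer provisions an external (public) IP
# even though the cluster's nodes and control plane are private. If the app
# must remain VPC-only, use an internal load balancer annotation instead.
kubectl expose deployment hello-server --name orca-hello-service \
  --type LoadBalancer --port 80 --target-port 8080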