Set up Anyscale on GKE

View Markdown

Set up Anyscale on GKE

This page describes how to set up an Anyscale cloud on Google Kubernetes Engine (GKE) using the anyscale cloud setup command. This flow creates a working baseline so you can run jobs and services. You can customize networking, node pools, and security after setup.

important

The anyscale cloud setup CLI flow for Kubernetes is in beta. Anyscale recommends this flow for self-service onboarding. Clouds deployed with this flow are production-ready and eligible for support. All features available for Anyscale on GKE are available whether you use anyscale cloud setup or anyscale cloud register.

By default, this flow prompts you to install ingress-nginx. You can skip this and configure your own ingress or gateway controller. To fully customize the ingress setup, use anyscale cloud register and configure your Helm chart manually. See Anyscale on Kubernetes.

Contact Anyscale support for configuration and customization help.

Prerequisites

Before you start, ensure the following:

• You are an Anyscale organization owner.
• You have an existing GKE cluster with Workload Identity enabled. The cloud setup command uses this to bind a Google Cloud service account to the Anyscale operator's Kubernetes service account. To create a cluster, see Create a zonal GKE cluster in the Google Cloud docs or use the Anyscale Terraform module for GKE. To enable Workload Identity on an existing cluster, see Use Workload Identity Federation for GKE in the Google Cloud docs.
• You have sufficient Google Cloud permissions to create GCS buckets, service accounts, and IAM bindings in your project.
• The Anyscale CLI is installed with Google Cloud support: pip install -U "anyscale[gcp]". Run anyscale login to authenticate.
• The following CLI tools are installed: gcloud, gsutil, kubectl, helm. Run gcloud auth login and gcloud auth application-default login to authenticate.

Cluster and cloud details

Enter the following values. You'll use them when connecting with kubectl and running cloud setup.

Google Cloud project ID

Google Cloud region

GKE cluster name

Anyscale cloud name

Connect to your GKE cluster

Configure kubectl to use your cluster:

gcloud container clusters get-credentials <cluster-name> --region <region> --project <project-id>

Verify the connection:

kubectl get nodes

Run cloud setup

Run the cloud setup command:

anyscale cloud setup \
  --stack k8s \
  --cluster-name <cluster-name> \
  --project-id <project-id> \
  --functional-verify

The CLI prompts you for additional values to complete your cloud setup.

• The --functional-verify runs a post-setup check to confirm the cloud can run a workload.

When prompted for a namespace, press Enter to use the default anyscale-operator or type a different namespace. Anyscale recommends a dedicated namespace per Anyscale cloud. See Anyscale on Kubernetes.

What the CLI does

The CLI runs the following steps:

1. Discovery: Validates the GKE cluster, retrieves cluster details and availability zones, and configures your kubeconfig.
2. Google Cloud resource creation: Creates a GCS bucket for workload storage and a service account for the Anyscale operator. The CLI sets up a Workload Identity binding so the operator's Kubernetes service account can impersonate the Google Cloud service account, and grants the service account storage access to the bucket.
3. Cloud registration: Registers the Anyscale cloud with the control plane using the new bucket and service account.
4. Operator install: Generates a Helm values file and installs the Anyscale operator in your chosen namespace. The CLI prompts you to install ingress-nginx as the ingress controller for dashboards and Anyscale services. You can skip this step and configure your own ingress controller.
5. Verification: If you used --functional-verify, runs a check to confirm the cloud is usable.

warning

If setup fails, the CLI doesn't automatically remove resources created in earlier steps. For troubleshooting and cleanup steps, contact Anyscale support and provide the CLI output. You need sufficient Google Cloud permissions to clean up or retry.

Verify your cloud

If you didn't use --functional-verify, verify the cloud manually:

anyscale cloud verify --name <cloud-name>

You can also submit a small job to confirm the cloud works:

anyscale job submit --cloud <cloud-name> --working-dir https://github.com/anyscale/docs_examples/archive/refs/heads/main.zip -- python hello_world.py

Next steps

• Customize the operator: See Configure the Helm chart for the Anyscale operator.
• Manage IAM permissions: See Configure service accounts for clusters on Anyscale on GKE.
• Access GCS buckets from workloads: See Access Google Cloud Storage buckets.
• Use Google Secret Manager: See Configure access to Google Secret Manager.