Getting started

The following components are installed when leveraging KubePlatform.


  • Installed kustomize 2.0.1 or a version of kubectl that has kustomize already integrated.
  • Running GKE Kubernetes Cluster with at least 3 instances of n1-standard-2 worker nodes.


What you need to know now:

  • An email address for issuing TLS certificates
  • A DNS zone name (a domain or subdomain like
  • A GCP project ID (e.g., my-google-project-223304)

Own OAuth provider

KubePlatform comes with a pre-configured Keycloak used for user management and OAuth2 authentication. If you plan to use your own OAuth provider, collect these parameters:

  • An Issuer URL for OpenID Connect
  • Client ID and its client secret
  • Cookie Secret

Add these parameters to:

  • patches/oauth2-proxy-patch.yaml
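
Added example (not part of KubePlatform or its documentation): one way to generate the cookie secret and confirm it has a length oauth2-proxy can use as an AES key (16, 24 or 32 bytes, counted raw or after base64 decoding). The function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate and sanity-check an oauth2-proxy cookie secret.
# Function names are hypothetical; they are not part of KubePlatform.

# Print 32 random bytes (AES-256 key size) as URL-safe base64.
gen_cookie_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n' | tr -- '+/' '-_'
}

# Print the byte length of $1 after URL-safe base64 decoding,
# or 0 when $1 is not valid base64.
decoded_len() {
    s=$(printf '%s' "$1" | tr -d '=' | tr -- '_-' '/+')
    case "$s" in
        ''|*[!A-Za-z0-9+/]*) echo 0; return ;;
    esac
    case $(( ${#s} % 4 )) in      # restore the padding base64 -d expects
        1) echo 0; return ;;
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Succeed when the secret is usable as an AES key: 16, 24 or 32 bytes,
# counted either after base64 decoding or as the raw string.
cookie_secret_ok() {
    for len in "$(decoded_len "$1")" "${#1}"; do
        case "$len" in
            16|24|32) return 0 ;;
        esac
    done
    return 1
}

# Generate one secret and report its length without printing the value.
secret=$(gen_cookie_secret)
if cookie_secret_ok "$secret"; then
    echo "cookie secret OK (${#secret} characters)"
fi
```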


The installation basically consists of these parts:

  1. DNS configuration
  2. Overlay Configuration
  3. Applying yamls to Kubernetes

DNS configuration

  1. Create a new DNS zone and a service account that external-dns will use to add hosts to the zone:
# DOMAIN must already be set to your DNS zone name
export PROJECT_ID=my-google-project-223304

gcloud dns managed-zones create "${DOMAIN//./-}" \
    --dns-name "$DOMAIN." \
    --description "Automatically managed zone by" \
    --project $PROJECT_ID

gcloud iam service-accounts create ${DOMAIN//./-} \
    --display-name "${DOMAIN//./-} service account for external-dns" \
    --project $PROJECT_ID

gcloud iam service-accounts keys create ./google-credentials.json \
  --iam-account "${DOMAIN//./-}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member "serviceAccount:${DOMAIN//./-}@${PROJECT_ID}.iam.gserviceaccount.com" --role roles/dns.admin
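  2. Ensure that the downloaded credentials file google-credentials.json is present in the google-overlay folder. It holds a long-lived private key for an account with roles/dns.admin, so keep it out of version control.
  3. Make a note of the nameservers that were assigned to your new DNS zone: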
gcloud dns record-sets list \
--zone "${DOMAIN//./-}" \
--name "$DOMAIN." \
--type NS \
--project $PROJECT_ID
  4. Enter the new nameservers in the DNS configuration of your domain at your domain provider.
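
Added example (not part of KubePlatform): a check that the nameservers published for the domain match the ones noted from `gcloud dns record-sets list`, so a partial delegation or a leftover nameserver from a previous provider is caught before certificates are requested. The helper names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the nameservers Cloud DNS assigned to the zone with
# the ones the parent zone publishes. Helper names are hypothetical.

# Lower-case, strip whitespace and the trailing dot, sort, de-duplicate.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_diff ZONE_NS PUBLIC_NS  (newline-separated lists)
# Prints "missing NAME" / "unexpected NAME"; returns 0 only on an exact match.
delegation_diff() {
    want=$(printf '%s\n' "$1" | normalize_ns)
    have=$(printf '%s\n' "$2" | normalize_ns)
    [ -n "$want" ] || { echo "no zone nameservers given"; return 2; }
    rc=0
    for ns in $want; do
        printf '%s\n' "$have" | grep -Fxq -- "$ns" || { echo "missing $ns"; rc=1; }
    done
    for ns in $have; do
        printf '%s\n' "$want" | grep -Fxq -- "$ns" || { echo "unexpected $ns"; rc=1; }
    done
    return $rc
}

# Constructed sample data (not real output).
SAMPLE_ZONE_NS='ns-cloud-a1.googledomains.com.
ns-cloud-a2.googledomains.com.
ns-cloud-a3.googledomains.com.
ns-cloud-a4.googledomains.com.'
SAMPLE_PUBLIC_NS='NS-CLOUD-A2.googledomains.com.
ns-cloud-a1.googledomains.com.
ns-cloud-a4.googledomains.com.
ns-cloud-a3.googledomains.com.'

delegation_diff "$SAMPLE_ZONE_NS" "$SAMPLE_PUBLIC_NS" && echo "delegation matches"

# Live use: pass the names noted from `gcloud dns record-sets list` as the
# first argument and "$(dig +short NS "$DOMAIN")" as the second.
```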

Overlay Configuration

Use the provided KubePlatform Kustomize Overlay for GKE. The configuration is made in these three files:

  • Enter the desired domain (e.g.
  • Enter the GCE project (e.g. PROJECT=my-google-project-223304)


  • Enter two email addresses for Let’s Encrypt certificate. One for staging and one (or the same) for prod.


  • Change the admin password for Keycloak
  • Choose namePrefix, nameSuffix and namespace
  • If you plan to use the Let’s Encrypt prod environment instead of staging, change the var CLUSTER_ISSUER_NAME accordingly. Note: If you switch from staging to prod, delete the staging certificates that are already present so that cert-manager issues new certificates.

Applying YAMLs

  1. Create a Kubernetes cluster
export PROJECT_ID=my-google-project-223304
export GC_ZONE=europe-west4-a
export CLUSTER=kubeplatform
export NAMESPACE=kubeplatform

gcloud config set project $PROJECT_ID
gcloud config set compute/zone $GC_ZONE

gcloud container --project "$PROJECT_ID" clusters create "$CLUSTER" \
  --zone "$GC_ZONE" \
  --no-enable-basic-auth \
  --cluster-version "latest" \
  --machine-type "n1-standard-2" \
  --image-type "COS" \
  --disk-size "50" \
  --node-labels "cluster=$CLUSTER" \
  --num-nodes "3" \
  --enable-autoscaling \
  --min-nodes "1" \
  --max-nodes "5" \
  --metadata disable-legacy-endpoints=true \
  --addons HorizontalPodAutoscaling,HttpLoadBalancing \
  --no-enable-autoupgrade
  2. Retrieve kubectl credentials
gcloud container clusters get-credentials "$CLUSTER"
  3. Create a clusterrolebinding for your account:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user="$(gcloud config get-value account)"
  4. Create the namespace you have chosen in the overlay configuration step.
kubectl create namespace ${NAMESPACE}
  5. Apply the template to the cluster
kubectl apply -k google-overlay


Wait until your Pods are running:

kubectl get pods --namespace "$NAMESPACE"

Set up a user in Keycloak:

  1. Opening https://keycloak.$(DOMAIN)/auth/admin/ should take you to your Keycloak instance (the username is keycloak; for the password, refer to your kustomization.yaml).
  2. Add a user of your choice in Manage/Users (the user must have an email address). Please refer to the respective Keycloak documentation.

You should then be able to use this user to go to:

  • https://prometheus.$(DOMAIN)
  • https://kibana.$(DOMAIN)
  • https://grafana.$(DOMAIN)
  • https://argo.$(DOMAIN)

If you want to see the internal metrics collected by Prometheus, you can start by importing a Kubernetes dashboard into Grafana, e.g.

If you want to remove all KubePlatform resources from the cluster, simply use the following command:

kubectl delete -k google-overlay

kubectl --namespace $NAMESPACE delete secret letsencrypt-staging
kubectl --namespace $NAMESPACE delete secret letsencrypt-prod

kubectl --namespace $NAMESPACE delete secret grafana-tls
kubectl --namespace $NAMESPACE delete secret keycloak-tls
kubectl --namespace $NAMESPACE delete secret kibana-logging-tls
kubectl --namespace $NAMESPACE delete secret prometheus-tls

kubectl --namespace $NAMESPACE delete secret cert-manager-webhook-tls
kubectl --namespace $NAMESPACE delete secret cert-manager-webhook-ca

kubectl --namespace $NAMESPACE delete cm cert-manager-controller
kubectl --namespace $NAMESPACE delete cm ingress-controller-leader-nginx