Setup a Google Cloud Platform project

Required input
<base domain>

The base domain used to make the cluster accessible.

<cluster name>

The name of the cluster. This name will be used as identifier or as part of identifiers. It also will become a subdomain to the base domain.

<project name>

The name of the GCP project.

If the project and region names are too long, node provisioning won’t work. See Name length on GCP.

  1. Create Project

    gcloud projects create <project name> \ (1)
      --organization <organization ID> (2)
    1 The project name from the input.
    2 Optional: The numerical ID of an Organization.

    Projects on Google Cloud can be attached to an organization or stand on its own. Whether or not to do this needs to be negotiated with the owner of the Google Account used to create the project.

    Organization ID

    The following organization IDs shall be used when nothing else is provided.



  2. Configure Billing

    There seems to be no way to do this using gcloud and thus has to be done in the Web Console. Visit<project name>

    One might want to use free tier without setting up billing. This is possible but only when the default quotas are sufficient.

  3. Enable services

    gcloud --project <project name> services enable \ \ \ \ \ \ \ \ \ \
  4. Create DNS zone

    gcloud --project <project name> dns managed-zones create <zone name> \ (1)
      --dns-name=<base domain> \ (2)
      --description="<zone description>" (3)
    1 Name used within GCP to identify/address the zone.
    2 The base domain from the inputs above.
    3 Short description to give humans more context about the zone.
  5. Extract name servers and ensure domain gets properly delegated at the registrar or the parent zone

    gcloud --project <project name> dns managed-zones describe <zone name> --format json | jq -r '.nameServers[]' (1)
    1 Zone name used when creating the zone
  6. Check GCP account limits

    For region europe-west6 (Zürich), CPU quota might be too low. Other regions are also affected (see

    For the other regions, the default account quotas are sufficient for an OpenShift cluster. This might not be the case when using an account already containing resources.

    Raising quotas can be done at

    Plan ahead as this can take up to two days. It usually takes only seconds though.

    Use the OpenShift Limits Calculator to calculate your needs. This is especially handy when it’s planned to setup several clusters within one project. It doesn’t take regions into consideration and some regions have different defaults. Take the column "Service Limit increase necessary?" with a grain of salt and double check.

  7. Create a GCP service account

    gcloud --project <project name> iam service-accounts create openshift4-installer-<cluster name> \ (1)
      --display-name="OpenShift 4 Installer of cluster `<cluster name>`" (1)
    1 Use cluster name from the inputs.

    And give it the required permissions:

    read -d '' roles <<EOF
    while IFS= read -r role; do
      gcloud projects add-iam-policy-binding <project name> \ (1)
        --member serviceAccount:openshift4-installer-<cluster name>@<project name> \ (2)
    done <<< ${roles}
    1 The project name from the inputs.
    2 The cluster name from the inputs. The service account email must match the one previously created.

    The documentation suggests to give the Service Account the roles/owner role. It also gives advice which roles to use if one does want to work with less privileges. The given list might not be complete or is ambiguous (name vs description). The first attempt with the above role set failed. The worker nodes didn’t come up.

  8. Create Service Account Key

    gcloud iam service-accounts keys create key.json \
      --iam-account openshift4-installer-<cluster name>@<project name> (1)
    1 The cluster name from the inputs. The service account email must match the one previously created.
  9. Ensure firewall settings

    By default, no firewall is configured within a project. When using a project created by a third party, we need to check if the firewall settings meet the requirements from