Setup Managed inCloud with GCP

Intro

inCloud general overview

groundcover inCloud is a managed enterprise solution for installing groundcover’s observability infrastructure in a customer-owned cloud environment.

To set up groundcover inCloud, you need to create an isolated project within your GCP organization. groundcover's control plane will automatically manage these project resources, establishing, configuring, and maintaining the infrastructure and workloads within the account. These include GCP VPC, GCS, GKE, and LB services.

Security of groundcover Control-Plane

groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise InCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.

The control plane can securely access the isolated project’s service account within the customer organization using a cross-organization IAM delegation chain with the matching roles. It is important to note that groundcover inCloud setup does not require access to customer production data or workloads and is not granted such access.

Setup Guide

Chapter 1 - inCloud Backend

Step 1: Create a new GCP project under your organization

Create a new GCP project for groundcover deployment. We strongly suggest following Google’s guide and isolating this project using the right folder hierarchy and IAM rules: https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy

Finally, select the inCloud project in the project picker.

Step 2: Add a new project owner service account

To manage environment resources, we would need to have a dedicated project owner service account

Navigate to IAM & Admin > Service Accounts and create a new service account. You can choose any name for it, but we suggest naming it groundcover-managed.

Click on “CREATE AND CONTINUE”.

Under "Grant this service account access to project", open "Select a role" and choose Roles > Owner.

Then, press Done at the bottom (no need to fill the optional "Grant users access to this service account" field).

Step 3: Allow groundcover SA to create an access token to project’s admin

Click the service account created in the previous step:

Click on the "PERMISSIONS" tab

Click "GRANT ACCESS"

Under Add principals > New principals, add the following SA:

controlplane@groundcover-managed-prod.iam.gserviceaccount.com

Under Assign roles > Role, select "Service Account Token Creator" and press SAVE:

Step 4: Enable service usage API in this project

Search “Service Usage API” using the GCP search bar and click on "Service Usage API"

Click on ENABLE

Step 5: Share the control-plane SA with groundcover

After completing the previous steps, share with your dedicated groundcover integration manager the service account email (created in Step 2)

Chapter 2 - Backend Reconciliation

At this stage, our automation kicks in. Please allow approximately 2 hours for the initial reconciliation loop to stabilize.

Chapter 3 - Sensor Deployment

Once stabilized, your integration manager will share with you (using a private channel) the incloud-values.yaml that should be used during sensor deployment on production workload, in the following manner:

groundcover deploy -f incloud-values.yaml

Please see API Key Secret for additional information.

Start using groundcover Managed inCloud

You can now log in to app.groundcover.com to use groundcover Managed inCloud, with total data control and privacy.