Deploy AKKO on Google GKE

GKE 1.30+ is a supported AKKO target. A Standard cluster is recommended for production (Autopilot works for dev, but its resource guardrails may need tweaking for OpenMetadata).

Prerequisites

| Requirement | Version |
| --- | --- |
| GKE | 1.30+ (Standard cluster, 3 × e2-standard-4 minimum) |
| Persistent Disk CSI | enabled (default) |
| GCE Ingress | or cert-manager + ingress-nginx |
| Workload Identity | enabled at cluster creation |
| cert-manager | 1.16+ (or GCP managed certs) |
| kubectl + gcloud CLI | configured |
| Helm | ≥ 3.14 |

One-command install

AKKO_DOMAIN=akko.customer.example \
AKKO_VERSION=2026.04 \
AKKO_VALUES_EXTRA=helm/examples/values-gke.yaml \
  bash deploy-from-harbor.sh

GKE-specific notes

Storage

premium-rwo = pd-ssd (RWO, SSD). For balanced price/perf use standard-rwo (pd-balanced). Filestore for RWX is available but costly; not required by AKKO 2026.04.

Ingress

GKE Ingress (default) provisions a Cloud Load Balancer per Ingress. To share one load balancer, group routes under a single Ingress. GKE managed certificates are supported:

ingressAnnotations:
  networking.gke.io/managed-certificates: "akko-cert"

Workload Identity

For pods that need GCP APIs (Cloud Storage, BigQuery, Vertex AI):

gcloud iam service-accounts create akko-platform \
  --project <project>

gcloud iam service-accounts add-iam-policy-binding \
  akko-platform@<project>.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<project>.svc.id.goog[akko/akko-minio]"

Annotate the Kubernetes ServiceAccount:

akko-minio:
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: "akko-platform@<project>.iam.gserviceaccount.com"
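
Workload Identity only works when both halves above agree, so the following added example (not part of the AKKO project) checks the IAM binding and the annotation against each other. It assumes the inputs are the JSON printed by `gcloud iam service-accounts get-iam-policy <email> --format=json` and `kubectl -n akko get sa akko-minio -o json`; the project ID, policy and the extra `akko-trino` member are constructed sample data.

```python
import json

WI_ROLE = "roles/iam.workloadIdentityUser"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"

def check_workload_identity(policy, ksa, project, gsa_email):
    """Return findings; an empty list means both halves of the link agree."""
    meta = ksa["metadata"]
    ns, name = meta["namespace"], meta["name"]
    expected = f"serviceAccount:{project}.svc.id.goog[{ns}/{name}]"
    findings = []

    # Half 1: the Kubernetes ServiceAccount must name the GCP service account.
    annotated = (meta.get("annotations") or {}).get(WI_ANNOTATION)
    if annotated is None:
        findings.append(f"{ns}/{name}: annotation {WI_ANNOTATION} is missing")
    elif annotated != gsa_email:
        findings.append(f"{ns}/{name}: annotation names {annotated}, not {gsa_email}")

    # Half 2: the GCP service account must let that exact KSA impersonate it.
    members = [m for b in policy.get("bindings", [])
               if b.get("role") == WI_ROLE for m in b.get("members", [])]
    if expected not in members:
        findings.append(f"IAM binding missing for {expected}")
    # Any other member can also act as the GCP service account: review it.
    findings += [f"unexpected member with {WI_ROLE}: {m}"
                 for m in members if m != expected]
    return findings

# Constructed sample inputs (project ID and policy are made up for illustration).
PROJECT = "example-project"
GSA = f"akko-platform@{PROJECT}.iam.gserviceaccount.com"
SAMPLE_KSA = json.loads("""{"metadata": {"name": "akko-minio", "namespace": "akko",
  "annotations": {"iam.gke.io/gcp-service-account":
                  "akko-platform@example-project.iam.gserviceaccount.com"}}}""")
SAMPLE_POLICY = json.loads("""{"version": 1, "bindings": [{
  "role": "roles/iam.workloadIdentityUser",
  "members": ["serviceAccount:example-project.svc.id.goog[akko/akko-trino]"]}]}""")

if __name__ == "__main__":
    for finding in check_workload_identity(SAMPLE_POLICY, SAMPLE_KSA, PROJECT, GSA):
        print(finding)
```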

Artifact Registry mirror

gcloud auth configure-docker <region>-docker.pkg.dev
for img in cockpit postgres spark notebook trino ai-service mlflow \
           airflow dbt mcp-trino mcp-openmetadata docs aden \
           catalog-manager; do
  skopeo copy \
    docker://harbor.akko-ai.com/akko/akko-${img}:2026.04 \
    docker://<region>-docker.pkg.dev/<project>/akko/akko-${img}:2026.04
done

Override global.image.registry: <region>-docker.pkg.dev/<project>/akko.

Autopilot caveats

If you target Autopilot: some sub-charts ask for securityContext fields that Autopilot denies (privileged, host ports, etc.). AKKO 2026.04 is restricted-PSS-safe everywhere except directory service + Dashboards (both disabled by default on cloud overlays — ADR-020 replaces them with Apache 2.0 alternatives).

Verify

kubectl -n akko get pods
kubectl -n akko get ingress
gcloud compute addresses list --global
kubectl -n akko exec svc/akko-trino -c trino -- trino --execute "SHOW CATALOGS"

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| Ingress address empty for > 5 min | Managed cert still provisioning | kubectl describe managedcertificate -n akko |
| PVC Pending | PD quota exhausted in region | GCP Console → IAM → Quotas |
| Pod Unauthorized on GCS | Workload Identity binding missing | Re-run the add-iam-policy-binding for the SA |
| Pull from Artifact Registry 403 | GKE node SA missing roles/artifactregistry.reader | gcloud iam service-accounts add-iam-policy-binding <node-sa> |