Installing the infrastructure

This page is for infrastructure operators.

Anthos private mode is a version of Anthos that can run fully isolated from the internet in an air-gapped environment. You can use Anthos private mode to run highly regulated workloads on your premises while still benefiting from many of the advantages of a cloud-native infrastructure.


The architecture of Anthos private mode is similar to the architecture of the connected version of Anthos on bare metal: there is an admin cluster that you use to create and manage user clusters. Your workloads run on the user clusters. You also have an admin workstation which is a single machine containing the tools necessary to install and manage your Anthos private mode deployment.

Compared to the connected version of Anthos on bare metal, Anthos private mode comes with three additional components:

  • An optional container registry running on the admin workstation to store all the Anthos container images (necessary in a scenario where you don't have access to a container registry).
  • An actl command-line tool that helps install Anthos private mode and perform other administrative tasks.
  • A Anthos private mode Management Center that helps you manage authorization and authentication, observability, and multi-cluster Anthos feature management. Management Center includes a web-based Console running on the admin cluster. Management Center Console's user interface lets you manage all of the resources that make up the Anthos deployment, including machines, address pools, and user clusters. You can also use the Console to manage the Anthos features and monitor your workloads.

Diagram describing Anthos private mode's architecture

Figure: Anthos private mode architecture figure.

Prepare the environment

Obtain access to the product release, download the latest version, and install any dependencies.

Before you begin

Before you go through the instructions in this page, make sure that you meet the technical requirements for Anthos private mode.

Getting access to Anthos private mode

Google must grant you access to Anthos private mode releases. Provide your Google point of contact with an email address for each tester so that we can grant them access to the download repository. These email addresses must be Google accounts.

After your Google point of contact confirms that you have access to the Anthos private mode releases, check that you have the permissions to download the Anthos private mode releases by running the following command:

gsutil ls gs://anthos-private-mode-release/

If you get an error, verify that gsutil is using the same Google account that you have provided your Google point of contact by running the gcloud auth list command.

Alternatively, you can visit the latest release bucket to verify that you have the correct permissions. You must be logged in with the Google account that you provided earlier.

If you have issues accessing the Anthos private mode releases, contact your Google point of contact for help.

Download Anthos private mode

In this section, you download the Anthos private mode release, which is contained in multiple files of several gigabytes each. Depending on your Internet connection, it might take a long time to download.

Download Anthos private mode

On your admin workstation, run the following commands:

# Login with the account granted access to Anthos private mode
gcloud auth login

# Download the script which helps download all the latest components
export VERSION=1.8.2-gke.X

# Please use official 'INSTALLER_DIGEST' value from
export INSTALLER=get-anthos-private-mode-$
gsutil cp gs://anthos-private-mode-release/$VERSION/$INSTALLER .
if [[ -n "$INSTALLER_DIGEST" ]]; then echo "$INSTALLER_DIGEST $INSTALLER" | sha256sum -c; fi && chmod +x $INSTALLER && ./$INSTALLER

# If you are working on a workstation shared with other users,
# we recommend that you revoke your credentials after downloading the release.
gcloud auth revoke YOUR_EMAIL_ADDRESS

Install remaining dependencies

After the Anthos private mode download completes, run the following commands:

cd anthos-baremetal-private-mode

# Add actl command line tool and tools directory to the PATH
export PATH=$PWD/bin:$PATH

# Download Harbor offline installer
curl -SL \ \
  --output "local-registry/harbor-offline-installer.tgz"

# Install docker-compose
curl -SL \ \
  --output "local-registry/docker-compose"

These are the only two steps of the process that require an internet connection. If you are installing Anthos private mode in an environment that is fully isolated from the Internet, you can either:

  • First, connect your admin workstation to the internet, and download the release as shown above. Then, disconnect your workstation from the Internet, and connect it to the air-gapped environment.
  • Download the release from an internet-connected developer workstation, copy it on a portable storage device, and move this portable storage device to your air-gapped admin workstation.

You can explore the content of the Anthos private mode release:

├── actl-workspace
│   └── admin
│       └── admin.yaml
├── baremetal
│   ├── images
│   └── package-spec.yaml
├── bin
│   ├── actl
│   ├── istioctl
│   └── nomos
├── local-registry
│   ├──
│   ├── docker-compose
│   ├──
│   ├── harbor-offline-installer.tgz
│   └──
├── managementcenter
│   ├── images
│   └── management-center.yaml
├── services
│   ├── anthos-config-management
│   ├── anthos-service-mesh
│   └── images
├── third_party
└── updatecenter
    └── images
  • The local-registry directory contains the resources for setting up a local container registry.
  • Other directories like managementcenter, services, and baremetal contain everything needed to install the admin cluster and Anthos Management Center.

Optional: Enable actl shell autocompletion

The actl command-line tool supports shell auto completion for Bash, Zsh and Fish. You can set up completion in your shell by following the instructions in actl help completion, for example in Ubuntu/Debian, bash:

# One time setup: install bash-completion
sudo apt update && sudo apt install bash-completion

# In ~/.bashrc
source /etc/profile.d/
source <(actl completion bash)

Set up your container registry

Anthos private mode works by storing the Anthos container images in a local container registry. You can either use your own existing container registry or use the Anthos private mode bundled container registry.

Export the following environment variables.


# By default, a public project called 'library' is created,
# and you can also create other public or private projects with the container registry portal.

Replace the following:

  • REGISTRY_HOST is your registry IP address. If you want to install and use the Anthos private mode container registry on the admin workstation, use your admin workstation IP address here.

  • REGISTRY_PASSWORD is the value you set for your registry password.

If you decide to use your own container registry, skip to the Upload images into the container registry section.

Set up the Anthos private mode container registry

In this section, you set up a private container registry on the admin workstation. Run all the commands below from the admin workstation.

  1. If you don't have your own private container registry, install the Anthos private mode container registry.

    cd ~/anthos-baremetal-private-mode
    # Move it to a path under $PATH
    chmod a+x local-registry/docker-compose
    sudo cp local-registry/docker-compose /usr/bin
    # Install local registry
  2. Log into the registry to verify that you have access. You might need to wait a few seconds if you receive an error.

    docker login ${REGISTRY_HOST} -u admin -p ${REGISTRY_PASSWORD}


  • The Anthos private mode container registry is used for installing Anthos private mode only. It's not suitable for production use yet.
  • The default public registry project is library and it can be used by default, however, you can login to the registry and create a new project if desired.
  • The container registry is available at https://REGISTRY_HOST/ after the service is started. The login credentials are username admin and REGISTRY_PASSWORD for the password.
  • The credentials are stored unencrypted in /home/<USER>/.docker/config.json.

Upload images into the container registry

In this section, you upload the Anthos private mode container images to your container registry.

Prepare and upload the Anthos private mode container images to your container registry. If prompted, choose the Use that credential option, or enter the new credentials.

actl images push --private-registry=${PRIVATE_REGISTRY} \
    --images ~/anthos-baremetal-private-mode

Note: If you use an HTTP proxy on your workstation, you may need to unset the following environment variables for the actl images push command to work:

unset http_proxy
unset https_proxy

What's next