Google Kubernetes Engine
Fusion streamlines the deployment of Nextflow pipelines in Kubernetes because it replaces the need to configure and maintain a shared file system in your cluster.
Platform Google Kubernetes Engine compute environments
Seqera Platform supports Fusion in Google Kubernetes Engine (GKE) compute environments.
See Google Kubernetes Engine for Platform instructions to enable Fusion.
Nextflow CLI
This feature requires Nextflow 23.02.1-edge or later.
To use Fusion directly in Nextflow with a GKE cluster, you must configure a cluster, namespace, and service account, and update your Nextflow configuration.
Kubernetes configuration
- Create a GKE "standard" cluster ("Autopilot" is not supported). See Creating a zonal cluster for more information.
- Use instance types with 2 or more CPUs and SSD storage (families: n1, n2, c2, m1, m2, m3).
- Enable the Workload identity feature when creating (or updating) the cluster:
  - Enable Workload Identity in the cluster Security settings.
  - Enable GKE Metadata Server in the node group Security settings.
- See Authenticate to Google Cloud APIs from GKE workloads to configure the cluster.
- Replace the following example values with values corresponding to your environment:
  - CLUSTER_NAME: the GKE cluster name (example: cluster-1)
  - COMPUTE_REGION: the GKE cluster region (example: europe-west1)
  - NAMESPACE: the GKE namespace (example: fusion-demo)
  - KSA_NAME: the GKE service account name (example: fusion-sa)
  - GSA_NAME: the Google service account (example: gsa-demo)
  - GSA_PROJECT: the Google project id (example: my-nf-project-261815)
  - PROJECT_ID: the Google project id (example: my-nf-project-261815)
  - ROLE_NAME: the role to grant access permissions to the Google Storage bucket (example: roles/storage.admin)
- Create the K8s role and rolebinding required to run Nextflow by applying the following Kubernetes config:

      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        namespace: fusion-demo
        name: fusion-role
      rules:
        - apiGroups: [""]
          resources: ["pods", "pods/status", "pods/log", "pods/exec"]
          verbs: ["get", "list", "watch", "create", "delete"]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        namespace: fusion-demo
        name: fusion-rolebind
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: fusion-role
      subjects:
        - kind: ServiceAccount
          name: fusion-sa
      ---
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: fusion-demo
        name: fusion-sa-token
        annotations:
          kubernetes.io/service-account.name: fusion-sa
      type: kubernetes.io/service-account-token
      ...
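
The Workload Identity wiring that the steps above refer to, written out with this page's example values. This is an added example, not code from the original page. It assumes `gcloud` and `kubectl` are installed and authenticated; the helper names (`run`, `gsa_email`, `wi_member`, `setup_workload_identity`) and the `DRY_RUN` switch are illustrative.

```shell
#!/bin/sh
# Added example: binds the Kubernetes service account to a Google service
# account via Workload Identity. Dry-run by default (commands are printed,
# not executed); set DRY_RUN=0 to apply them.
set -eu

CLUSTER_NAME=${CLUSTER_NAME:-cluster-1}
COMPUTE_REGION=${COMPUTE_REGION:-europe-west1}
NAMESPACE=${NAMESPACE:-fusion-demo}
KSA_NAME=${KSA_NAME:-fusion-sa}
GSA_NAME=${GSA_NAME:-gsa-demo}
GSA_PROJECT=${GSA_PROJECT:-my-nf-project-261815}
PROJECT_ID=${PROJECT_ID:-my-nf-project-261815}
ROLE_NAME=${ROLE_NAME:-roles/storage.admin}
DRY_RUN=${DRY_RUN:-1}

# Email of the Google service account the pods will act as.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$GSA_NAME" "$GSA_PROJECT"; }

# IAM member naming the Kubernetes service account inside the cluster's
# workload identity pool: PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME"; }

# Print the command; execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

setup_workload_identity() {
  run gcloud container clusters get-credentials "$CLUSTER_NAME" --region "$COMPUTE_REGION"
  run kubectl create namespace "$NAMESPACE"
  run kubectl create serviceaccount "$KSA_NAME" --namespace "$NAMESPACE"
  run gcloud iam service-accounts create "$GSA_NAME" --project "$GSA_PROJECT"
  # Grants ROLE_NAME at project level to the Google service account.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$(gsa_email)" --role "$ROLE_NAME"
  # Lets only this namespace/service-account pair act as the Google account.
  run gcloud iam service-accounts add-iam-policy-binding "$(gsa_email)" \
    --role roles/iam.workloadIdentityUser --member "$(wi_member)"
  # Points the Kubernetes service account at the Google service account.
  run kubectl annotate serviceaccount "$KSA_NAME" --namespace "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=$(gsa_email)"
}

setup_workload_identity
```

With `DRY_RUN=0` the script stops at the first failing command, so a `create` step for a resource that already exists ends the run.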
Nextflow configuration
- Add the following to your nextflow.config file:

      process.executor = 'k8s'
      process.scratch = false
      wave.enabled = true
      fusion.enabled = true
      tower.accessToken = '<PLATFORM_ACCESS_TOKEN>'
      k8s.context = '<GKE_CLUSTER_CONTEXT>'
      k8s.namespace = 'fusion-demo'
      k8s.serviceAccount = 'fusion-sa'
      k8s.pod.nodeSelector = 'iam.gke.io/gke-metadata-server-enabled=true'

  Replace the following:
  - <PLATFORM_ACCESS_TOKEN>: your Platform access token.
  - <GKE_CLUSTER_CONTEXT>: your Kubernetes configuration context name.
- Run the pipeline with the Nextflow run command:

      nextflow run <PIPELINE_SCRIPT> -w gs://<GCS_BUCKET>/work

  Replace the following:
  - <PIPELINE_SCRIPT>: your pipeline Git repository URI.
  - <GCS_BUCKET>: your Google Cloud Storage bucket.
When using Fusion, pods will run as privileged by default.
To use Fusion without escalating privileges, install the Nextflow FUSE device plugin on your Kubernetes cluster and set fusion.privileged to false in your nextflow.config file:

    fusion.privileged = false

To use a custom FUSE device plugin, specify it via the k8s.fuseDevicePlugin configuration option. See Kubernetes configuration options for details.