Kubernetes Engine

https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/

https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering#create_the_cost_breakdown_table

https://github.com/j143/solutions-gke-autoprovisioning

Creating roles with kubectl

kubectl create role pod-reader \
  --resource=pods --verb=watch --verb=get --verb=list

Labs

Name of the lab:

Deploy Kubernetes to cloud

GKE best practices: security

Google Cloud's operation suite on GKE

Options

Configuration

Cluster named bootcamp status:

Custom scheduler

https://banzaicloud.com/blog/k8s-custom-scheduler/

Secrets

Builtin Type                           Usage
Opaque                                 arbitrary user-defined data
kubernetes.io/service-account-token    service account token
kubernetes.io/dockercfg                serialized ~/.dockercfg file
kubernetes.io/dockerconfigjson         serialized ~/.docker/config.json file
kubernetes.io/basic-auth               credentials for basic authentication
kubernetes.io/ssh-auth                 credentials for SSH authentication
kubernetes.io/tls                      data for a TLS client or server
bootstrap.kubernetes.io/token          bootstrap token data
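A typed Secret, as an added example that is not from the original notes. Setting one of the builtin types above makes the API server validate the object against the key layout that type defines (for kubernetes.io/basic-auth, the username and password keys), so a consumer can rely on the shape of what it mounts. The name, namespace and values are constructed placeholders.

```yaml
# Added example: a kubernetes.io/basic-auth Secret.
# Name, namespace and values are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-basic-auth
  namespace: demo
type: kubernetes.io/basic-auth   # API server checks for the "username" and "password" keys
stringData:                      # written in plain text here; stored base64-encoded under "data"
  username: app-user
  password: REPLACE_ME           # placeholder; supply the real value at apply time, never commit it
```

Using stringData instead of data avoids hand-encoding base64, but the stored object is still only base64-encoded, not encrypted; restrict who can `get` secrets in the namespace with RBAC and enable etcd encryption at rest (on GKE, application-layer secrets encryption) for defence in depth.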

Container Hub

https://cloud.google.com/sdk/gcloud/reference/container/hub/memberships

kubectl config view

Deployment docs

https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

Create Cluster

For creating a basic cluster:

For node pools: https://cloud.google.com/sdk/gcloud/reference/container/node-pools/create#--machine-type

To drain the nodes of a node pool, use: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/

Config Sync namespace-scoped objects: https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/namespace-scoped-objects

StorageClass creation

Persistent Volume Claim

Cluster credentials

https://cloud.google.com/sdk/gcloud/reference/container/clusters/get-credentials

K8s docs

Understanding and Combining GKE Autoscaling Strategies - https://www.qwiklabs.com/focuses/15636?parent=catalog

Kubernetes Security

Grafeas - API spec for managing metadata about software resources such as container images, virtual machines, JAR files and scripts.

Kritis - API that blocks a deployment unless the artifact conforms to a central policy.

Binary Authorization - https://google.qwiklabs.com/focuses/5154?parent=catalog

https://cloud.google.com/solutions/binary-auth-with-cloud-build-and-gke

https://cloud.google.com/binary-authorization/docs/configuring-policy-cli

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/

Persistent volume claim resize

Metadata endpoint protections

--metadata=disable-legacy-endpoints=true

Federate multiple gke clusters with Anthos Service Mesh

https://github.com/GoogleCloudPlatform/professional-services/tree/main/examples/anthos-service-mesh-multicluster

Shared VPC

Anthos Service Mesh 1.8 can be used for a single shared VPC, even across multiple projects.

SSL/TLS termination

TLS termination for external requests is supported with Anthos Service Mesh 1.0. Doing so requires modifying the Anthos Service Mesh setup files.

Anthos Service Mesh can be set up with https://cloud.google.com/service-mesh/docs/scripted-install/gke-asm-onboard-1-7#install_asm. A custom istio-operator.yaml file can be used by running install_asm with the --custom_overlay option.

In order for Istio (i.e., Anthos Service Mesh) to allow access to external services only where they are declared, change the egress policy to REGISTRY_ONLY: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy
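Both halves of that change, as an added example that is not from Google's or Istio's documentation: the first document is an IstioOperator overlay of the kind passed to install_asm with --custom_overlay, switching the mesh from its default ALLOW_ANY to REGISTRY_ONLY; the second is a ServiceEntry, applied with kubectl, that declares the single external host the workloads may still reach. The hostname api.example.com and the namespace demo are assumed.

```yaml
# Added example: IstioOperator overlay for install_asm --custom_overlay.
# Sidecars may then only open outbound connections to hosts in the service registry.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY        # default is ALLOW_ANY: any external host is reachable
---
# Added example: ServiceEntry that allowlists one external host (hostname assumed).
# Applied separately with kubectl, not part of the overlay file.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
  namespace: demo
spec:
  hosts:
  - api.example.com
  location: MESH_EXTERNAL        # outside the mesh: no mTLS, no sidecar on the far end
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: TLS                # passthrough; the workload performs its own TLS handshake
```

With REGISTRY_ONLY in place, a connection from a sidecar-injected pod to an undeclared host fails at the proxy (typically as a connection reset or a 502 for HTTP), and the proxy's access log records the destination, which gives a usable signal for spotting unexpected egress.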

Security

Anthos Service Mesh has inherent security features (and limitations).

ASM inherently implements Istio security best practices, such as namespaces and limited service accounts. Workload Identity is an optional GKE-specific service account, limited to a namespace.

The Istio ingress gateway needs to be secured manually.

Container workload security

GKE cluster network policies allow you to define workload access across pods and namespaces. This is built on top of the Kubernetes NetworkPolicy API.

Securing container workloads in GKE - involves a layered approach to node security, pod/container security contexts and pod security policies.

Container runtime (Containerd)

Use cos_containerd runtime for GKE clusters using Anthos Service Mesh.

External databases with Google Cloud SQL for PostgreSQL

Cloud SQL is external to GKE, thus requiring GKE to do SSL termination for external services. With Anthos Service Mesh, you can use an Istio ingress gateway, which allows SSL passthrough, so that the server certificates can reside in a container.

PostgreSQL uses application-level protocol negotiation for SSL connections. The Istio proxy currently uses TCP-level protocol negotiation. This causes the Istio proxy sidecar to error out during the SSL handshake, when it tries to auto-encrypt the connection with PostgreSQL.

Towards federated clusters

Anthos Service Mesh 1.8 can federate multiple GKE clusters. Taken as managed Istio in a single VPC, this container orchestration model takes GKE to its full potential, and can be configured using tools like Terraform and shell scripts.

k8s

DaemonSet

https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#writing-a-daemonset-spec

https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/

https://kubernetes.io/docs/concepts/overview/working-with-objects/object-management/

Updating host file system
