GCP GKE - ghdrako/doc_snipets GitHub Wiki

Info on vulnerabilities

GKE versions

GKE and ASM compatibility table

ASM Service Mesh

# Add cluster credentials to the kubeconfig file ($HOME/.kube/config)
gcloud container clusters get-credentials [CLUSTER_NAME] \
  --zone [ZONE_NAME]

kubectl - tool to administer what runs inside the cluster. It does not create clusters or change the cluster shape (nodes, node pools); that is done with gcloud.

gcloud container clusters resize  # increase or decrease the number of nodes in a node pool of the cluster

GKE Autopilot

GKE Autopilot is a mode of operation for GKE clusters alongside the Standard mode. In Autopilot, GKE itself provisions and manages the cluster, nodes and node pools, giving you an optimized cluster and a fully managed experience. You no longer need to look after the health of your nodes or Pods; Google monitors and manages them, and the SLA covers both the control plane and the Pods. You also do not need to plan the capacity required to host your Pods, as the service takes care of that. Autopilot also locks the nodes down: there is no SSH access to them, and workloads that need privileged containers or host namespaces are rejected by its admission policy, so check that your workloads fit before choosing this mode.

Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview

Node pool

A node pool is a subset of the nodes in a cluster that share the same configuration, e.g. amount of memory or CPU generation.

Node pools are useful if your workloads have special resource or isolation requirements. Use node taints together with Pod tolerations (and a nodeSelector) to make sure a workload is scheduled only on a particular pool.

Node pools are managed with the gcloud container node-pools command.

GKE's cluster autoscaler automatically resizes the number of nodes in a given node pool, based on the demands of your workloads.

# --num-nodes, --min-nodes and --max-nodes are per zone: with three node
# locations this cluster starts with 6 nodes and autoscales between 3 and 12.
gcloud container clusters create example-cluster \
  --num-nodes 2 \
  --zone us-central1-a \
  --node-locations us-central1-a,us-central1-b,us-central1-f \
  --enable-autoscaling --min-nodes 1 --max-nodes 4
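The taint/toleration pattern above, as an added example (not code from the wiki): a dedicated node pool for a sensitive workload, and a Pod that is pinned to it. Cluster, zone, pool and image names are assumptions. The common mistake it guards against is relying on the toleration alone: a toleration only permits the Pod on the tainted nodes, it does not keep it off the other pools, so a nodeSelector on GKE's cloud.google.com/gke-nodepool label is added as well. gcloud and kubectl are only called when APPLY=1; otherwise the manifest is printed for review.

```shell
#!/bin/sh
# Added example, not from the wiki. Names below are assumptions.
set -eu

CLUSTER="${CLUSTER:-example-cluster}"
ZONE="${ZONE:-us-central1-a}"
POOL="${POOL:-secure-pool}"
TAINT_KEY="workload"
TAINT_VALUE="sensitive"

# The NoSchedule taint keeps every other Pod off these nodes unless the Pod
# explicitly tolerates the taint.
create_tainted_pool() {
  gcloud container node-pools create "$POOL" \
    --cluster "$CLUSTER" --zone "$ZONE" \
    --num-nodes 1 --enable-autoscaling --min-nodes 1 --max-nodes 3 \
    --node-taints "${TAINT_KEY}=${TAINT_VALUE}:NoSchedule"
}

# A toleration only *permits* scheduling on the tainted pool; it does not
# *require* it. The nodeSelector on the label GKE puts on every node
# (cloud.google.com/gke-nodepool=<pool>) is what keeps the Pod from landing
# on a general-purpose pool.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: payments-worker
spec:
  nodeSelector:
    cloud.google.com/gke-nodepool: ${POOL}
  tolerations:
  - key: ${TAINT_KEY}
    operator: Equal
    value: ${TAINT_VALUE}
    effect: NoSchedule
  containers:
  - name: worker
    image: gcr.io/example-project/payments-worker:1.4.2
EOF
}

# Read a manifest on stdin and succeed only if it both tolerates the taint
# and selects the pool given as $1. Use it as a pre-apply check.
manifest_is_pinned() {
  m="$(cat)"
  printf '%s\n' "$m" | grep -qF "cloud.google.com/gke-nodepool: $1" &&
    printf '%s\n' "$m" | grep -qF "effect: NoSchedule"
}

if [ "${APPLY:-0}" = "1" ]; then
  create_tainted_pool
  pod_manifest | manifest_is_pinned "$POOL"
  pod_manifest | kubectl apply -f -
else
  pod_manifest
fi
```

Run it without APPLY to see the manifest; run `APPLY=1 ./script.sh` against a cluster you are authenticated to. The same check works on any existing manifest: `kubectl get pod NAME -o yaml | manifest_is_pinned secure-pool`.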

Binary Authorization

Binary Authorization is a Google Cloud managed service that works closely with GKE to enforce deploy-time security controls to ensure that only trusted container images are deployed. With Binary Authorization you can allowlist container registries, require images to be signed by trusted authorities, and centrally enforce those policies. By enforcing this policy, you can gain tighter control over your container environment by ensuring only approved and/or verified images are integrated into the build-and-release process.

  1. Export the Binary Authorization policy via gcloud (the command also exists without beta):
gcloud beta container binauthz policy export > policy.yaml
  2. Make the necessary edits to policy.yaml
  3. Import it back:
gcloud beta container binauthz policy import policy.yaml

The policy you are editing is the "default" policy, and it applies to all GKE clusters in the Google Cloud project unless a cluster-specific rule (keyed by LOCATION.CLUSTER_NAME in clusterAdmissionRules) is in place. The recommendation is to create rules specific to each cluster and get them working (allowlisting registries as needed), and then set the default project-level rule to "Deny All Images". Any new cluster in this project will then need its own cluster-specific rule. Note that the policy is only enforced on clusters that have Binary Authorization enabled (--binauthz-evaluation-mode on gcloud container clusters create/update).
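The layout recommended above, as an added example (not code from the wiki or Google's own): a script that renders the policy with a deny-all project default and one explicit rule per cluster, then imports it. PROJECT_ID, the attestor, the cluster names and locations, and the allowlisted third-party image are assumptions. The production cluster requires attestations and blocks; the dev cluster has the same rule in DRYRUN mode so refusals show up in audit logs before enforcement is turned on. gcloud is only called when APPLY=1; otherwise the policy is printed for review.

```shell
#!/bin/sh
# Added example, not from the wiki. Names below are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"
ATTESTOR="${ATTESTOR:-build-verifier}"

# One clusterAdmissionRules entry. Keys are LOCATION.CLUSTER_NAME.
#   $1 location  $2 cluster  $3 evaluationMode  $4 enforcementMode
# evaluationMode: ALWAYS_ALLOW | ALWAYS_DENY | REQUIRE_ATTESTATION
# enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG | DRYRUN_AUDIT_LOG_ONLY
cluster_rule() {
  printf '  %s.%s:\n    evaluationMode: %s\n    enforcementMode: %s\n' "$1" "$2" "$3" "$4"
  if [ "$3" = "REQUIRE_ATTESTATION" ]; then
    printf '    requireAttestationsBy:\n    - projects/%s/attestors/%s\n' "$PROJECT_ID" "$ATTESTOR"
  fi
}

# globalPolicyEvaluationMode: ENABLE exempts the Google-maintained system
# images GKE itself runs, so the deny-all default does not break the cluster.
# admissionWhitelistPatterns apply to EVERY rule in the policy, so keep them
# narrow: never allowlist your own registry, or attestation is bypassed.
# The single pattern below stands for an assumed third-party sidecar image.
render_policy() {
  cat <<EOF
name: projects/${PROJECT_ID}/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
- namePattern: gcr.io/example-vendor/log-shipper:*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
EOF
  cluster_rule us-central1-a prod-cluster REQUIRE_ATTESTATION ENFORCED_BLOCK_AND_AUDIT_LOG
  cluster_rule us-central1-b dev-cluster REQUIRE_ATTESTATION DRYRUN_AUDIT_LOG_ONLY
}

# Pre-import checks: the project default really denies, and the cluster
# you are about to enable enforcement on has its own rule.
default_is_deny() {
  render_policy | sed -n '/^defaultAdmissionRule:/,/^[^ ]/p' | grep -q 'evaluationMode: ALWAYS_DENY'
}
policy_has_rule() {
  render_policy | grep -qF "  $1.$2:"
}

if [ "${APPLY:-0}" = "1" ]; then
  default_is_deny
  policy_has_rule us-central1-a prod-cluster
  render_policy > policy.yaml
  gcloud container binauthz policy import policy.yaml --project "$PROJECT_ID"
  # The policy only takes effect on clusters where enforcement is switched on.
  gcloud container clusters update prod-cluster --zone us-central1-a \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE --project "$PROJECT_ID"
else
  render_policy
fi
```

After importing, `gcloud container binauthz policy export` should print the same document; a deploy of an unsigned image to prod-cluster is then rejected by the admission webhook, while on dev-cluster it is admitted and logged.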

Release channel

  • Rapid channel: Used by early adopters. Lets you use the newest features within a couple of weeks of the General Availability (GA) release of a Kubernetes minor version. Note that Google does not provide an SLA for this channel.
  • Regular channel: A compromise between reliability and available features. Versions arrive 2-3 months after their release to the Rapid channel.
  • Stable channel: The most stable and best tested. Versions arrive 2-3 months after their release to the Regular channel. Use this channel when reliability is the priority.

Node pool

list existing pools

gcloud container node-pools list --cluster CLUSTER_NAME

Adding node pools

gcloud container node-pools create POOL_NAME --cluster CLUSTER_NAME --region=REGION_NAME

Resizing a node pool

gcloud container clusters resize CLUSTER_NAME --node-pool NODE_POOL_NAME --num-nodes NUM_NODES

Delete

gcloud container node-pools delete NODE_POOL_NAME --cluster CLUSTER_NAME --zone=ZONE_NAME

Upgrade cluster

  1. Control plane upgrade
kubectl version  # show client and cluster (server) version
gcloud container get-server-config --zone <ZONE>  # list available and default versions per release channel
gcloud container clusters upgrade <CLUSTER_NAME> --master  # to the default version
gcloud container clusters upgrade <CLUSTER_NAME> --master --cluster-version <VERSION>  # to a specific version
  2. Node pool upgrade
kubectl get nodes  # show node versions
gcloud container node-pools describe <NODE_POOL_NAME> --cluster=<CLUSTER_NAME> --zone=<ZONE>  # check current version
gcloud container clusters upgrade <CLUSTER_NAME> --node-pool=<NODE_POOL_NAME> --cluster-version <VERSION>
gcloud container operations list  # find the upgrade operation
gcloud container operations describe <OPERATION_ID>
Upgrade the control plane first: nodes may not run a newer version than the control plane and must stay within the supported version skew of it. A node pool upgrade recreates nodes and drains their Pods, so set PodDisruptionBudgets for anything that must stay available.
  3. ASM upgrade