GCP GKE - ghdrako/doc_snipets Wiki

# Add cluster credentials to the kubeconfig file ($HOME/.kube/config)
gcloud container clusters \
  get-credentials [CLUSTER_NAME] \
  --zone [ZONE_NAME]

kubectl - tool to administer workloads inside the cluster. It is not used to create a cluster or change the cluster's shape (node count, node pools); gcloud does that.

gcloud container clusters resize #  increase the number of nodes in the

GKE Autopilot

GKE Autopilot is a newer mode of operation for GKE clusters, offered alongside the Standard mode. In Autopilot, GKE itself provisions and manages the cluster, nodes, and node pools, providing an optimized cluster and a fully managed experience. You no longer need to worry about the health of your nodes or Pods; Google monitors and manages them. The SLA covers both the control plane and the Pods. Another important aspect is that you don't need to plan the capacity required to host your Pods, as the service takes care of that for you.

See: https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview

Node pool

A node pool is a subset of a cluster's nodes that share the same configuration, e.g. amount of memory or CPU generation.

Node pools are useful if your workloads have special resource requirements. You can use node taints together with Pod tolerations to make sure a workload is scheduled only on nodes of a particular pool.

Node pools are managed with the gcloud container node-pools command.
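As an added example (not from this wiki), the taint/toleration pairing described above, end to end: a node pool created with a taint and a matching label, and a Pod that tolerates the taint and selects the pool. CLUSTER, ZONE, POOL, the taint key `workload=highmem` and the image reference are placeholders. The gcloud/kubectl calls only run when the script is invoked with `apply`; the consistency check runs without a cluster.

```shell
#!/bin/sh
# Constructed example: dedicate a tainted node pool to one workload class.
# CLUSTER, ZONE, POOL and the taint key/value are placeholders.
CLUSTER="${CLUSTER:-example-cluster}"
ZONE="${ZONE:-us-central1-a}"
POOL="${POOL:-highmem-pool}"

# Create the pool with a taint and a matching node label.
# Pods without a toleration for this taint are never scheduled here.
create_pool() {
  gcloud container node-pools create "$POOL" \
    --cluster "$CLUSTER" --zone "$ZONE" \
    --machine-type n2-highmem-4 --num-nodes 1 \
    --node-labels "workload=highmem" \
    --node-taints "workload=highmem:NoSchedule"
}

# Emit a Pod that tolerates the taint (may land on the pool) and also
# uses nodeSelector (must land on the pool) - the taint alone only repels others.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: highmem-job
spec:
  nodeSelector:
    workload: highmem
  tolerations:
  - key: workload
    operator: Equal
    value: highmem
    effect: NoSchedule
  containers:
  - name: app
    image: REGISTRY/IMAGE:TAG   # placeholder image reference
EOF
}

# Offline sanity check: the toleration's key, value and effect must match
# the taint given to the node pool, otherwise the Pod stays Pending.
taint_matches_toleration() {
  pod_manifest | grep -q 'key: workload' &&
  pod_manifest | grep -q 'value: highmem' &&
  pod_manifest | grep -q 'effect: NoSchedule'
}

if [ "${1:-}" = "apply" ]; then
  taint_matches_toleration || { echo "toleration does not match taint" >&2; exit 1; }
  create_pool
  pod_manifest | kubectl apply -f -
fi
```

The nodeSelector is the part people forget: a toleration only lets the Pod onto the tainted pool, it does not keep it off the untainted default pool.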

Cluster autoscaler

GKE's cluster autoscaler automatically resizes the number of nodes in a given node pool, based on the demands of your workloads.

gcloud container clusters create example-cluster \
  --num-nodes 2 \
  --zone us-central1-a \
  --node-locations us-central1-a,us-central1-b,us-central1-f \
  --enable-autoscaling --min-nodes 1 --max-nodes 4

Binary Authorization

Binary Authorization is a Google Cloud managed service that works closely with GKE to enforce deploy-time security controls to ensure that only trusted container images are deployed. With Binary Authorization you can allowlist container registries, require images to be signed by trusted authorities, and centrally enforce those policies. By enforcing this policy, you can gain tighter control over your container environment by ensuring only approved and/or verified images are integrated into the build-and-release process.

  1. Export the current Binary Authorization policy via gcloud:
gcloud beta container binauthz policy export > policy.yaml
  2. Make the necessary edits to policy.yaml
  3. Import the edited policy:
gcloud beta container binauthz policy import policy.yaml

The policy you are editing is the “default” policy, and it applies to all GKE clusters in the Google Cloud project unless a cluster-specific policy is in place. The recommendation is to create policies specific to each cluster and achieve successful operation (allowlisting registries as needed), and then set the default project-level policy to “Deny All Images”. Any new cluster in this project will then need its own cluster-specific policy.
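As an added example (not from this wiki), the recommended end state described above written out as a policy: the project default denies all images, one cluster has its own rule requiring a signature from a named attestor, and one registry path is allowlisted. PROJECT_ID, ATTESTOR_NAME, the cluster key (format LOCATION.CLUSTER_NAME) and the registry pattern are placeholders. The import only runs when the script is invoked with `import`, and only after a check that the default rule is really "deny all".

```shell
#!/bin/sh
# Constructed example of the export -> edit -> import workflow.
# PROJECT_ID, ATTESTOR_NAME, CLUSTER_KEY and the registry path are placeholders.
PROJECT_ID="${PROJECT_ID:-PROJECT_ID}"
ATTESTOR="${ATTESTOR:-ATTESTOR_NAME}"
CLUSTER_KEY="${CLUSTER_KEY:-us-central1-a.example-cluster}"   # LOCATION.CLUSTER_NAME

# Project-level policy: deny everything by default; the named cluster may run
# only images attested by ATTESTOR or matching the allowlisted registry path.
policy_yaml() {
  cat <<EOF
name: projects/${PROJECT_ID}/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
- namePattern: us-docker.pkg.dev/${PROJECT_ID}/trusted-repo/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
  ${CLUSTER_KEY}:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/${PROJECT_ID}/attestors/${ATTESTOR}
EOF
}

# Guard before import: the defaultAdmissionRule block must say ALWAYS_DENY,
# so any cluster without its own rule cannot run anything.
default_denies_all() {
  policy_yaml | awk '
    /^defaultAdmissionRule:/ { in_default = 1; next }
    /^[^ ]/                  { in_default = 0 }
    in_default && /evaluationMode: ALWAYS_DENY/ { found = 1 }
    END { exit !found }'
}

if [ "${1:-}" = "import" ]; then
  default_denies_all || { echo "refusing to import: default rule is not ALWAYS_DENY" >&2; exit 1; }
  policy_yaml > policy.yaml
  gcloud container binauthz policy import policy.yaml
fi
```

ENFORCED_BLOCK_AND_AUDIT_LOG both rejects the deployment and writes an audit log entry; the dry-run alternative (DRYRUN_AUDIT_LOG_ONLY) is useful while allowlisting registries for a new cluster before tightening the default.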

Release channel

  • Rapid channel: Used by early adopters. Allows you to use the newest features in a couple of weeks from the General Availability (GA) release of the Kubernetes minor version. Note that Google does not provide any SLA for this option.
  • Regular channel: Provides a compromise between reliability and available features. Available 2-3 months after the Rapid channel's release.
  • Stable channel: The most stable and well-tested option. Available 2-3 months after the Regular channel's release. Use this channel when reliability is your priority.