GCP & Kubernetes


1. Google Cloud Platform

1.1. Networking

1.1.1. https://cloud.google.com/compute/docs/networking

1.1.2. Different networks - even in the same project - cannot communicate directly with each other - they must communicate through the internet (or possibly through a common VPN)

1.1.3. Each network can have different subnets. Subnets can communicate with each other - given appropriate firewall rules

1.1.4. Even hosts on the same subnet cannot communicate without a firewall rule allowing it, creating much greater granularity than is available with traditional networks.

1.1.5. Tags can be used for creating firewall rules, greatly simplifying granular firewall rule creation. The same tags can be used in multiple networks; however, tags are not recognized across networks. E.g., if I tag server A as "ping-from" on network X and server B as "ping-to" on network Y, and attempt to ping from A to B's external IP, it won't work if my rule on network Y is to allow ping-from to ping ping-to. But I can create a rule on network Y to allow A's external IP to ping any ping-to systems, and A will be able to ping B.

1.1.6. commands: gcloud compute networks create <network_name> --mode auto - creates a new network with auto subnets

1.2. regions & zones

1.2.1. gcloud config set compute/zone us-east1-d

1.3. Container Engine

1.3.1. built on Kubernetes. Kubernetes cluster commands:

1.3.1.1. gcloud container clusters create <cluster-name> --network <network> --scopes "https://www.googleapis.com/auth/projecthosting,storage-rw"

1.3.1.2. gcloud container clusters delete <cluster-name>

1.3.1.3. gcloud container clusters list

1.3.1.4. gcloud container clusters get-credentials <cluster>

1.3.2. Docker: gcloud docker -- <docker command> EG:

1.3.3. Container Registry: gcr.io/<project-name>. List images with gcloud container images list

1.3.4. Good Intro

1.4. Compute Engine

1.4.1. gcloud compute images list - lists all the images available

1.5. Cloud Shell

1.5.1. appears to be one instance per user - same instance across multiple projects

1.5.2. Appears to be independent of project (my k8s config shows clusters in multiple projects)

1.6. Cook Books

1.6.1. Take a standard image, add an application, make an image, deploy in a pod

1.7. Tutorials

1.7.1. Jenkins in GKE See also

1.8. Projects

1.8.1. gcloud projects list

1.8.2. Guide to projects, permissions, & accounts

1.9. AAA

1.9.1. 2FA Enforcement: after turning on enforcement, all new users need to be placed into an exception group so they can set up 2FA

1.9.2. Google Cloud Directory Sync best practices

1.10. to authenticate in SDK:

1.10.1. gcloud auth application-default login

1.11. Documentation

1.11.1. Google Cloud Compute Tips

1.12. gcloud

1.12.1. config

1.12.1.1. gcloud config configurations list - lists all your configurations

1.12.1.2. gcloud config configurations activate <configuration-name> - change configurations

1.12.2. --format: table format with no labels: --format 'table(zone:label="")'; json format: --format json

2. Kubernetes (K8s)

2.1. Documentation

2.1.1. what is kubernetes

2.1.2. User Guide

2.1.3. Xoriant Blog - K Building Blocks

2.1.4. Network Design

2.1.5. Tutorials

2.1.6. Security Best Practices - good, only slightly TwistLock biased

2.1.7. 4-Day Docker & Kubernetes Training

2.1.8. KubeWeekly - TONS of K8s-relevant info

2.2. has

2.2.1. Cluster - a group of nodes

2.2.1.1. Node - a physical or virtual machine

2.2.1.2. Namespaces - allow isolation between pods within a cluster - perhaps for different teams, perhaps by environment (dev, test, prod). Default: within a namespace, all pods can talk to each other. DefaultDeny: pods in the namespace will be inaccessible from any source except the pod's local node

2.2.1.3. A production cluster should have at least 3 nodes

2.2.1.4. disks

2.2.2. Master Controller (typically 1) has: Deployments, Discovery Service, Replication Controller, Scheduling Manager, Heapster, GLBC - GCE Load Balance Controller (GCE only), KubeDNS, dashboard, API

2.2.3. command line utility kubectl has

2.2.4. Services - a single endpoint in front of multiple pods, providing a consistent point of entry for the service consumer. Types: LoadBalancer, NodePort. Integrate w HashiCorp Vault?

2.2.5. Networking - IP-per-Pod model: IP addresses are applied at the Pod level; all containers within a Pod use different ports on the same IP; a Pod's single IP is the same inside and outside the pod. Service: pod load balancing, virtual IP for client access. Google Compute Engine: each VM

2.2.6. namespaces create subdomains for services: <service-name>.<namespace-name>.svc.cluster.local. See https://kubernetes.io/docs/admin/namespaces/

2.2.7. Labels

2.2.8. Secrets - implemented in etcd; not encrypted; available to all containers in the cluster. See also Secrets Management (more here than just K8s)

2.2.9. contexts seems to be

2.2.10. console GUI can be used to explore API

2.3. kubectl commands

2.3.1. kubectl cheat sheet

2.3.2. kubectl cluster-info - gets info about the cluster

2.3.3. kubectl get - lists the objects in the cluster

2.3.3.1. kubectl get nodes

2.3.3.2. kubectl get services

2.3.3.3. kubectl get deployments

2.3.3.4. kubectl get pods -l <label-name>=<label-value>

2.3.4. kubectl proxy - creates a route between the terminal and the K8s cluster, allowing access to the API. Open a browser to http://localhost:8001/ui for the K8s GUI

2.3.5. kubectl expose - exposes a deployment as a service externally. EG kubectl expose deployment/kubernetes-bootcamp --type="NodePort" --port 8080. How to determine if an exposed service requires authentication or not? How to require auth?

2.3.6. kubectl describe - describes an object with a lot of details

2.3.6.1. kubectl describe deployment

2.3.6.2. kubectl describe services

2.3.6.3. kubectl describe services/kubernetes-bootcamp

2.3.7. kubectl run - creates a deployment

2.3.8. kubectl config

2.3.8.1. kubectl config get-contexts - lists all the contexts available in the k8s config

2.3.8.2. kubectl config use-context <context-name> - sets the current context

2.3.9. kubectl exec - runs a command in a container. Often used to get to a shell: kubectl exec <pod-name> -it -- "bash"

2.3.10. kubectl attach (look this up) - EG kubectl attach nettools-3282871191-3m089 -c nettools -ti

2.3.11. kubectl top pods - shows top pods by CPU load

2.4. k8s runs

2.4.1. deployments

2.4.2. jobs - if a job fails, it will try again (check to see if this is really true or if there is a setting to control it)

2.4.3. bare pod - if you want something to just terminate if it fails (eg, building new infrastructure)

2.4.4. Replication Controllers

2.5. DNS

2.5.1. creates its own DNS: service.namespace.svc.cluster.local

2.6. deployments

2.6.1. deployment YAML: resources (limits, requests)

3. Docker

3.1. sample Dockerfiles

3.2. Dockerfile commands

3.2.1. FROM

3.2.3. RUN

3.3. commands

3.3.1. docker pull - pulls an image from another repo: docker pull <tag>

3.3.2. docker push - pushes an image to a repo

3.3.3. docker images - lists all images

3.3.4. docker ps - shows currently running docker processes; -a shows current and finished processes

3.3.5. docker build - docker build -t <tag> <Dockerfile location>. EG docker build -t user/nmap .

3.3.6. docker run - docker run <options> <tag> (options go before the image name). -it interactive; -v <from>:<to>:<permissions> share a volume or file

3.3.7. docker logs - docker logs <container name>

3.3.8. docker inspect - docker inspect <container name>

3.3.9. docker rm - docker rm <container name> - removes a container

3.3.10. docker rmi - removes an image: docker rmi <tag>

3.3.11. docker cp - docker cp <from> <to>

3.4. cookbooks

3.4.1. delete all images with <none> tag (find a better way): docker images | grep '<none>' | cut -c 72-83 | xargs -n1 docker image rm
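The cut -c 72-83 above depends on the REPOSITORY column always being the same width, which is not guaranteed. As an added example (not from these notes), the function below selects the IMAGE ID column by field instead of by character position; the docker images output it runs on is a constructed sample, so it works offline:

```shell
# Added example: select untagged ("<none>") image IDs from `docker images`
# output by column, not by character offset. The sample output below is
# constructed; real output comes from `docker images`.

SAMPLE_DOCKER_IMAGES='REPOSITORY                     TAG       IMAGE ID       CREATED        SIZE
gcr.io/my-project/hello-world  v1        48b5124b2768   2 weeks ago    1.84kB
<none>                         <none>    a1b2c3d4e5f6   3 weeks ago    120MB
nginx                          1.15      e445ab08b2be   4 weeks ago    109MB
<none>                         <none>    0f1e2d3c4b5a   5 weeks ago    85.2MB'

# Reads `docker images` text on stdin and prints one image ID per line for
# every row whose TAG column is <none>. The header row is skipped because
# its first field is the literal word REPOSITORY.
dangling_image_ids() {
  awk '$1 != "REPOSITORY" && $2 == "<none>" { print $3 }'
}

# Convenience: how many dangling images are in the listing on stdin.
count_dangling() {
  dangling_image_ids | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DOCKER_IMAGES" | dangling_image_ids
```

Against a real daemon the pipeline is docker images | dangling_image_ids | xargs -r docker rmi (the -r is GNU xargs, so an empty list is a no-op). Docker can also produce the same list itself without any parsing: docker images -f dangling=true -q.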

3.5. tools

3.5.1. container diff GoogleContainerTools/container-diff

4. cookbooks

4.1. Download a docker image & put it in my Google Cloud Repository (GCR)

4.1.1. find the image on dockerhub: docker search <search-text>

4.1.2. pull from dockerhub: docker pull <tag>. EG docker pull hello-world

4.1.3. check the list of images, get a tag: docker images

4.1.4. tag the image with my GCR info: docker tag <current-tag> <new-repo-specific-tag-and-version>. EG docker tag 48b5124b2768 gcr.io/my-project/hello-world:v1

4.1.5. push the image to my GCR

4.1.5.1. gcloud auth configure-docker

4.1.5.2. docker push <new-repo-specific-tag-and-version>. EG docker push gcr.io/my-project/hello-world:v1

4.1.5.3. DEPRECATED: gcloud docker -- push <new-repo-specific-tag-and-version>. EG gcloud docker -- push gcr.io/my-project/hello-world:v1. IMPORTANT: use gcloud so that your gcloud authentication is used

4.2. delete all exited & dead containers in docker

4.2.1. docker ps -f status=exited -f status=dead --format "{{.ID}}" | xargs docker rm

4.3. create a cluster

4.3.1. use the gui. Look at command line if you want it.

4.3.2. then, add the cluster to your kubectl config: gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project-name>

4.4. add a container to the cluster, creating a pod along the way

4.4.1. make sure the image is in your local repository first! docker images

4.4.2. use kubectl run to add the container: kubectl run <name> --image=<image-tag> (the first argument is the name of the deployment being created; it does not have to match the image name)

4.5. delete all clusters in your kubectl config (eg, the clusters have been deleted in GKE)

4.5.1. kubectl config get-clusters | grep -v NAME | xargs -n 1 kubectl config delete-cluster

4.6. get to a command line in a container. Replace "bash" with "sh" if bash is not supported in the container

4.6.1. If its the only container in the pod kubectl exec -it <pod-name> -- "bash"

4.6.2. If there are multiple containers in the pod, first find the name of the container you want: kubectl describe pod <pod-name>. Then exec the shell: kubectl exec -it <pod-name> -c <container-name> -- "bash" (the pod name is a positional argument; the old -p flag is deprecated)

4.7. list all the containers in all your clusters (close, but not working yet)

4.7.1. kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].name}"

4.7.2. kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.name}{", "}{end}{end}' | sort

4.8. list all your clusters

4.8.1. kubectl config view and then look in the contexts section

4.9. delete a pod/deployment

4.9.1. kubectl get pods list the pods to see your pod is there

4.9.2. kubectl get deployments get the name of your pod's deployment

4.9.3. kubectl delete deployment <deployment-name> you need to delete the deployment. If you delete the pod, kubernetes will recreate it

4.9.4. kubectl get deployments make sure your deployment is gone

4.9.5. kubectl get pods make sure your pod is gone

4.10. show all gke instances by name, zone, tags, & status

4.10.1. gcloud compute instances list --filter 'name~gke.*' --format "table(name:sort=1,zone,tags.items.list():label=TAGS,status)"

4.11. scaling

4.11.1. scale pods up and down kubectl scale deploy <deployment> -n <namespace> --replicas <replica count>

4.11.2. scale nodes up and down gcloud container clusters resize <cluster> --size <number of nodes per zone> --project <project> --zone <master zone>

4.12. restart a container without killing a pod

4.12.1. exec into the container and run kill -HUP 1

4.12.2. eg, exec in to the sidecar to restart nginx to pick up a new cert

4.13. check a certificate

4.13.1. in a running pod: openssl s_client -connect <domain-name>:<port> -servername <domain-name> </dev/null | openssl x509 -noout -text. Add | grep DNS if you only care about the DNS names (common name + subject alternative names). The </dev/null closes s_client's stdin so it exits after the handshake instead of waiting for input, and -servername sends SNI so a multi-host endpoint returns the right cert

4.13.2. in the secret for a pod list all the certs first kubectl get cert then describe the cert kubectl describe cert <cert-name>
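As an added example (not from these notes), the functions below do the same inspection on a certificate file, offline, and add the expiry check that a cert rotation followed by the kill -HUP reload in 4.12 should be gated on. They assume openssl (1.1.1 or later, for -addext) is on PATH; the certificate they run against is a constructed, self-signed demo cert with a one-day lifetime, not a real one.

```shell
# Added example: inspect a PEM certificate for its DNS names and expiry.
# Assumes `openssl` 1.1.1+ on PATH. The certificate is a constructed demo.

# Prints one DNS name per line from the subjectAltName extension.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' |
    tr ',' '\n' |
    sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Returns 0 (true) if the certificate expires within $2 seconds, else 1.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
# from now, so the sense is inverted here to read naturally in an `if`.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Prints the notAfter date, handy for a log line or a monitoring check.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Builds the constructed demo certificate (valid for 1 day) in a temp dir
# and prints the path to the PEM file. Hypothetical names only.
make_demo_cert() {
  _dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$_dir/key.pem" -out "$_dir/cert.pem" \
    -subj "/CN=app.example.test" \
    -addext "subjectAltName=DNS:app.example.test,DNS:www.example.test" \
    >/dev/null 2>&1
  echo "$_dir/cert.pem"
}

# Stand-alone demo.
DEMO_CERT=$(make_demo_cert)
echo "DNS names:"
cert_dns_names "$DEMO_CERT"
echo "notAfter: $(cert_not_after "$DEMO_CERT")"
if cert_expires_within "$DEMO_CERT" 2592000; then
  echo "WARNING: certificate expires within 30 days"
fi
```

To check a live endpoint instead of a file, replace the -in "$1" part with the s_client pipeline from 4.13.1 (openssl s_client -connect host:port -servername host </dev/null 2>/dev/null | openssl x509 ...); the -checkend call is what belongs in a cron job or readiness probe so the sidecar reload is triggered before, not after, expiry.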