Tidbits | Feb. 3, 2019

Pro-Tip – GKE: part 1

by Stephen Spencer |   More posts by Stephen

The Cluster


This series is a journal of how we currently configure our GKE clusters. It should not be construed, necessarily, as a best-practices guide but as a written account that will be augmented as knowledge is gained (or perhaps as a series of internal memos that has boundary issues).


The following is a list of values used with a brief explanation where the key's purpose is not obvious:

  • Name (of cluster): prod-cluster-deux
  • Location Type: Zonal (default)
    • This field affects how the cluster is laid out within the chosen availability zone
  • Region: us-central1
  • Master Version: 1.11.6-gke.6
    • latest release as of 02/02/2019

NOTE: Access to the following config keys require clicking the Advanced Configuration widget


  • Availability
    • Additional Node Locations: clear (default)
    • Maintenance Window (beta): 3:00 AM
  • Networking
    • VPC-Native: check
    • Network: default
    • Subnet: default
    • Pod Address Range: blank (default)
    • Maximum Pods-Per-Node (beta): 110 (default)
    • Enable HTTP Load Balancing: clear
    • Network Security
    • Private Cluster: check
    • Enable Master Authorized Networks: check
      • add a reasonably stable source IP (echo -en $( curl -s api.ipify.org )/32)
    • Enable Network Policy: check
      • There is reason why having a UI toggle for a standard part of the Kube API is provided. There are people, somewhere, that know this reason. I am not among them.
  • Security
    • Enable Basic Authentication: uncheck
    • Issue a Client Certificate: uncheck
    • Enable Legacy Authorization: uncheck
    • Enable Binary Authorization (beta): uncheck
    • Enable Application Layer Secrets Encryption (beta): check
    • Unlike AWS, GCP does not generate default cypto keys for this sort of thing.
    • GCP crypto keys are filed under the IAM & admin heading.
    • Create a keyring
    • Create a Symmetric encrypt/decrypt key
    • Copy the key's (not the keyring's) resource ID
      • available from the key's hamburger menu
    • paste the RID into the Select a Customer-Managed Key box (GKE UI)
  • Additional Features
    • Enable Stackdriver Logging Service: check (default)
    • Enable Stackdrive Monitoring Service: check (default)
    • Try the new Stackdriver beta Monitoring and Logging Experience: check (what the hell, right?)
    • Enable Cloud TPU (beta): uncheck (default)
    • Enable Kubernetes Alpha Features: uncheck (default)
    • Enable Kubernetes Dashboard: uncheck
    • Enable Istio: uncheck
    • Enable Node Auto-Provisioning (beta): uncheck

Egress NAT

Without a NAT, private clusters cannot establish connections external to GCP networks

  • Navigate to the GCP Network Services -> Cloud NAT
  • Create
    • Gateway Name: prod-cluster-nat
    • Select Cloud Router
      • VPC Network: default
      • Region: us-central1
      • Cloud Router: create new cloud router
    • NAT mapping
      • Source (internal): Primary and secondary ranges for all subnets
      • NAT IP Addresses: Automatic (default)

Epilogue

The next part in this series will cover setting up a local environment to communicate with the new cluster.

Thanks for Reading!

-Stephen


gcp   kubernetes   GKE  

Beyond wet feet...

2019-02-03T07:26:53.414030 2019-02-03T22:34:20.347323 2019 gcp,kubernetes,GKE