Kubernetes/GCP GKE Aspects: Difference between revisions

From Federal Burro of Information
Jump to navigationJump to search
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 14: Line 14:
  kubectl get node -l cloud.google.com/gke-nodepool=$i
  kubectl get node -l cloud.google.com/gke-nodepool=$i
  done
  done
</pre>
cordon one node pool:
<pre>
for i in `kns get no -l cloud.google.com/gke-nodepool=production-gcp-env-blue -o name`
do
echo $i
#kubectl node cordon $i
done
</pre>
== GKE Ingress Features ==
How do you get access to GCP Load Balancer features via kubernetes?
Via annotation and two CRDs:
* FrontEndConfig
* BackEndConfig
THIS IS ALWAYS CHANGING!!!  :
https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
== Script to check all ingresses for tls policy ==
<pre>
#!/bin/sh
for namespace in `kubectl get ns -o name | cut -d \/ -f 2`
do
  echo "namespace: $namespace"
  for ingress in `kubectl get ingress -n $namespace -o name`
    do
    echo "  ingress: $ingress"
    for frontendconfig in `kubectl get $ingress -n $namespace -o json | jq -r '.metadata.annotations."networking.gke.io/v1beta1.FrontendConfig"'`
      do
      echo "  frontendconfig: $frontendconfig"
      if [[ $frontendconfig != "null" ]]
        then
        policy=`kubectl get frontendconfig $frontendconfig -n $namespace -o json | jq -r '.spec.sslPolicy'`
        echo "  sslPolicy: $policy"
        fi
      done
    done
done
</pre>
== Authenticating to k8s with gcp creds in python ==
reference: https://github.com/googleapis/python-container/issues/6
so useful:
<pre>
pip install kubernetes
pip install google-api-python-client
pip install google-cloud-container
from google.cloud import container_v1
import google.auth
import google.auth.transport.requests
from kubernetes import client as kubernetes_client
from tempfile import NamedTemporaryFile
import base64
def check_k8s_client():
    project_id = 'your-project-name'
    zone = 'us-central1-b'
    cluster_id = 'your-cluster-name'
    print('Attempting to init k8s client from cluster response.')
    container_client = container_v1.ClusterManagerClient()
    response = container_client.get_cluster(project_id, zone, cluster_id)
    credentials, project = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    creds, projects = google.auth.default()
    auth_req = google.auth.transport.requests.Request()
    creds.refresh(auth_req)
    configuration = kubernetes_client.Configuration()
    configuration.host = f'https://{response.endpoint}'
    with NamedTemporaryFile(delete=False) as ca_cert:
        ca_cert.write(
            base64.b64decode(response.master_auth.cluster_ca_certificate))
    configuration.ssl_ca_cert = ca_cert.name
    configuration.api_key_prefix['authorization'] = 'Bearer'
    configuration.api_key['authorization'] = creds.token
    k8s_client = kubernetes_client.BatchV1Api(
        kubernetes_client.ApiClient(configuration))
    ret = k8s_client.list_job_for_all_namespaces()
    print(ret)
check_k8s_client()
</pre>
</pre>

Latest revision as of 14:26, 14 November 2022

Show nodes in each node pool: 


gcloud container clusters list

export CLUSTERNAME=mycluster
export LOCATION=us-central1

for i in `gcloud container node-pools list --cluster ${CLUSTERNAME} --region ${LOCATION} | grep -v NAME | awk '{print $1}'`
 do
 echo $i ;
 kubectl get node -l cloud.google.com/gke-nodepool=$i
 done

cordon one node pool: 

for i in `kns get no -l cloud.google.com/gke-nodepool=production-gcp-env-blue -o name`
do
 echo $i
 #kubectl node cordon $i
done


GKE Ingress Features

How do you get access to GCP Load Balancer features via kubernetes?

Via annotation and two CRDs:

  • FrontEndConfig
  • BackEndConfig

THIS IS ALWAYS CHANGING!!!  :

https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features


Script to check all ingresses for tls policy

#!/bin/sh

for namespace in `kubectl get ns -o name | cut -d \/ -f 2`
do
  echo "namespace: $namespace"
  for ingress in `kubectl get ingress -n $namespace -o name`
    do
    echo "  ingress: $ingress"
    for frontendconfig in `kubectl get $ingress -n $namespace -o json | jq -r '.metadata.annotations."networking.gke.io/v1beta1.FrontendConfig"'`
      do
      echo "  frontendconfig: $frontendconfig"
      if [[ $frontendconfig != "null" ]]
        then
        policy=`kubectl get frontendconfig $frontendconfig -n $namespace -o json | jq -r '.spec.sslPolicy'`
        echo "  sslPolicy: $policy"
        fi
      done
    done
done

Authenticating to k8s with gcp creds in python

reference: https://github.com/googleapis/python-container/issues/6

so useful: 

pip install kubernetes
pip install google-api-python-client
pip install google-cloud-container
from google.cloud import container_v1
import google.auth
import google.auth.transport.requests
from kubernetes import client as kubernetes_client
from tempfile import NamedTemporaryFile
import base64

def check_k8s_client():
    project_id = 'your-project-name'
    zone = 'us-central1-b'
    cluster_id = 'your-cluster-name'
    print('Attempting to init k8s client from cluster response.')
    container_client = container_v1.ClusterManagerClient()
    response = container_client.get_cluster(project_id, zone, cluster_id)
    credentials, project = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    creds, projects = google.auth.default()
    auth_req = google.auth.transport.requests.Request()
    creds.refresh(auth_req)
    configuration = kubernetes_client.Configuration()
    configuration.host = f'https://{response.endpoint}'
    with NamedTemporaryFile(delete=False) as ca_cert:
        ca_cert.write(
            base64.b64decode(response.master_auth.cluster_ca_certificate))
    configuration.ssl_ca_cert = ca_cert.name
    configuration.api_key_prefix['authorization'] = 'Bearer'
    configuration.api_key['authorization'] = creds.token

    k8s_client = kubernetes_client.BatchV1Api(
        kubernetes_client.ApiClient(configuration))
    ret = k8s_client.list_job_for_all_namespaces()
    print(ret)
check_k8s_client()
Retrieved from "https://wiki.quadratic.net/index.php?title=Kubernetes/GCP_GKE_Aspects&oldid=31488"