Kubernetes/GCP GKE Aspects: Difference between revisions
From Federal Burro of Information
Latest revision as of 14:26, 14 November 2022
Show nodes in each node pool:
<pre>
# list clusters first to find the cluster name and its location
gcloud container clusters list
export CLUSTERNAME=mycluster
export LOCATION=us-central1
# one node pool per line: drop the NAME header row and keep the first column
for i in $(gcloud container node-pools list --cluster "${CLUSTERNAME}" --region "${LOCATION}" | grep -v NAME | awk '{print $1}')
do
  echo "$i"
  # every GKE node carries the label cloud.google.com/gke-nodepool=<pool name>
  kubectl get node -l cloud.google.com/gke-nodepool="$i"
done
</pre>
cordon one node pool:
<pre>
# dry run: prints the nodes in the pool; the cordon line stays commented out
# until you have checked the list, so nothing is changed by accident
for i in $(kubectl get no -l cloud.google.com/gke-nodepool=production-gcp-env-blue -o name)
do
  echo "$i"
  # -o name yields node/<name>, which kubectl cordon accepts as-is
  #kubectl cordon "$i"
done
</pre>
== GKE Ingress Features ==
How do you get access to GCP Load Balancer features via kubernetes?
Via an annotation on the Ingress (for example networking.gke.io/v1beta1.FrontendConfig) and two CRDs:
* FrontendConfig
* BackendConfig
THIS IS ALWAYS CHANGING!!! :
https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
== Script to check all ingresses for tls policy ==
<pre>
#!/bin/bash
# walk every namespace and every ingress, print which FrontendConfig (if any) is
# attached and which SSL policy that FrontendConfig pins; "null" means none
for namespace in $(kubectl get ns -o name | cut -d / -f 2)
do
  echo "namespace: $namespace"
  for ingress in $(kubectl get ingress -n "$namespace" -o name)
  do
    echo "  ingress: $ingress"
    for frontendconfig in $(kubectl get "$ingress" -n "$namespace" -o json | jq -r '.metadata.annotations."networking.gke.io/v1beta1.FrontendConfig"')
    do
      echo "    frontendconfig: $frontendconfig"
      if [[ $frontendconfig != "null" ]]
      then
        policy=$(kubectl get frontendconfig "$frontendconfig" -n "$namespace" -o json | jq -r '.spec.sslPolicy')
        echo "    sslPolicy: $policy"
      fi
    done
  done
done
</pre>
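The same FrontendConfig annotation and sslPolicy lookup, as an added example that is not from the wiki page: it runs the audit offline over JSON in the shape `kubectl get ingress -A -o json` and `kubectl get frontendconfig -A -o json` return, so captured dumps can be reviewed without cluster access, and it splits the cases the shell loop only prints as "null" into no annotation, a dangling annotation, and a FrontendConfig that sets no sslPolicy. The Ingress and FrontendConfig objects below are constructed sample data, and the SSL policy name is made up.

```python
import json
from typing import Dict, List, Optional, Tuple

# Annotation GKE reads to attach a FrontendConfig to an Ingress (same key the shell script queries).
FRONTENDCONFIG_ANNOTATION = "networking.gke.io/v1beta1.FrontendConfig"


def load_list(path: str) -> dict:
    """Read a `kubectl get <kind> -A -o json` dump (a v1 List) from disk."""
    with open(path) as fh:
        return json.load(fh)


def audit_ingresses(ingress_list: dict, frontendconfig_list: dict) -> List[dict]:
    """One finding per Ingress. status is one of:
      OK                      annotation present, FrontendConfig exists and pins an sslPolicy
      NO_FRONTENDCONFIG       Ingress carries no FrontendConfig annotation (jq prints "null" here)
      FRONTENDCONFIG_MISSING  annotation names a FrontendConfig that does not exist in that namespace
      NO_SSL_POLICY           FrontendConfig exists but has no spec.sslPolicy, so the load
                              balancer's default SSL policy applies
    """
    # A FrontendConfig is referenced by bare name and must live in the Ingress's own namespace.
    configs: Dict[Tuple[str, str], dict] = {
        (fc["metadata"]["namespace"], fc["metadata"]["name"]): fc
        for fc in frontendconfig_list.get("items", [])
    }
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing["metadata"]
        ns, name = meta["namespace"], meta["name"]
        # metadata.annotations is omitted entirely when an object has none.
        fc_name: Optional[str] = (meta.get("annotations") or {}).get(FRONTENDCONFIG_ANNOTATION)
        policy: Optional[str] = None
        if fc_name is None:
            status = "NO_FRONTENDCONFIG"
        elif (ns, fc_name) not in configs:
            status = "FRONTENDCONFIG_MISSING"
        else:
            policy = configs[(ns, fc_name)].get("spec", {}).get("sslPolicy")
            status = "OK" if policy else "NO_SSL_POLICY"
        findings.append({"namespace": ns, "name": name, "frontendconfig": fc_name,
                         "ssl_policy": policy, "status": status})
    return findings


def noncompliant(findings: List[dict]) -> List[str]:
    """namespace/name of every Ingress that does not pin an SSL policy, sorted for stable reports."""
    return sorted(f"{f['namespace']}/{f['name']}" for f in findings if f["status"] != "OK")


def _ingress(ns: str, name: str, fc: Optional[str] = None) -> dict:
    meta = {"namespace": ns, "name": name}
    if fc is not None:
        meta["annotations"] = {FRONTENDCONFIG_ANNOTATION: fc}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress", "metadata": meta, "spec": {}}


def _frontendconfig(ns: str, name: str, spec: dict) -> dict:
    return {"apiVersion": "networking.gke.io/v1beta1", "kind": "FrontendConfig",
            "metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed sample data standing in for the two kubectl JSON dumps.
SAMPLE_INGRESSES = {"apiVersion": "v1", "kind": "List", "items": [
    _ingress("web", "shop", "shop-fe"),      # pinned policy
    _ingress("web", "legacy"),               # no annotation at all
    _ingress("api", "gateway", "gw-fe"),     # FrontendConfig only sets redirectToHttps
    _ingress("api", "admin", "ghost-fe"),    # annotation points at a config that was never created
]}
SAMPLE_FRONTENDCONFIGS = {"apiVersion": "v1", "kind": "List", "items": [
    _frontendconfig("web", "shop-fe", {"sslPolicy": "modern-tls-1-2"}),
    _frontendconfig("api", "gw-fe", {"redirectToHttps": {"enabled": True}}),
]}

if __name__ == "__main__":
    # Against a real cluster: load_list("ingresses.json") and load_list("frontendconfigs.json")
    # saved from the two kubectl commands named above.
    results = audit_ingresses(SAMPLE_INGRESSES, SAMPLE_FRONTENDCONFIGS)
    for f in results:
        print(f"{f['namespace']}/{f['name']:<10} {f['status']:<22} "
              f"frontendconfig={f['frontendconfig']} sslPolicy={f['ssl_policy']}")
    print("non-compliant:", noncompliant(results))
```

Anything other than OK is worth a ticket: an Ingress with no FrontendConfig or one whose FrontendConfig omits sslPolicy is served with whatever the load balancer's default SSL policy allows, and a dangling annotation usually means the FrontendConfig was deleted or created in the wrong namespace.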
== Authenticating to k8s with gcp creds in python ==
reference: https://github.com/googleapis/python-container/issues/6
so useful:
<pre>
pip install kubernetes
pip install google-api-python-client
pip install google-cloud-container
</pre>
<pre>
from google.cloud import container_v1
import google.auth
import google.auth.transport.requests
from kubernetes import client as kubernetes_client
from tempfile import NamedTemporaryFile
import base64


def check_k8s_client():
    project_id = 'your-project-name'
    zone = 'us-central1-b'
    cluster_id = 'your-cluster-name'
    print('Attempting to init k8s client from cluster response.')
    # Ask the GKE API for the cluster's endpoint and CA certificate. Current
    # google-cloud-container releases only accept keyword arguments here, so the
    # cluster is addressed by its full resource name.
    container_client = container_v1.ClusterManagerClient()
    response = container_client.get_cluster(
        name=f'projects/{project_id}/locations/{zone}/clusters/{cluster_id}')
    # Application Default Credentials (gcloud login, a service account key or the
    # metadata server); refreshing yields a short-lived OAuth2 access token.
    creds, _ = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    auth_req = google.auth.transport.requests.Request()
    creds.refresh(auth_req)
    configuration = kubernetes_client.Configuration()
    configuration.host = f'https://{response.endpoint}'
    # Pin the API server's CA from the cluster description so the TLS connection
    # is verified instead of skipped; the kubernetes client wants a file path.
    with NamedTemporaryFile(delete=False) as ca_cert:
        ca_cert.write(
            base64.b64decode(response.master_auth.cluster_ca_certificate))
    configuration.ssl_ca_cert = ca_cert.name
    # The GCP access token is presented to the Kubernetes API as a bearer token.
    configuration.api_key_prefix['authorization'] = 'Bearer'
    configuration.api_key['authorization'] = creds.token
    k8s_client = kubernetes_client.BatchV1Api(
        kubernetes_client.ApiClient(configuration))
    ret = k8s_client.list_job_for_all_namespaces()
    print(ret)


check_k8s_client()
</pre>