Kubernetes/GCP GKE Aspects

From Federal Burro of Information
Revision as of 14:26, 14 November 2022 by David (talk | contribs) (→‎Authenticating to k8s with gcp creds in python)

Show the nodes in each node pool of a cluster:


gcloud container clusters list

export CLUSTERNAME=mycluster
export LOCATION=us-central1

# --format='value(name)' prints only the pool names, so there is no grep/awk scraping of the table.
# For a zonal cluster pass --zone instead of --region.
for i in $(gcloud container node-pools list --cluster "${CLUSTERNAME}" --region "${LOCATION}" --format='value(name)')
 do
 echo "$i" ;
 # every GKE node carries its pool name in the cloud.google.com/gke-nodepool label
 kubectl get node -l cloud.google.com/gke-nodepool="$i"
 done

cordon one node pool (the cordon itself is commented out, so as written this is a dry run that only prints the node names):

# the original used kns, presumably a local alias for kubectl; plain kubectl works everywhere
for i in $(kubectl get no -l cloud.google.com/gke-nodepool=production-gcp-env-blue -o name)
do
 echo "$i"
 #kubectl cordon "$i"
done

Note: the subcommand is kubectl cordon, not kubectl node cordon. Cordoning only marks the nodes unschedulable; pods already running on them stay there until you kubectl drain each node (with --ignore-daemonsets and, for pods using emptyDir volumes, --delete-emptydir-data) or delete the pool.


GKE Ingress Features

How do you get access to GCP Load Balancer features (SSL policies, HTTP-to-HTTPS redirects, Cloud Armor, IAP, backend timeouts and so on) via Kubernetes?

Via annotations and two GKE CRDs in the networking.gke.io API group:

  • FrontendConfig, bound to an Ingress with the annotation networking.gke.io/v1beta1.FrontendConfig (spec.sslPolicy names a compute SSL policy; spec.redirectToHttps.enabled turns on the HTTPS redirect)
  • BackendConfig, bound to a Service with the annotation cloud.google.com/backend-config (Cloud Armor securityPolicy, IAP, CDN, timeoutSec, health checks, session affinity)

The set of supported features and their field and annotation names changes often, so check the current list before relying on this page:

https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features


Script to check all ingresses for a TLS (SSL) policy. An Ingress with no FrontendConfig, or a FrontendConfig without sslPolicy, gets the GCP default SSL policy, which still allows TLS 1.0 and 1.1, so "null" in the output is the finding to look for:

#!/bin/bash
# bash, not sh: the [[ ]] test below is a bashism

for namespace in $(kubectl get ns -o name | cut -d / -f 2)
do
  echo "namespace: $namespace"
  for ingress in $(kubectl get ingress -n "$namespace" -o name)
  do
    echo "  ingress: $ingress"
    # jq prints "null" when the Ingress carries no FrontendConfig annotation
    frontendconfig=$(kubectl get "$ingress" -n "$namespace" -o json \
      | jq -r '.metadata.annotations."networking.gke.io/v1beta1.FrontendConfig"')
    echo "  frontendconfig: $frontendconfig"
    if [[ "$frontendconfig" != "null" ]]
    then
      # sslPolicy is the name of a compute SSL policy; "null" means the default policy applies
      policy=$(kubectl get frontendconfig "$frontendconfig" -n "$namespace" -o json | jq -r '.spec.sslPolicy')
      echo "  sslPolicy: $policy"
    fi
  done
done
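The same check in Python, as an added example that is not code from this page: it applies the Ingress -> FrontendConfig annotation -> spec.sslPolicy walk of the script above to objects shaped like `kubectl get ingress -o json` and `kubectl get frontendconfig -o json` output, and also shows the annotation wiring described in the GKE Ingress Features section. It goes a little further than the script by flagging dangling FrontendConfig references, FrontendConfigs without sslPolicy, and policies outside an allowlist. All objects, namespaces and the policy name "modern-tls12" are constructed for the example.

```python
"""Offline audit of GKE Ingresses for an explicit SSL policy (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Annotation that binds an Ingress to a FrontendConfig in the same namespace
FRONTENDCONFIG_ANNOTATION = "networking.gke.io/v1beta1.FrontendConfig"


@dataclass
class Finding:
    namespace: str
    ingress: str
    frontendconfig: Optional[str]
    ssl_policy: Optional[str]
    redirect_to_https: bool
    ok: bool
    reason: str


def audit_ingresses(ingresses: Iterable[dict], frontendconfigs: Iterable[dict],
                    allowed_policies: Set[str]) -> List[Finding]:
    """One Finding per Ingress. ok=False means the GCP default (TLS 1.0) policy
    applies, the reference is broken, or the policy is not on the allowlist."""
    fcs: Dict[tuple, dict] = {
        (fc["metadata"]["namespace"], fc["metadata"]["name"]): fc for fc in frontendconfigs
    }
    findings = []
    for ing in ingresses:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        fc_name = ing["metadata"].get("annotations", {}).get(FRONTENDCONFIG_ANNOTATION)
        ssl_policy, redirect = None, False
        if fc_name is None:
            ok, reason = False, "no FrontendConfig: GCP default SSL policy (allows TLS 1.0)"
        elif (ns, fc_name) not in fcs:
            ok, reason = False, f"FrontendConfig {fc_name} not found in namespace {ns}"
        else:
            spec = fcs[(ns, fc_name)].get("spec", {})
            ssl_policy = spec.get("sslPolicy")
            redirect = bool(spec.get("redirectToHttps", {}).get("enabled", False))
            if ssl_policy is None:
                ok, reason = False, f"FrontendConfig {fc_name} sets no sslPolicy: default policy applies"
            elif ssl_policy not in allowed_policies:
                ok, reason = False, f"sslPolicy {ssl_policy} is not an approved policy"
            else:
                ok, reason = True, f"sslPolicy {ssl_policy}"
        findings.append(Finding(ns, name, fc_name, ssl_policy, redirect, ok, reason))
    return findings


def failing(findings: Iterable[Finding]) -> List[str]:
    """namespace/ingress of every Ingress that needs attention, in audit order."""
    return [f"{f.namespace}/{f.ingress}" for f in findings if not f.ok]


def _ingress(ns, name, fc=None):
    meta = {"namespace": ns, "name": name}
    if fc is not None:
        meta["annotations"] = {FRONTENDCONFIG_ANNOTATION: fc}  # the binding annotation
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress", "metadata": meta}


def _frontendconfig(ns, name, **spec):
    return {"apiVersion": "networking.gke.io/v1beta1", "kind": "FrontendConfig",
            "metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed sample objects, not real cluster output
SAMPLE_FRONTENDCONFIGS = [
    _frontendconfig("prod", "strict-tls", sslPolicy="modern-tls12", redirectToHttps={"enabled": True}),
    _frontendconfig("prod", "redirect-only", redirectToHttps={"enabled": True}),
    _frontendconfig("staging", "lax", sslPolicy="compat-tls10"),
]
SAMPLE_INGRESSES = [
    _ingress("prod", "shop", "strict-tls"),
    _ingress("prod", "legacy"),                     # no annotation at all
    _ingress("prod", "admin", "redirect-only"),     # redirect but no sslPolicy
    _ingress("staging", "preview", "lax"),          # policy not on the allowlist
    _ingress("staging", "orphan", "deleted-config"),  # dangling reference
]
# Assumed name of an SSL policy created with minTlsVersion TLS_1_2
ALLOWED_POLICIES = {"modern-tls12"}

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE_INGRESSES, SAMPLE_FRONTENDCONFIGS, ALLOWED_POLICIES):
        status = "OK  " if f.ok else "FAIL"
        print(f"{status} {f.namespace}/{f.ingress}: {f.reason}; redirectToHttps={f.redirect_to_https}")
```

To run it against a real cluster, feed `audit_ingresses` the `items` lists from `kubectl get ingress -A -o json` and `kubectl get frontendconfig -A -o json`; the allowlist should contain only SSL policies you created with a TLS 1.2 (or higher) minimum.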

Authenticating to k8s with gcp creds in python

reference: https://github.com/googleapis/python-container/issues/6

So useful: the Cluster Manager API returns the API server endpoint and the cluster CA certificate, and Application Default Credentials (ADC) supply a short-lived OAuth bearer token, so no kubeconfig, no gcloud binary and no long-lived service-account key file are needed. The CA from the cluster response is what authenticates the API server, so keep TLS verification on and never paper over a certificate error with verify_ssl = False. The identity behind ADC still needs IAM permission to read the cluster (container.clusters.get) plus RBAC inside the cluster for whatever it lists.

pip install kubernetes
pip install google-api-python-client
pip install google-cloud-container
from google.cloud import container_v1
import google.auth
import google.auth.transport.requests
from kubernetes import client as kubernetes_client
from tempfile import NamedTemporaryFile
import base64
import os

def check_k8s_client():
    project_id = 'your-project-name'
    zone = 'us-central1-b'
    cluster_id = 'your-cluster-name'
    print('Attempting to init k8s client from cluster response.')
    container_client = container_v1.ClusterManagerClient()
    # google-cloud-container 2.x takes the resource name; the old positional
    # (project_id, zone, cluster_id) form raises ValueError
    response = container_client.get_cluster(
        name=f'projects/{project_id}/locations/{zone}/clusters/{cluster_id}')
    # ADC: gcloud user credentials, the attached service account, or GOOGLE_APPLICATION_CREDENTIALS
    creds, _project = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    auth_req = google.auth.transport.requests.Request()
    creds.refresh(auth_req)   # creds.token is an OAuth2 access token, valid for about an hour
    configuration = kubernetes_client.Configuration()
    configuration.host = f'https://{response.endpoint}'
    # The cluster CA arrived over TLS from the Cluster Manager API; pinning it here is what
    # authenticates the API server. NamedTemporaryFile creates the file with mode 0600.
    with NamedTemporaryFile(delete=False) as ca_cert:
        ca_cert.write(
            base64.b64decode(response.master_auth.cluster_ca_certificate))
    configuration.ssl_ca_cert = ca_cert.name
    configuration.api_key_prefix['authorization'] = 'Bearer'
    configuration.api_key['authorization'] = creds.token

    try:
        k8s_client = kubernetes_client.BatchV1Api(
            kubernetes_client.ApiClient(configuration))
        ret = k8s_client.list_job_for_all_namespaces()
        print(ret)
    finally:
        os.remove(ca_cert.name)   # don't leave the CA file behind once the client is done

check_k8s_client()
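A reusable version of the same wiring, as an added example rather than code from this page or from the google-cloud-container or kubernetes projects. It generalises the snippet above in two ways: the cluster CA is checked to be a PEM certificate before it is trusted, and the bearer token is re-fetched through the kubernetes client's refresh_api_key_hook when the Google credentials expire, so a long-running process keeps working past the roughly one-hour token lifetime instead of failing with 401. The kubernetes import is kept inside configuration_from_cluster() so the helpers run without the client installed; FakeCredentials, the demo CA bytes and the project/zone/cluster names are constructed for the example.

```python
"""GKE client configuration with CA validation and token refresh (added example)."""
import base64
import os
import tempfile

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def decode_cluster_ca(ca_b64):
    """Decode masterAuth.clusterCaCertificate; refuse anything that is not a PEM certificate."""
    pem = base64.b64decode(ca_b64, validate=True)   # strict: non-alphabet characters are an error
    if PEM_BEGIN not in pem or PEM_END not in pem:
        raise ValueError("cluster CA is not a PEM certificate; refusing to use it for TLS")
    return pem


def is_valid_cluster_ca(ca_b64):
    """Boolean form of decode_cluster_ca for callers that only want a verdict."""
    try:
        decode_cluster_ca(ca_b64)
        return True
    except (ValueError, TypeError):   # binascii.Error is a ValueError subclass
        return False


def write_ca_file(pem):
    """Write the CA to a 0600 temp file; the caller removes it when the client is done."""
    with tempfile.NamedTemporaryFile(prefix="gke-ca-", suffix=".pem", delete=False) as f:
        f.write(pem)
    return f.name


def make_refresh_hook(creds, request):
    """Hook for Configuration.refresh_api_key_hook. The kubernetes client calls it
    before every authenticated request, so refreshing here keeps api_key current."""
    def hook(configuration):
        if creds.expired or not creds.token:   # google.auth credentials expose both
            creds.refresh(request)
        configuration.api_key_prefix["authorization"] = "Bearer"
        configuration.api_key["authorization"] = creds.token
    return hook


def configuration_from_cluster(endpoint, ca_b64, creds, request):
    """Build kubernetes.client.Configuration from ClusterManagerClient.get_cluster() fields:
    endpoint = cluster.endpoint, ca_b64 = cluster.master_auth.cluster_ca_certificate."""
    from kubernetes import client as kubernetes_client   # lazy, see lead-in

    configuration = kubernetes_client.Configuration()
    configuration.host = f"https://{endpoint}"
    configuration.verify_ssl = True   # the pinned CA below is what authenticates the API server
    configuration.ssl_ca_cert = write_ca_file(decode_cluster_ca(ca_b64))
    configuration.refresh_api_key_hook = make_refresh_hook(creds, request)
    configuration.refresh_api_key_hook(configuration)   # populate the first token
    return configuration


class FakeCredentials:
    """Constructed stand-in for google.auth credentials (token / expired / refresh)."""
    def __init__(self):
        self.token, self.expired, self.refreshes = None, True, 0

    def refresh(self, request):
        self.refreshes += 1
        self.token = f"ya29.fake-{self.refreshes}"
        self.expired = False


class _ConfigStub:
    """Only the two dicts the hook touches, so the cycle runs without kubernetes installed."""
    def __init__(self):
        self.api_key, self.api_key_prefix = {}, {}


def demo_refresh_cycle():
    """Drive the hook through first use, a still-valid token and an expiry.
    Returns (tokens seen per request, number of refreshes performed)."""
    creds, conf = FakeCredentials(), _ConfigStub()
    hook = make_refresh_hook(creds, request=None)
    seen = []
    for expire_first in (False, False, True):
        if expire_first:
            creds.expired = True   # simulate the hour passing
        hook(conf)
        seen.append(conf.api_key["authorization"])
    return seen, creds.refreshes


# Constructed demo inputs (not a real certificate)
DEMO_CA_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n").decode()
DEMO_BAD_B64 = base64.b64encode(b"not a certificate").decode()


def main():
    """Real run, same inputs as the snippet above but through the helpers (needs network + creds)."""
    import google.auth
    import google.auth.transport.requests
    from google.cloud import container_v1
    from kubernetes import client as kubernetes_client

    project_id, zone, cluster_id = "your-project-name", "us-central1-b", "your-cluster-name"
    cluster = container_v1.ClusterManagerClient().get_cluster(
        name=f"projects/{project_id}/locations/{zone}/clusters/{cluster_id}")
    creds, _ = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    conf = configuration_from_cluster(cluster.endpoint, cluster.master_auth.cluster_ca_certificate,
                                      creds, google.auth.transport.requests.Request())
    try:
        print(kubernetes_client.CoreV1Api(kubernetes_client.ApiClient(conf)).list_namespace())
    finally:
        os.remove(conf.ssl_ca_cert)


if __name__ == "__main__":
    main()
```

The hook is the piece worth copying: the generated kubernetes client consults refresh_api_key_hook every time it assembles the Authorization header, so the token is renewed on demand and nothing in the calling code has to track expiry.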