Google Cloud

From the PluralSight Google Cloud path. The companion slides I downloaded explain things in great detail and are worth referring to, especially the part on how to choose combinations of resources; each lesson has Quick Labs.

The best way to learn is to read the official documentation while operating on the gcloud console.

Some useful GCP projects:

Commands

## after install gcloud SDK
## init
gcloud init --console-only

## can login multiple user accounts
gcloud auth login
## it is ADC (Application Default Credentials)
## used by code that talks to GCP, such as the Terraform CLI
gcloud auth application-default login [--project]

## same as gcloud auth login but using SA credential
## and roles
gcloud auth activate-service-account [--key-file]

## list auth accounts or service account
gcloud auth list
## switch account
gcloud config set account <account name>
## revoke account
gcloud auth revoke <account name>


## show and install components, e.g. alpha, beta, kubectl...
gcloud components list
gcloud components install [beta]


## all projects visible to my account, not only the one in use
gcloud projects list


## set which project to use
gcloud config set project <project name>
## current project in use
gcloud config list project
## get project ID
gcloud config get-value project

## list service account in project
gcloud iam service-accounts list [--project <project ID>]
## create service-account after auth login and set project
gcloud iam service-accounts create <SA name> [--display-name=<"description">] [--project <project id>]
## can update display name and description
gcloud iam service-accounts update ...
## disable service account
gcloud iam service-accounts enable/disable ...
## delete: When a service account is deleted, its role bindings
## are not immediately removed; they are automatically purged from
## the system after a maximum of 60 days.
gcloud iam service-accounts delete ...
## generate a credentials JSON file for terraform
## (a key can later be removed with: keys delete <key ID> --iam-account ...)
gcloud iam service-accounts keys create ~/key.json \
--iam-account <SA name>@<project ID>.iam.gserviceaccount.com
## see the roles bind to service account
gcloud iam service-accounts get-iam-policy <SA>



## see available context
## -o name: show context name
kubectl config get-contexts [-o name]
## switch context
kubectl config use-context <context name>
## rename context to human readable
kubectl config rename-context <old> <new>

## export the current configuration to a yaml file
kubectl config view --minify --flatten > cluster.yaml
## the same kind of file can be produced by this gcloud command
## KUBECONFIG=cluster.yaml: store the fetched credentials in cluster.yaml instead of ~/.kube/config
KUBECONFIG=cluster.yaml gcloud container clusters \
get-credentials <cluster name> --zone=<cluster zone>


## current enabled API list
gcloud services list [--project <project ID>]
gcloud services enable <API>
gcloud services disable <API>


## create default VPC network
gcloud compute networks create default


## create K8s cluster in default network
gcloud container clusters create gke-eu --zone europe-west1-c \
--release-channel stable --enable-ip-alias
## list cluster
gcloud container clusters list
gcloud container clusters list \
--project <project name> \
--filter "name:cluster-name" \
--format "get(location)"
## describe
gcloud container clusters describe <cluster name> --region <region/zone>
## delete cluster
## -q: quiet, no confirmation prompt
gcloud container clusters delete gke-eu --zone=europe-west1-c [-q]


## grant IAM roles to an end user in the project
## member can be user:email, group:email or serviceAccount:email
## only one --role per invocation; repeat the command for a second role
gcloud projects add-iam-policy-binding <project ID> \
--member=user:<member> \
--role=roles/gkehub.admin
gcloud projects add-iam-policy-binding <project ID> \
--member=user:<member> \
--role=roles/resourcemanager.projectIamAdmin

Terms

Cloud SDK commands:

  • gcloud
  • kubectl
  • gsutil (google storage)
  • bq (big query)

Cloud Shell actually runs on an ephemeral Compute Engine instance. Creating all kinds of resources from the command line is in fact more convenient than the UI (this is also the foundation of Terraform).

A zone is under a region; you can think of a zone as a data center in a region.

Anthos is Google's modern solution for managing hybrid and multi-cloud systems and services. (The chapter below summarizes it specifically.)

GCP Cloud Functions: a serverless execution environment for building and connecting cloud services. With Cloud Functions you write simple, single-purpose functions that are attached to events emitted from your cloud infrastructure and services. Your Cloud Function is triggered when an event being watched fires. Your code executes in a fully managed environment; there is no need to provision any infrastructure or manage any servers.

GCP Deployment Manager: like Terraform, infrastructure as code.

GCP Dataproc runs Apache Spark and Apache Hadoop clusters. GCP Dataflow offers managed data pipelines: serverless, fully managed data processing. GCP Dataprep lets you visually explore, clean and prepare data for analysis and machine learning.

BigQuery is a fully managed data warehouse. Pub/Sub (publisher/subscriber) is scalable, reliable messaging. Datalab offers interactive data exploration, built on Jupyter.

Kubernetes Architecting

Built on top of Compute Engine. A container is an isolated user-space environment for running application code; it is lightweight and appears as a process, built from:

  • process
  • linux namespace
  • cgroups
  • union file systems

GKE abstracts away the master and shows only the worker nodes on the dashboard. Use node pools to manage different kinds of nodes. Google maintains a container registry: gcr.io. Cloud Run: built on Knative, for serverless workloads.

Cloud Build: Build, test, and deploy on serverless CI/CD platform.

Private cluster: only Google products and authorized networks can access it.

Foundations

Compute Engine lets you run virtual machines. In GCP, K8s nodes are actually virtual machines running in Compute Engine, just like IBM Fyre; you can see them in the Compute Engine dashboard.

  • Fully customized virtual machines
  • Persistent disk/SSD or optional local SSDs
  • Global load balancing and autoscaling
  • Per-second billing

VMs have the SDK commands built in. A vCPU is equal to one hardware hyper-thread.

Preemptible VM: can be terminated by GCP if the resources are needed elsewhere. Cloud Storage is binary large-object storage. Different storage services target different kinds of objects.

VPC: virtual private cloud. A VPC is global in scope, a subnet is regional, and a subnet can span different zones. Each VPC network is contained in a GCP project. VPCs let components connect to each other or be isolated from each other.

You control the VPC network; its route table forwards traffic within the network, even across subnets.

VPC: 3 types:

  • default mode
  • auto mode
  • custom mode (for production)

VPN can connect the on-premises network to GCP network.

VMs can be on the same subnet but in different zones. Every subnet has four reserved IP addresses in its primary IP range: .0 for the subnet network itself, .1 for the subnet gateway, the second-to-last address in the range, and the last address.
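The reserved-address rule above as a small Python helper (an added example, not from the original notes). It assumes /29 is the smallest primary range GCP allows, and uses 10.128.0.0/20, the default network's us-central1 subnet, as sample input:

```python
import ipaddress

GCP_MIN_PREFIX = 29  # assumption: smallest primary range GCP accepts for a subnet


def reserved_addresses(cidr):
    """Return the four addresses GCP reserves in an IPv4 primary range:
    .0 (network), .1 (gateway), the second-to-last and the last address."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen > GCP_MIN_PREFIX:
        raise ValueError(f"{cidr}: primary range must be /{GCP_MIN_PREFIX} or larger")
    first, last = int(net.network_address), int(net.broadcast_address)
    return {
        "network": str(ipaddress.IPv4Address(first)),
        "gateway": str(ipaddress.IPv4Address(first + 1)),
        "second_to_last": str(ipaddress.IPv4Address(last - 1)),
        "last": str(ipaddress.IPv4Address(last)),
    }


def usable_addresses(cidr):
    """Number of addresses a VM can actually be assigned from the range."""
    return ipaddress.IPv4Network(cidr, strict=True).num_addresses - 4


def is_assignable(cidr, ip):
    """True if ip lies inside the subnet and is not one of the reserved four."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    addr = ipaddress.IPv4Address(ip)
    return addr in net and str(addr) not in reserved_addresses(cidr).values()


if __name__ == "__main__":
    # 10.128.0.0/20 is where the 10.128.0.2 address of instance-1 below comes from.
    print(reserved_addresses("10.128.0.0/20"))
    print(usable_addresses("10.128.0.0/20"), is_assignable("10.128.0.0/20", "10.128.0.2"))
```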

The external IP is transparent to the VM and managed by the VPC; you will not see it with the ip a s command. In /etc/hosts:

10.128.0.2 instance-1.us-central1-a.c.terraform-k8s-282804.internal instance-1  # Added by Google
## internal DNS resolver
169.254.169.254 metadata.google.internal # Added by Google

For example:

nslookup instance-1

Server: 169.254.169.254
Address: 169.254.169.254#53

Non-authoritative answer:
Name: instance-1.us-central1-a.c.terraform-k8s-282804.internal
Address: 10.128.0.2

Set up VPC peering or a VPN to allow internal network connectivity between VPCs.

You can delete the whole default network setup and create your own, for example an auto-mode or custom-mode network.

Private Google Access (for example to reach Cloud Storage) and Cloud NAT (outbound only) let a VM without an external IP reach the internet.

RAM disk: tmpfs, a fast scratch disk or cache; faster than disk but slower than memory.

A VM comes with a single root persistent disk; you can attach additional disks to the VM, and they are network storage! The extra disk needs to be formatted and mounted by yourself, for example:

## the -E options are one comma-separated list; the device path is /dev/disk/by-id/
sudo mkfs.ext4 -F -E lazy_itable_init=0,lazy_journal_init=0,discard \
/dev/disk/by-id/<disk name>

sudo mount -o discard,defaults /dev/disk/by-id/<disk name> /home/<target directory>

App Engine is not like Compute Engine: it is not made up of virtual machines; instead you get access to a family of services that your application needs. Containers (K8s, hybrid) sit between Compute Engine (IaaS) and App Engine (PaaS). With App Engine you don't want to focus on the infrastructure at all, just on your application code. It is especially suited for building scalable web applications/web sites, mobile backends and RESTful APIs.

The App Engine flexible environment relies on containers running in virtual machines in Compute Engine.

Core Services

IAM

Besides GCP, other public clouds adopt the same RBAC approach.

If you forget, read it a few more times: Regulating Resource Usage Using Google Cloud IAM

First understand RBAC, which is used in many settings. It has three parts: identity, roles and resources. An identity can be a Google account, a Google group or a service account (not a human). Roles come in several categories, such as primitive roles, predefined roles and custom roles.

IAM: identity and access management, i.e. who can do what on which resources. A user of IAM can be a person, a group or an application. Always select the least privilege needed, to reduce exposure to risk.

When adding a new member in IAM, GCP and G Suite share user (human) information.

Identities:

  • google accounts
  • service accounts, which belong to your applications
  • google groups (collection of google accounts and service accounts)
  • G suite domains
  • Cloud identity domains

Service account: used by an application or virtual machine running code on your behalf; IAM policies can be attached to it:

  • user-managed SA: for example service-account-name@project-id.iam.gserviceaccount.com; you choose the service account name.
  • default SA: common examples are the service accounts created automatically when you use App Engine or Compute Engine.
  • google-managed SA: used internally by GCP; you do not need to manage it.

IAM roles:

  • primitive role: Owner, Editor, Viewer.
  • predefined role: roles for specific resources, e.g. compute, GKE, network, and so on.
  • custom role: user-defined and user-maintained, for more granular access.

A binding combines an identity with roles to form a policy. IAM attaches policies to different objects along the IAM hierarchy: Organization -> folder -> project -> resource.

Project-level policy operations (or organization-level), meaning that at the project level these members are allowed to do the specified things.

## add and revoke
## member can be user:xx or serviceAccount:xx
gcloud projects add-iam-policy-binding <project ID> \
--member=<member> \
--role=<role ID>
gcloud projects remove-iam-policy-binding <project ID> \
--member=<member> \
--role=<role ID>

## batch operation: all role bindings live in a yaml file
gcloud projects set-iam-policy <project id> <file path>
gcloud projects get-iam-policy <project id> [--format=json/yaml] > [file path]

Note these two commands: here the service account is treated as a resource rather than an identity, so they configure which other identities may act on this service account:

gcloud iam service-accounts set/get-iam-policy <service account>
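An added example, not part of these notes: a least-privilege check over the JSON that `gcloud projects get-iam-policy <project> --format=json` prints, flagging primitive roles and public principals and producing the matching remove-iam-policy-binding commands for review. The policy below is constructed, and the project and member names are placeholders.

```python
import json

# Primitive roles from the notes above; least privilege prefers predefined or custom roles.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like `gcloud projects get-iam-policy <project> --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/container.developer", "members": ["group:devs@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})


def audit_policy(policy_json):
    """Return (member, role, reason) findings for a project-level IAM policy."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, "public principal"))
            if role in PRIMITIVE_ROLES:
                kind = "service account" if member.startswith("serviceAccount:") else "member"
                findings.append((member, role, f"primitive role on {kind}"))
    return findings


def remediation_commands(project_id, findings):
    """One remove-iam-policy-binding command per distinct (member, role), as in the notes."""
    seen, cmds = set(), []
    for member, role, _reason in findings:
        if (member, role) not in seen:
            seen.add((member, role))
            cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                        f"--member={member} --role={role}")
    return cmds


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding)
    print("\n".join(remediation_commands("example-project", audit_policy(SAMPLE_POLICY))))
```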

Storage and Database

Storage access control has many options; IAM is one of them and is usually enough. Others include ACLs, signed URLs and signed policy documents.

Cloud Storage: fully managed object store. In the demo, the gsutil command can do versioning, ACLs, set restrictions, etc.

# if you want to skip the http_proxy setting, run gsutil as $gs ...
gs='env -u http_proxy gsutil'

The slides have information about how to choose which service: SQL, NoSQL, ...?

Cloud SQL: a fully managed database service (MySQL or PostgreSQL). If the Cloud SQL instance is in the same VPC and the same region, connect to it via private IP; otherwise use the Cloud SQL Proxy connection (set up via a script).

Cloud Spanner combines the benefits of relational database structure with non-relational horizontal scale. Used for financial and inventory applications.

Cloud Firestore: the next generation of Cloud Datastore. Cloud Firestore is a NoSQL document database.

Cloud Bigtable: a fully managed, wide-column NoSQL database that offers low latency and replication for high availability.

Cloud Memorystore: creates and manages Redis instances on the Google Cloud Platform.

Resource Management

Resource manager, quotas, labels and billing.

Resource Monitor

From the Stackdriver collection.

Scaling and Automation

Interconnecting Networks

In the demo, two VMs are in different regions and subnets; after setting up the VPN tunnel they can ping each other via private IP.

Once you understand this part, you can set up your own VPN to get past the firewall. Cloud VPN: securely connect your infrastructure to the GCP VPC network; useful for low-volume data connections.

Options: IPsec VPN tunnel, Dedicated Interconnect (for large traffic volumes) and Partner Interconnect (via another service provider's network).

Configure a Cloud VPN gateway and an on-premises VPN gateway, then set up the VPN tunnel (encrypted traffic); the two gateways must be paired.

Load Balancing and Auto Scaling

Managed instance groups, typically used with autoscaler.

HTTP(S) load balancing: a layer 7 (application layer) load balancer.

In the demo: create a VM with a detachable disk, install apache2, then keep the disk to create a custom image; use this image to create an instance template, then create instance groups.

Infrastructure Automation

Deployment manager and Terraform, can also use Ansible, Chef, Puppet…

Terraform is integrated in Cloud Shell.

GCP marketplace, production-ready solutions.

External HTTP(S) Load Balancing

https://cloud.google.com/load-balancing/docs/https

Anthos

I recommend downloading the slides of this series for review. Quick Labs and slides are from the PluralSight Anthos special.

Built on open source technologies pioneered by Google—including Kubernetes, Istio, and Knative—Anthos enables consistency between on-premises and cloud environments.

      On-premises                            Public Cloud
|----------------------|             |-----------------------|
|   Config Management  |             |                       |  Anthos Configuration Management
|   <==============================================>         |
|   Service Mesh       |             |                       |  Istio, communications &
|   <==============================================>         |  observability
|-----------|          |             |                       |
| Enterprise|----------|             |-----------|           |
| workload  |Containers|             |Containers |           |  Kubernetes, deployment &
|           |----------|             |-----------|           |  run-time platform
|           |   K8s    |             |    GKE    |           |
|           |on-premise|             |           |           |
|-----------|----------|             |-----------------------|

This series first explains what Anthos is and how it is composed, then covers the service mesh, and finally Anthos Config Management (ACM).

Key points:

  1. An agent pod runs in the on-premises cluster and actively registers that cluster with the Anthos control plane.
  2. All registered clusters are managed and visible in a unified way on the same control plane; the resources inside the clusters are visible too.
  3. A very important part of Anthos is the service mesh, which uses Istio, so that part must be understood. See my blog post on Istio.
  4. Config management is the single source of truth: all policies can be kept in one git repo as the desired state; when applied they propagate to every managed object, and whether an object is managed is marked by an annotation in its manifest.
  5. DNS across multiple control planes uses Istio CoreDNS, not kube-dns (which is for local resolution).

Ingress of Anthos

https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos lays out the concept, components and diagrams of Ingress for Anthos very clearly. Ingress for Anthos is designed to meet the load balancing needs of multi-cluster, multi-regional environments. It's a controller for the external HTTP(S) load balancer that provides ingress for traffic coming from the internet across one or more clusters.

Ingress for Anthos updates the load balancer, keeping it consistent with the environment and desired state of Kubernetes resources.

Ingress for Anthos uses a centralized Kubernetes API server to deploy Ingress across multiple clusters. This centralized API server is called the config cluster. Any GKE cluster can act as the config cluster. The config cluster uses two custom resource types: MultiClusterIngress and MultiClusterService. By deploying these resources on the config cluster, the Anthos Ingress Controller deploys load balancers across multiple clusters.

There can be multiple MCS but only one MCI. An MCS can select specific clusters with its clusters field. An MCI can specify the default backend and other backends with rules.

Clusters that you register to an environ (an environ is a domain that groups clusters and infrastructure, manages resources, and keeps a consistent policy across them) become visible to Ingress, so they can be used as backends for Ingress.

Environs have a characteristic known as namespace sameness, which assumes that resources with identical names in the same namespace across clusters are instances of the same resource.
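An added example, not from these notes or the linked doc: a consistency check over constructed MultiClusterService and MultiClusterIngress manifests (as Python dicts) that ties together the clusters field, environ membership and namespace sameness described above. The field layout follows the Ingress for Anthos doc as I recall it, so treat the field names as an assumption; cluster links and resource names are placeholders.

```python
# Clusters registered to the environ, as "<zone>/<cluster>" links (constructed).
MEMBERSHIPS = {"us-central1-a/gke-us", "europe-west1-c/gke-eu"}

# Constructed manifests; field names assumed from the Ingress for Anthos doc.
MANIFESTS = [
    {"kind": "MultiClusterService",
     "metadata": {"name": "foo", "namespace": "blue"},
     "spec": {"template": {"spec": {"selector": {"app": "foo"},
                                    "ports": [{"name": "web", "port": 80, "targetPort": 80}]}},
              # clusters field: which registered clusters back this service
              "clusters": [{"link": "us-central1-a/gke-us"}, {"link": "europe-west1-c/gke-eu"}]}},
    {"kind": "MultiClusterService",
     "metadata": {"name": "default-backend", "namespace": "blue"},
     "spec": {"template": {"spec": {"selector": {"app": "default"},
                                    "ports": [{"name": "web", "port": 8080, "targetPort": 8080}]}},
              "clusters": [{"link": "asia-east1-a/gke-asia"}]}},  # not registered: flagged
    {"kind": "MultiClusterIngress",
     "metadata": {"name": "foo-ingress", "namespace": "blue"},
     "spec": {"template": {"spec": {
         "backend": {"serviceName": "default-backend", "servicePort": 8080},
         "rules": [{"host": "foo.example.com", "http": {"paths": [
             {"path": "/", "backend": {"serviceName": "foo", "servicePort": 80}},
             {"path": "/old", "backend": {"serviceName": "missing", "servicePort": 80}}]}}]}}}},
]


def validate(manifests, memberships):
    """Report MCS entries pointing at unregistered clusters and MCI backends with no
    MCS of that name in the same namespace (namespace sameness applies per namespace)."""
    errors = []
    mcs = {(m["metadata"]["namespace"], m["metadata"]["name"])
           for m in manifests if m["kind"] == "MultiClusterService"}
    for m in manifests:
        ns, name = m["metadata"]["namespace"], m["metadata"]["name"]
        if m["kind"] == "MultiClusterService":
            for c in m["spec"].get("clusters", []):
                if c["link"] not in memberships:
                    errors.append(f"MCS {ns}/{name}: cluster {c['link']} is not registered")
        elif m["kind"] == "MultiClusterIngress":
            spec = m["spec"]["template"]["spec"]
            backends = [spec["backend"]] + [p["backend"] for r in spec.get("rules", [])
                                            for p in r["http"]["paths"]]
            for b in backends:
                if (ns, b["serviceName"]) not in mcs:
                    errors.append(f"MCI {ns}/{name}: backend {b['serviceName']} has no MCS in {ns}")
    return errors


if __name__ == "__main__":
    print("\n".join(validate(MANIFESTS, MEMBERSHIPS)) or "ok")
```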
