Difference between revisions of "GCP/gcloud cli"

From Ever changing code
< GCP
Jump to navigation Jump to search
 
(30 intermediate revisions by the same user not shown)
Line 5: Line 5:


# Add the Cloud SDK distribution URI as a package source
# Add the Cloud SDK distribution URI as a package source
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | \
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
   sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
   | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list


# Import the Google Cloud Platform public key
# Import the Google Cloud Platform public key
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
   | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
   | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
# > Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).


# Update the package list and install the Cloud SDK
# Update the package list and install the Cloud SDK
Line 41: Line 43:
config_sentinel
config_sentinel
configurations
configurations
# Show current configuration
gcloud config list
</source>
</source>


= Initialize =
= Initialize and authenticate =
== Authenticate as a user ==
<source lang=bash>
<source lang=bash>
# Verify SDK version and connected account & project
# Verify SDK version and connected account & project
$> gcloud info | grep '\(Google\|Account\|Project\)'
gcloud info | grep '\(Google\|Account\|Project\)'
Google Cloud SDK [315.0.0]
Google Cloud SDK [315.0.0]
Account: [None]
Account: [None]
Line 52: Line 58:


# Initialize
# Initialize
$> gcloud init
gcloud init --console-only # console interactive mode
Welcome! This command will take you through the configuration of gcloud.
gcloud init
(...)Go to the following link in your browser:
    https://accounts.google.com/o/oauth2/auth?client_id=32555940559.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&code_challenge=cjLaWdeXW6fY2ux3RITtb4JkOPW477aQsfV_qKhHGDU&code_challenge_method=S256&access_type=offline&response_type=code&prompt=select_account


Your current configuration has been set to: [default]
# Set the project defaults
## Compute Engine zone, [17] europe-west1-b
gcloud config set compute/zone europe-west1-b


You can skip diagnostics next time by using the following flag:
## Compute Engine region
  gcloud init --skip-diagnostics
gcloud config set compute/region europe-west1
</source>


Network diagnostic detects and fixes local network connection issues.
== Authenticate as serviceaccount ==
Checking network connection...done.                                                                                                                                                                                                                                   
* [https://cloud.google.com/docs/authentication/production GCP Authentication in production] using '''Application Default Credentials (ADC)'''
Reachability Check passed.
Network diagnostic passed (1/1 checks passed).


You must log in to continue. Would you like to log in (Y/n)?  y


Go to the following link in your browser:
Google recommends to use Google Cloud Client Libraries (GCCL) for the applications. Google Cloud Client Libraries use a library called Application Default Credentials (ADC) to automatically find your service account credentials. ADC looks for service account credentials in the following order:
# If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to.
# If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code.


    https://accounts.google.com/o/oauth2/auth?client_id=32555940559.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&code_challenge=cjLaWdeXW6fY2ux3RITtb4JkOPW477aQsfV_qKhHGDU&code_challenge_method=S256&access_type=offline&response_type=code&prompt=select_account


Enter verification code: *****
;Create SA credentials for the default `App Engine default service account` and authenticate from gcloud
<source lang=bash>
## Get current project_id
export GCP_PROJECT_ID=$(gcloud info --format='value(config.project)'); echo $GCP_PROJECT_ID


You are logged in as: [example.email@gmail.com].
## Get the default `App Engine default service account` email
export GCP_SA_EMAIL=$(gcloud iam service-accounts list --filter="displayName:App Engine default service account" --format='value(email)'); echo $GCP_SA_EMAIL


Pick cloud project to use:
## Create a secret key
[1] kinetic-physics-111111
gcloud iam service-accounts keys create ${GCP_SA_EMAIL}.json --iam-account $GCP_SA_EMAIL --project $GCP_PROJECT_ID
[2] Create a new project
Please enter numeric choice or text value (must exactly match list
item):  1


Your current project has been set to: [kinetic-physics-293121].
## Set SA as a account to be used as a identity when connecting with gcloud cli
ACCOUNT=$GCP_SA_EMAIL # inpersonalization
gcloud config set account $ACCOUNT


Not setting default zone/region (this feature makes it easier to use
# Add SA to gcloud auth
[gcloud compute] by setting an appropriate default value for the
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
--zone and --region flag).
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/legacy_credentials/${GCP_PROJECT_ID}@appspot.gserviceaccount.com/google-service-account.json
See https://cloud.google.com/compute/docs/gcloud-compute section on how to set
GCP_SA=$(jq -r .client_email $GOOGLE_APPLICATION_CREDENTIALS); echo $GCP_SA # => "px-platform-dev@appspot.gserviceaccount.com"
default compute region and zone manually. If you would like [gcloud init] to be
able to do this for you the next time you run it, make sure the
Compute Engine API is enabled for your project on the
https://console.developers.google.com/apis page.


Created a default .boto configuration file at [/home/vagrant/.boto]. See this file and
## Add/activate SA to be used with gcloud auth
[https://cloud.google.com/storage/docs/gsutil/commands/config] for more
gcloud auth activate-service-account $GCP_SA --key-file=$GOOGLE_APPLICATION_CREDENTIALS --project=$GCP_PROJECT_ID
information about configuring Google Cloud Storage.
Your Google Cloud SDK is configured and ready to use!


* Commands that require authentication will use kapitanpiotrek@gmail.com by default
# Piotr's secret key path convention
* Commands will reference project `kinetic-physics-293121` by default
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/legacy_credentials/${GCP_SA_EMAIL}/${GCP_SA_EMAIL}.json
Run `gcloud help config` to learn how to change individual settings
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/legacy_credentials/${GCP_SA_EMAIL}/google-service-account.json
</source>


This gcloud configuration is called [default]. You can create additional configurations if you work with multiple accounts and/or projects.
Run `gcloud topic configurations` to learn more.


Some things to try next:
== Asossiate ServiceAccount with a role ==
* [https://stackoverflow.com/questions/47006062/how-do-i-list-the-roles-associated-with-a-gcp-service-account/50485552#50485552 how-do-i-list-the-roles-associated-with-a-gcp-service-account]
* [https://stackoverflow.com/questions/42564112/adding-roles-to-service-accounts-on-google-cloud-platform-using-rest-api adding-roles-to-service-accounts-on-google-cloud-platform-using-rest-api]


* Run `gcloud --help` to see the Cloud Platform services you can interact with. And run `gcloud help COMMAND` to get help on any gcloud command.
* Run `gcloud topic --help` to learn about advanced features of the SDK like arg files and output formatting
</source>
Set defaults
<source lang=bash>
<source lang=bash>
# Set project default Compute Engine zone, [17] europe-west1-b
# Filter - get roles of a specific service account
$> gcloud config set compute/zone europe-west1-b
GCP_PROJECT_ID=acme-dev
GCP_SA=serviceaccount-1@${GCP_PROJECT_ID}.iam.gserviceaccount.com
gcloud projects get-iam-policy $GCP_PROJECT_ID \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:$GCP_SA"


# Set project default Compute Engine region
# Filter - get members of a specific role
$> gcloud config set compute/region europe-west1
ROLE=logging.logWriter
</source>
gcloud projects get-iam-policy $GCP_PROJECT_ID \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role:$ROLE"


= Install kubectl from Google =
# Add IAM policy binding for a project (bind a serviceaccount and a project)
<source lanag=bash>
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
$> gcloud components install kubectl
--member=serviceAccount:$GCP_SA \
ERROR: (gcloud.components.install)  
--role=roles/$ROLE
You cannot perform this action because the Cloud SDK component manager
```
is disabled for this installation. You can run the following command
to achieve the same result for this installation:  
 
sudo apt-get install kubectl
</source>


= Verify =
= Verify =
Line 163: Line 167:
</source>
</source>


= Create cluster =
= Kubernetes =
== Install <code>kubectl</code> from Google ==
<source lanag=bash>
gcloud components install kubectl # Cloud SDK component manager must be enabled
</source>
 
== [https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke Kubectl authentication in GKE] ==
<source lang=bash>
# Install using "gcloud components install"
gcloud components install gke-gcloud-auth-plugin
 
# Install using "apt-get install" for DEB based systems
sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
 
## Pre-reqs
sudo apt-get install apt-transport-https ca-certificates gnupg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.gpg
sudo apt-get update && sudo apt-get install google-cloud-cli
 
# Verify installation
gke-gcloud-auth-plugin --version
 
# Run kubectl with the new plugin prior to the release of v1.26
# Set `export USE_GKE_GCLOUD_AUTH_PLUGIN=True` in `~/.bashrc`
 
# Re-create kubeconfig file that uses the auth-plugin
gcloud components update
gcloud container clusters get-credentials CLUSTER_NAME
</source>
 
 
Example
<source lang=yaml>
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    proxy-url: http://proxy.example.com:8123
    server: https://10.10.10.2
  name: gke_projectname_europe-west1_cluster-name
contexts:
- context:
    cluster: gke_projectname_europe-west1_cluster-name
    user: gke_projectname_europe-west1_cluster-name
  name: gke_projectname_europe-west1_cluster-name
current-context: gke_projectname_europe-west1_cluster-name
kind: Config
preferences: {}
users:
- name: gke_projectname_europe-west1_cluster-name
  user:
    exec: # this auth part has been updated to use the plugin
      apiVersion: client.authentication.k8s.io/v1beta1
      args: null
      command: gke-gcloud-auth-plugin
      env: null
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
      interactiveMode: IfAvailable
      provideClusterInfo: true
</source>
 
 
;Issues with the new gke-gcloud-auth-plugin: (started with k8s 1.22, required in 1.26)
This is caused by <code>gcloud auth activate-service-account --key-file=path/to/key</code> impersonation of GSA, and it's cached token. Switch to a correct account with:
* <code>gcloud config set ACCOUNT [PROJECT]</code>
* if the token has not expired yet delete the authentication cache at <code>rm ~/.kube/gke_gcloud_auth_plugin_cache</code>
 
== Create GKE cluster ==
{{Note|Do not enable cluster-autoscaler <code>--enable-autoscaling</code> option if you plan to size to zero}}
{{Note|Do not enable cluster-autoscaler <code>--enable-autoscaling</code> option if you plan to size to zero}}


Line 198: Line 273:


# Create/refresh kubeconfig new context entry
# Create/refresh kubeconfig new context entry
gcloud container clusters get-credentials $CLUSTER_NAME
REGION=europe-west1
gcloud container clusters get-credentials $CLUSTER_NAME --region $REGION


# Delete
# Delete
gcloud container clusters delete $CLUSTER_NAME
gcloud container clusters delete $CLUSTER_NAME --region $REGION
</source>
</source>


 
== [https://cloud.google.com/kubernetes-engine/docs/how-to/resizing-a-cluster Scale the cluster] ==
[https://cloud.google.com/kubernetes-engine/docs/how-to/resizing-a-cluster Scale cluster]
Worker nodes are controlled by one or more node-pools. Scaling it means configuring the min, max and num-nodes parameters.
<source lang=bash>
<source lang=bash>
CLUSTER_NAME=istio
CLUSTER_NAME=istio
Line 212: Line 288:
istio  europe-west1-b  1.17.12-gke.1504  104.199.53.112  n1-standard-2  1.17.12-gke.1504  3          RUNNING
istio  europe-west1-b  1.17.12-gke.1504  104.199.53.112  n1-standard-2  1.17.12-gke.1504  3          RUNNING


gcloud container clusters resize $CLUSTER_NAME --num-nodes 0 # --node-pool $NODE_POOL_NAME can be skipped of only it's one
gcloud container clusters resize $CLUSTER_NAME --num-nodes 0 --node-pool $NODE_POOL_NAME # --node-pool can be skipped if only one
</source>
</source>


= Update cluster setting =
== Update cluster setting ==
Network policy enforce, will cause rolling nodes update, [https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#using-gcloud-config read more...]
Network policy enforce, will cause rolling nodes update, [https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#using-gcloud-config read more...]
<source lang=bash>
<source lang=bash>
Line 222: Line 298:
</source>
</source>


= List available K8s versions for GKE =
== List available K8s versions for GKE ==
<source lang=bash>
<source lang=bash>
gcloud container get-server-config # --zone compute-zone
gcloud container get-server-config # --zone compute-zone
Line 249: Line 325:
</source>
</source>


= Compute - vm - GKE metadata service =
* https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#gke_mds
<source lang=yaml>
kubectl apply -f <(cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  namespace: workload-identity
  name: gcloud-1
spec:
  containers:
  - command:
    - "sleep"
    - "infinity"
    #- "7200"
  #args:
  #- "bash"
    image: google/cloud-sdk:slim
    #image: google/cloud-sdk:370.0.0-debian_component_based
    #image: google/cloud-sdk:370.0.0-alpine
    #image: google/cloud-sdk:372.0.0
    #image: bitnami/google-cloud-sdk:0.372.0-debian-10-r0
    imagePullPolicy: IfNotPresent
    name: gcloud
  restartPolicy: Never
  serviceAccountName: vault
EOF
) --dry-run=server
# Test the metadata service (MDS) endpoint
curl http://metadata.google.internal/computeMetadata/v1/project/project-id -H "Metadata-Flavor: Google"
</source>


= Cheatsheet =
= Cheatsheet =
<source lang=bash>
<source lang=bash>
$> gcloud container clusters get-credentials mycluster
# Get credentials
gcloud container clusters get-credentials mycluster


$> kubectl get pods --all-namespaces
# Delete default limits
NAMESPACE    NAME                                                          READY  STATUS    RESTARTS  AGE
kubectl delete limits limits
kube-system  kube-dns-6cd7bbdf65-85nz5                                    4/4    Running  0          4m38s
</source>
kube-system  kube-dns-6cd7bbdf65-ffrtl                                    4/4    Running  0          4m12s
kube-system  kube-dns-autoscaler-bb58c6784-5bx65                          1/1    Running  0          4m16s
kube-system  kube-proxy-gke-cluster-2-jan2020-default-pool-3e5d4a20-ctdg  1/1    Running  0          4m26s
kube-system  kube-proxy-gke-cluster-2-jan2020-default-pool-3e5d4a20-d2d8  1/1    Running  0          4m24s
kube-system  kube-proxy-gke-cluster-2-jan2020-default-pool-3e5d4a20-vn76  1/1    Running  0          4m30s
kube-system  metrics-server-v0.3.1-57c75779f-ctz4h                        2/2    Running  0          4m9s


Delete default limits
== [https://cloud.google.com/sdk/gcloud/reference/topic/filters Filters] ==
$> kubectl delete limits limits
<source>
# Flatten the output to get resource-key
gcloud compute regions list --format=flattened
</source>
 
= Troubleshooting =
[https://github.com/GoogleCloudPlatform/gcpdiag gcpdiag] is a command-line diagnostics tool for GCP customers.
<source lang=bash>
# Install or run in the Cloud Shell
curl https://gcpdiag.dev/gcpdiag.sh >gcpdiag
chmod +x gcpdiag
./gcpdiag lint --project=MYPROJECT
./gcpdiag lint --project=MYPROJECT --include gke
./gcpdiag lint --project=MYPROJECT --include gke --include-extended # may generate false positives
</source>
</source>


= References =
= References =
* [https://cloud.google.com/sdk/docs/quickstart-debian-ubuntu quickstart-debian-ubuntu] Google Docs
* [https://cloud.google.com/sdk/docs/quickstart#deb Getting started with Cloud SDK] Google Docs
* [https://cloud.google.com/blog/products/it-ops/filtering-and-formatting-fun-with Filter, format, and transform data with gcloud, Google Cloud's command line interface]
* [[Google_GKE]]
* [[Google_GKE]]

Latest revision as of 11:20, 20 January 2023

Install gcloud cli

# Ubuntu 18.04 LTS, 20.04; Dec 2021
sudo apt-get install apt-transport-https ca-certificates gnupg

# Add the Cloud SDK distribution URI as a package source
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
  | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list

# Import the Google Cloud Platform public key
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
  | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -

# > Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

# Update the package list and install the Cloud SDK
sudo apt-get update && sudo apt-get install google-cloud-sdk

# Additional packages are available:
#  google-cloud-sdk-app-engine-python
#  google-cloud-sdk-app-engine-python-extras
#  google-cloud-sdk-app-engine-java
#  google-cloud-sdk-app-engine-go
#  google-cloud-sdk-bigtable-emulator
#  google-cloud-sdk-cbt
#  google-cloud-sdk-cloud-build-local
#  google-cloud-sdk-datalab
#  google-cloud-sdk-datastore-emulator
#  google-cloud-sdk-firestore-emulator
#  google-cloud-sdk-pubsub-emulator
#  kubectl   # <- interesting YEAH!

# Update your installation
gcloud components update

sudo apt-get update && sudo apt-get --only-upgrade install google-cloud-sdk-pubsub-emulator google-cloud-sdk-bigtable-emulator google-cloud-sdk-app-engine-grpc google-cloud-sdk-kind google-cloud-sdk-cbt google-cloud-sdk-skaffold google-cloud-sdk-app-engine-java google-cloud-sdk-cloud-build-local google-cloud-sdk-anthos-auth google-cloud-sdk-datastore-emulator google-cloud-sdk-kpt google-cloud-sdk-app-engine-python google-cloud-sdk kubectl google-cloud-sdk-datalab google-cloud-sdk-app-engine-python-extras google-cloud-sdk-minikube google-cloud-sdk-spanner-emulator google-cloud-sdk-firestore-emulator google-cloud-sdk-app-engine-go

# gcloud configuration location
ls -la ~/.config/gcloud
active_config
application_default_credentials.json
cache
config_sentinel
configurations

# Show current configuration
gcloud config list

Initialize and authenticate

Authenticate as a user

# Verify SDK version and connected account & project
gcloud info | grep '\(Google\|Account\|Project\)'
Google Cloud SDK [315.0.0]
Account: [None]
Project: [None]

# Initialize
gcloud init --console-only # console interactive mode
gcloud init
(...)Go to the following link in your browser:
    https://accounts.google.com/o/oauth2/auth?client_id=32555940559.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&code_challenge=cjLaWdeXW6fY2ux3RITtb4JkOPW477aQsfV_qKhHGDU&code_challenge_method=S256&access_type=offline&response_type=code&prompt=select_account

# Set the project defaults
## Compute Engine zone, [17] europe-west1-b
gcloud config set compute/zone europe-west1-b

## Compute Engine region
gcloud config set compute/region europe-west1

Authenticate as serviceaccount


Google recommends to use Google Cloud Client Libraries (GCCL) for the applications. Google Cloud Client Libraries use a library called Application Default Credentials (ADC) to automatically find your service account credentials. ADC looks for service account credentials in the following order:

  1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to.
  2. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code.


Create SA credentials for the default `App Engine default service account` and authenticate from gcloud
## Get current project_id
export GCP_PROJECT_ID=$(gcloud info --format='value(config.project)'); echo $GCP_PROJECT_ID

## Get the default `App Engine default service account` email
export GCP_SA_EMAIL=$(gcloud iam service-accounts list --filter="displayName:App Engine default service account" --format='value(email)'); echo $GCP_SA_EMAIL

## Create a secret key
gcloud iam service-accounts keys create ${GCP_SA_EMAIL}.json --iam-account $GCP_SA_EMAIL --project $GCP_PROJECT_ID

## Set SA as a account to be used as a identity when connecting with gcloud cli
ACCOUNT=$GCP_SA_EMAIL # inpersonalization
gcloud config set account $ACCOUNT

# Add SA to gcloud auth
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/legacy_credentials/${GCP_PROJECT_ID}@appspot.gserviceaccount.com/google-service-account.json
GCP_SA=$(jq -r .client_email $GOOGLE_APPLICATION_CREDENTIALS); echo $GCP_SA # => "px-platform-dev@appspot.gserviceaccount.com"

## Add/activate SA to be used with gcloud auth
gcloud auth activate-service-account $GCP_SA --key-file=$GOOGLE_APPLICATION_CREDENTIALS --project=$GCP_PROJECT_ID

# Piotr's secret key path convention
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/legacy_credentials/${GCP_SA_EMAIL}/${GCP_SA_EMAIL}.json
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/legacy_credentials/${GCP_SA_EMAIL}/google-service-account.json


Asossiate ServiceAccount with a role

# Filter - get roles of a specific service account
GCP_PROJECT_ID=acme-dev
GCP_SA=serviceaccount-1@${GCP_PROJECT_ID}.iam.gserviceaccount.com
gcloud projects get-iam-policy $GCP_PROJECT_ID \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:$GCP_SA"

# Filter - get members of a specific role
ROLE=logging.logWriter
gcloud projects get-iam-policy $GCP_PROJECT_ID \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role:$ROLE"

# Add IAM policy binding for a project (bind a serviceaccount and a project)
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member=serviceAccount:$GCP_SA \
--role=roles/$ROLE
```

= Verify =
<source lang=bash>
# List accounts whose credentials are stored on the local system:
gcloud auth list
       Credentialed Accounts
ACTIVE             ACCOUNT
*                  user1@gmail.com

# List the properties in your active SDK configuration:
gcloud config list
[core]
account = user1@gmail.com
disable_usage_reporting = False
project = responsive-sun-123456

# List multiple so called 'named configurations' 
gcloud config configurations list
NAME     IS_ACTIVE  ACCOUNT           PROJECT                DEFAULT_ZONE    DEFAULT_REGION
default  True       user1@gmail.com   responsive-sun-123456  europe-west1-b  europe-west1

# View information about your Cloud SDK installation and the active SDK configuration:
gcloud info
Google Cloud SDK [253.0.0]
...

# Verify gcloud project context
$ gcloud info | grep '\(Google\|Account\|Project\)'
Google Cloud SDK [277.0.0]
Account: [user1@gmail.com]
Project: [kinetic-physics-111111]

Kubernetes

Install kubectl from Google

gcloud components install kubectl # Cloud SDK component manager must be enabled

Kubectl authentication in GKE

# Install using "gcloud components install"
gcloud components install gke-gcloud-auth-plugin

# Install using "apt-get install" for DEB based systems
sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin

## Pre-reqs 
sudo apt-get install apt-transport-https ca-certificates gnupg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.gpg
sudo apt-get update && sudo apt-get install google-cloud-cli

# Verify installation
gke-gcloud-auth-plugin --version

# Run kubectl with the new plugin prior to the release of v1.26
# Set `export USE_GKE_GCLOUD_AUTH_PLUGIN=True` in `~/.bashrc`

# Re-create kubeconfig file that uses the auth-plugin
gcloud components update
gcloud container clusters get-credentials CLUSTER_NAME


Example 

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    proxy-url: http://proxy.example.com:8123
    server: https://10.10.10.2
  name: gke_projectname_europe-west1_cluster-name
contexts:
- context:
    cluster: gke_projectname_europe-west1_cluster-name
    user: gke_projectname_europe-west1_cluster-name
  name: gke_projectname_europe-west1_cluster-name
current-context: gke_projectname_europe-west1_cluster-name
kind: Config
preferences: {}
users:
- name: gke_projectname_europe-west1_cluster-name
  user:
    exec: # this auth part has been updated to use the plugin
      apiVersion: client.authentication.k8s.io/v1beta1
      args: null
      command: gke-gcloud-auth-plugin
      env: null
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
      interactiveMode: IfAvailable
      provideClusterInfo: true


Issues with the new gke-gcloud-auth-plugin
(started with k8s 1.22, required in 1.26)

This is caused by gcloud auth activate-service-account --key-file=path/to/key impersonation of GSA, and it's cached token. Switch to a correct account with:

  • gcloud config set ACCOUNT [PROJECT]
  • if the token has not expired yet delete the authentication cache at rm ~/.kube/gke_gcloud_auth_plugin_cache

Create GKE cluster

Note: Do not enable cluster-autoscaler --enable-autoscaling option if you plan to size to zero

Note: GCP GKE release versions 

gcloud services enable container.googleapis.com
CLUSTER_RELEASE_CHANNEL=regular # stable, rapid -> gcloud container get-server-config
CLUSTER_NAME=istio
#CLUSTER_VERSION=1.17.12
gcloud container clusters describe $CLUSTER_NAME || gcloud container clusters create $CLUSTER_NAME \
  --release-channel $CLUSTER_RELEASE_CHANNEL \
  --machine-type=n1-standard-2 \
  --min-nodes 3 \
  --max-nodes 6 \
  --enable-autoscaling \
  --enable-network-policy \
  --preemptible \
  --no-enable-autoupgrade \
  --no-enable-autoscaling
# --cluster-version=$CLUSTER_VERSION
# --preemptible        # aka as spot instances, much cheaper but can be terminated at any time
# --enable-autoupgrade # this is a default now 2020-11

# Optional. Create your specific 'cluster-admin' user
kubectl get    clusterrolebinding $(gcloud config get-value core/account)-cluster-admin ||
kubectl create clusterrolebinding $(gcloud config get-value core/account)-cluster-admin \
--clusterrole=cluster-admin \
--user="$(gcloud config get-value core/account)"

# List
gcloud container clusters list
NAME   LOCATION        MASTER_VERSION   MASTER_IP       MACHINE_TYPE   NODE_VERSION     NUM_NODES  STATUS
istio  europe-west1-b  1.16.13-gke.401  104.155.45.246  n1-standard-2  1.16.13-gke.401  3          RUNNING

# Create/refresh kubeconfig new context entry
REGION=europe-west1
gcloud container clusters get-credentials $CLUSTER_NAME --region $REGION

# Delete
gcloud container clusters delete $CLUSTER_NAME --region $REGION

Scale the cluster

Worker nodes are controlled by one or more node-pools. Scaling it means configuring the min, max and num-nodes parameters. 

CLUSTER_NAME=istio
gcloud container clusters list
NAME   LOCATION        MASTER_VERSION    MASTER_IP       MACHINE_TYPE   NODE_VERSION      NUM_NODES  STATUS
istio  europe-west1-b  1.17.12-gke.1504  104.199.53.112  n1-standard-2  1.17.12-gke.1504  3          RUNNING

gcloud container clusters resize $CLUSTER_NAME --num-nodes 0 --node-pool $NODE_POOL_NAME # --node-pool can be skipped if only one

Update cluster setting

Network policy enforce, will cause rolling nodes update, read more... 

gcloud container clusters update istio2 --no-enable-network-policy
gcloud container clusters update istio2 --no-enable-stackdriver-kubernetes # default: no-enabled

List available K8s versions for GKE

gcloud container get-server-config # --zone compute-zone
Fetching server config for europe-west1-b
channels:
- channel: RAPID
  defaultVersion: 1.18.9-gke.2501
  validVersions:
  - 1.18.9-gke.2501
  - 1.18.9-gke.1501
- channel: REGULAR
  defaultVersion: 1.17.12-gke.1504
  validVersions:
  - 1.17.12-gke.1504
  - 1.17.12-gke.1501
- channel: STABLE
  defaultVersion: 1.16.13-gke.401
  validVersions:
  - 1.16.13-gke.403 +more...
defaultClusterVersion: 1.16.13-gke.401
defaultImageType: COS
validImageTypes:
- UBUNTU +more...
validMasterVersions:
- 1.17.12-gke.2502 +more...

Compute - vm - GKE metadata service


kubectl apply -f <(cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  namespace: workload-identity
  name: gcloud-1
spec:
  containers:
  - command:
    - "sleep"
    - "infinity"
    #- "7200"
   #args:
   #- "bash"
    image: google/cloud-sdk:slim
    #image: google/cloud-sdk:370.0.0-debian_component_based
    #image: google/cloud-sdk:370.0.0-alpine
    #image: google/cloud-sdk:372.0.0
    #image: bitnami/google-cloud-sdk:0.372.0-debian-10-r0
    imagePullPolicy: IfNotPresent
    name: gcloud
  restartPolicy: Never
  serviceAccountName: vault
EOF
) --dry-run=server


# Test the metadata service (MDS) endpoint 
curl http://metadata.google.internal/computeMetadata/v1/project/project-id -H "Metadata-Flavor: Google"

Cheatsheet

# Get credentials
gcloud container clusters get-credentials mycluster

# Delete default limits
kubectl delete limits limits

Filters

# Flatten the output to get resource-key
gcloud compute regions list --format=flattened

Troubleshooting

gcpdiag is a command-line diagnostics tool for GCP customers. 

# Install or run in the Cloud Shell
curl https://gcpdiag.dev/gcpdiag.sh >gcpdiag
chmod +x gcpdiag
./gcpdiag lint --project=MYPROJECT
./gcpdiag lint --project=MYPROJECT --include gke
./gcpdiag lint --project=MYPROJECT --include gke --include-extended # may generate false positives

References

Retrieved from ‘http://wiki.ciscolinux.co.uk/index.php?title=GCP/gcloud_cli&oldid=6965