Spring Boot on GCP
Kubernetes Cluster

Learn how to create a production-grade Kubernetes cluster to deploy your application.


Last updated 4 years ago


This section requires basic understanding of Docker and container images - make sure you do the tutorial in sequence.

Enable API

gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com

Create Cluster

While it's easy to create a Kubernetes Engine cluster, it takes a bit more to provision a production-grade cluster. This cluster will enable many features for production use:

Feature: Description

Workload Identity: Workload Identity is the recommended way to access Google Cloud services from within GKE. It lets you bind a specific Google service account to a Kubernetes workload (through its Kubernetes service account), so pods get only the IAM permissions they need instead of inheriting the node's credentials.

VPC Native Cluster: Allows Kubernetes Pod IP addresses to be natively routable on a VPC. Most importantly, it allows one hop from a Google Cloud Load Balancer to the Kubernetes Pod without unnecessary intermediary routing.

Network Policy: Network policy enforcement to control the communication between your cluster's Pods and Services.

Cloud Operations: Allows you to monitor your running Google Kubernetes Engine clusters, manage your system and debug logs, and analyze your system's performance using advanced profiling and tracing capabilities.

Binary Authorization: Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine.

Shielded Nodes: Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes.

Secure Boot: Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.

Auto Repair: Automatically repair a Google Kubernetes Engine node if it becomes unhealthy.

Auto Upgrade: Automatically upgrade the Google Kubernetes Engine node version to keep up to date with the cluster control plane version.

# Workload Identity pool is named after the project, so resolve it first.
PROJECT_ID=$(gcloud config get-value project)
gcloud container clusters create demo-cluster \
  --num-nodes 4 \
  --machine-type n1-standard-4 \
  --network=default \
  --workload-pool=${PROJECT_ID}.svc.id.goog \
  --enable-ip-alias \
  --enable-network-policy \
  --enable-stackdriver-kubernetes \
  --enable-binauthz \
  --enable-shielded-nodes \
  --shielded-secure-boot \
  --enable-autorepair \
  --enable-autoupgrade \
  --scopes=cloud-platform

Two things to be aware of with this command. First, the nodes run as the Compute Engine default service account unless you pass --service-account, and --scopes=cloud-platform gives that account's token the full cloud-platform scope on every node; any pod that can reach the node's metadata server without going through Workload Identity inherits those permissions. For production, create a dedicated node service account with only the roles the nodes themselves need (logging, monitoring, Artifact Registry read) and let Workload Identity handle application access. Second, newer gcloud releases mark --enable-stackdriver-kubernetes and --enable-binauthz as deprecated in favor of --logging/--monitoring and --binauthz-evaluation-mode; they are still accepted with a warning, but check gcloud container clusters create --help for your version.
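Creating the cluster is one thing; confirming that every hardening flag actually took effect (and catching drift later, after someone edits the cluster in the console) is another. The following script is an added example, not code from the original page or from Google, that audits the JSON printed by gcloud container clusters describe demo-cluster --format=json for the features in the table above, plus the node service account and OAuth scope caveats. The field names follow the GKE Cluster API resource as I understand it (workloadIdentityConfig, ipAllocationPolicy, networkPolicy, binaryAuthorization, shieldedNodes, nodePools[].config and nodePools[].management); the embedded JSON is a constructed sample, not real output. Pipe real output into it with gcloud container clusters describe demo-cluster --format=json | python3 gke_audit.py.

```python
import json
import sys

# Constructed sample of `gcloud container clusters describe ... --format=json`,
# trimmed to the fields the audit inspects. This is NOT real gcloud output.
SAMPLE_DESCRIBE = json.dumps({
    "name": "demo-cluster",
    "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
    "ipAllocationPolicy": {"useIpAliases": True},
    "networkPolicy": {"provider": "CALICO", "enabled": True},
    "loggingService": "logging.googleapis.com/kubernetes",
    "monitoringService": "monitoring.googleapis.com/kubernetes",
    "binaryAuthorization": {"enabled": True},
    "shieldedNodes": {"enabled": True},
    "privateClusterConfig": {"enablePrivateNodes": False},
    "nodePools": [{
        "name": "default-pool",
        "config": {
            "serviceAccount": "default",
            "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
            "shieldedInstanceConfig": {"enableSecureBoot": True,
                                       "enableIntegrityMonitoring": True},
        },
        "management": {"autoRepair": True, "autoUpgrade": True},
    }],
})

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# Cluster-level features from the create command: (label, dotted path, predicate).
CLUSTER_CHECKS = [
    ("Workload Identity", "workloadIdentityConfig.workloadPool", lambda v: bool(v)),
    ("VPC-native (IP alias)", "ipAllocationPolicy.useIpAliases", lambda v: v is True),
    ("Network Policy", "networkPolicy.enabled", lambda v: v is True),
    ("Cloud Operations logging", "loggingService",
     lambda v: v == "logging.googleapis.com/kubernetes"),
    ("Cloud Operations monitoring", "monitoringService",
     lambda v: v == "monitoring.googleapis.com/kubernetes"),
    ("Shielded Nodes", "shieldedNodes.enabled", lambda v: v is True),
]


def binauthz_enabled(cluster):
    """Older describe output exposes binaryAuthorization.enabled; newer output
    uses evaluationMode instead. Accept either form."""
    ba = cluster.get("binaryAuthorization") or {}
    return (ba.get("enabled") is True
            or ba.get("evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE")


def audit_cluster(describe_json):
    """Return (failures, warnings): failures are hardening features that are off,
    warnings are risky-but-common settings such as public nodes or broad scopes."""
    cluster = json.loads(describe_json)
    failures, warnings = [], []
    for label, path, ok in CLUSTER_CHECKS:
        if not ok(_get(cluster, path)):
            failures.append(label)
    if not binauthz_enabled(cluster):
        failures.append("Binary Authorization")
    if _get(cluster, "privateClusterConfig.enablePrivateNodes") is not True:
        warnings.append("nodes have public IPs (not a private cluster)")
    # Secure Boot, auto-repair/upgrade, service account and scopes are per node pool.
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "?")
        if _get(pool, "config.shieldedInstanceConfig.enableSecureBoot") is not True:
            failures.append(f"Secure Boot ({name})")
        if _get(pool, "management.autoRepair") is not True:
            failures.append(f"Auto Repair ({name})")
        if _get(pool, "management.autoUpgrade") is not True:
            failures.append(f"Auto Upgrade ({name})")
        if _get(pool, "config.serviceAccount", "default") == "default":
            warnings.append(f"{name} runs as the Compute Engine default service account")
        if CLOUD_PLATFORM_SCOPE in _get(pool, "config.oauthScopes", []):
            warnings.append(f"{name} nodes carry the cloud-platform OAuth scope")
    return failures, warnings


if __name__ == "__main__":
    # Read real describe output from stdin when piped; otherwise audit the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE
    failures, warnings = audit_cluster(data)
    for item in failures:
        print("FAIL", item)
    for item in warnings:
        print("WARN", item)
    sys.exit(1 if failures else 0)
```

Run it as a gate in your provisioning pipeline: a non-zero exit means one of the table's features is off. On the constructed sample every feature passes and the three warnings match exactly the caveats above (public nodes, default service account, cloud-platform scope).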

Credentials

When the cluster is created, gcloud writes an entry for it into your $HOME/.kube/config so kubectl can talk to it immediately. If you need to retrieve the credentials again (for example on another machine, or after the entry expires), run the following, adding --zone or --region if the cluster is not in your configured default location:

gcloud container clusters get-credentials demo-cluster

Node Pool and Nodes

The Kubernetes cluster is composed of multiple Nodes; each node is a Compute Engine Virtual Machine. When you deploy a container image into Kubernetes, a container instance is ultimately scheduled and run on one of the Nodes.

In Kubernetes Engine, these nodes are managed by a Node Pool, which is a set of homogeneous Compute Engine Virtual Machines (i.e., they have exactly the same configuration, such as machine type, disk, operating system, etc.).

You can add different machine types to your Kubernetes Engine cluster by creating a new Node Pool with the configuration you want. Node-level settings such as Secure Boot, auto-repair and auto-upgrade are also per node pool, so a pool added later must enable them explicitly.

You can see a list of Virtual Machines using gcloud:

gcloud compute instances list

You can also use kubectl to list the nodes that belong to the current cluster:

kubectl get nodes

You can also SSH into the node directly if needed, by specifying the name of the node (add --zone if it is not your default zone). Note that interactive SSH to nodes is itself something to restrict in production, for example with OS Login and firewall rules:

gcloud compute ssh gke-demo-cluster-default-pool-...

Once you are in the Compute Engine Virtual Machine, you can list the containers running inside the Node. On nodes with the Docker runtime this is docker ps; on Container-Optimized OS with containerd, which is the default node image on recent GKE versions, use sudo crictl ps instead, since docker ps will show nothing:

docker ps
exit

These nodes will still have a public IP, and be able to access the public Internet. For most production clusters, you'll want to consider creating a Private Cluster, so nodes get only internal IPs and cannot be reached from the Internet, and controlling egress via Cloud NAT, so the outbound traffic nodes and pods still need (image pulls, package updates, Google APIs) leaves through a managed, loggable path.