k8s notes

2024/02/14

Connect to a cluster

gcloud container clusters get-credentials {cluster-name} --region {region} --project {gcp-project-id}

# example
gcloud container clusters get-credentials ciao-gke --region asia-east1 --project foobar

Get container logs

# If no container is specified, the logs of the first container are shown
kubectl logs -f {pod-name}

# Specify a container
kubectl logs -f {pod-name} -c {container-name}

Enter a container

# If no container is specified, you enter the first container directly
kubectl exec -it {pod-name} -- bash

# Specify a container
kubectl exec -it {pod-name} -c {container-name} -- bash

Port forward

With port forwarding, even a service that is not exposed externally can be forwarded from the k8s service to a local port and used locally.

kubectl port-forward service/{service-name} {local-port}:{service-port}

# example
kubectl port-forward service/redis-headless -n infra 6379:6379

kubectl port-forward service/ciao-gke-api-service 8000:8000

Get the plaintext of a k8s secret

Suppose the following is the k8s secret yml

apiVersion: v1
data:
  fast_api_env: %FAST_API_ENV% 
  default_gcp_sa: %DEFAULT_GCP_SA% 
  db_password: %DB_PASSWORD% 
kind: Secret
metadata:
  name: ciao-gke-config
type: Opaque

The plaintext of a secret can be read as follows (the stored values are only base64-encoded, not encrypted):

kubectl get secret {secret-name} -o jsonpath='{.data.{key}}' | base64 --decode

# example
kubectl get secret ciao-gke-config -o jsonpath='{.data.fast_api_env}' | base64 --decode
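Added example, not part of the original note: the same kubectl/base64 pipeline wrapped in a shell function so it can be scripted, plus the escaping that jsonpath needs for keys containing dots (such as tls.crt or .dockerconfigjson), which the one-liner above does not handle. The KUBECTL variable, the function names and the fake_kubectl stand-in (with made-up base64 values) are assumptions for offline use; on a real cluster leave KUBECTL at its default.

```shell
#!/bin/sh
# Which kubectl to run. Point it at a stand-in (e.g. KUBECTL=fake_kubectl) to try
# the functions without a cluster.
: "${KUBECTL:=kubectl}"

# jsonpath_key KEY
# Escape dots in a data key so jsonpath reads them literally: keys such as
# "tls.crt" or ".dockerconfigjson" would otherwise be treated as nested paths.
jsonpath_key() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# get_secret_value SECRET KEY [NAMESPACE]
# Print the decoded plaintext of .data.KEY (namespace defaults to "default").
# Secret data is only base64-encoded, so this is decoding, not decryption;
# anyone allowed to `get secrets` in the namespace can do the same.
get_secret_value() {
  secret=$1
  key=$(jsonpath_key "$2")
  ns=${3:-default}
  encoded=$("$KUBECTL" get secret "$secret" -n "$ns" -o "jsonpath={.data.$key}") || return 1
  [ -n "$encoded" ] || return 1   # jsonpath prints nothing when the key is absent
  printf '%s' "$encoded" | base64 -d
}

# fake_kubectl: constructed stand-in that answers like
# `kubectl get secret ciao-gke-config -n <ns> -o jsonpath={.data.<key>}`.
# The base64 values encode made-up strings, not real credentials.
fake_kubectl() {
  case "$*" in
    *'ciao-gke-config'*'{.data.fast_api_env}') printf 'cHJvZA==' ;;      # "prod"
    *'ciao-gke-config'*'{.data.db_password}')  printf 'cy0zY3IzdA==' ;;  # "s-3cr3t"
    *) printf '' ;;                                                      # unknown key
  esac
}

# Offline demo: run as `sh this.sh demo`
if [ "${1:-}" = "demo" ]; then
  KUBECTL=fake_kubectl
  for k in fast_api_env db_password; do
    printf '%s=%s\n' "$k" "$(get_secret_value ciao-gke-config "$k")"
  done
fi
```

The function returns a non-zero status when the key does not exist, which is what you want in a script; the bare one-liner would instead pipe an empty string into base64 and appear to succeed.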

Workload Identity

Enable the IAM binding between the GSA and the KSA

gcloud iam service-accounts add-iam-policy-binding {GSA_NAME}@{GSA_PROJECT_ID}.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:{GKE_PROJECT_ID}.svc.id.goog[{GKE_NAMESPACE}/{KSA_NAME}]"

# example
gcloud iam service-accounts add-iam-policy-binding foobar@project-1.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:project-1.svc.id.goog[default/default]"

Set the annotation to complete the binding between the GSA and the KSA

kubectl annotate serviceaccount {KSA_NAME} \
    --namespace {NAMESPACE} \
    iam.gke.io/gcp-service-account={GSA_NAME}@{GSA_PROJECT}.iam.gserviceaccount.com

# example
kubectl annotate serviceaccount default \
    --namespace default \
    iam.gke.io/gcp-service-account=foobar@project-1.iam.gserviceaccount.com

Metadata server

# Get the service account email
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email

# Get an access token
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
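Added example, not part of the original note: the token endpoint answers with a small JSON object (access_token, expires_in, token_type), and slim images often lack jq, so the helpers below pull those fields out with sed and check how long the token remains valid before a script relies on it. The sample response and its token string are constructed; fetch_token is the note's curl call, kept separate because it needs the metadata server. Every process in the pod can obtain this token, which is the reason to keep the roles on the bound GSA minimal.

```shell
#!/bin/sh
# Constructed sample of a metadata-server token response; the token string is made up.
SAMPLE_TOKEN_JSON='{"access_token":"ya29.FAKE-TOKEN-FOR-DEMO","expires_in":3599,"token_type":"Bearer"}'

# json_field JSON FIELD
# Print the value of a top-level string or number field of a flat JSON object.
json_field() {
  printf '%s' "$1" | sed -n "s|.*\"$2\": *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*|\1|p"
}

# token_usable_for JSON MIN_SECONDS
# Succeed (status 0) only if the token is still valid for at least MIN_SECONDS.
token_usable_for() {
  ttl=$(json_field "$1" expires_in)
  [ -n "$ttl" ] && [ "$ttl" -ge "$2" ]
}

# fetch_token: the note's curl call. The Metadata-Flavor header is mandatory;
# the server rejects requests without it. -f makes curl fail on HTTP errors.
fetch_token() {
  curl -sS -f -H "Metadata-Flavor: Google" \
    http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
}

# Offline demo: run as `sh this.sh demo`
if [ "${1:-}" = "demo" ]; then
  printf 'token_type=%s expires_in=%s\n' \
    "$(json_field "$SAMPLE_TOKEN_JSON" token_type)" \
    "$(json_field "$SAMPLE_TOKEN_JSON" expires_in)"
  token_usable_for "$SAMPLE_TOKEN_JSON" 300 && echo "token good for at least 5 minutes"
fi
```

In a real pod you would replace the sample with `resp=$(fetch_token)` and send the token as `Authorization: Bearer $(json_field "$resp" access_token)`; re-fetch rather than cache it once token_usable_for fails.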
Common problems

No GKE logs are visible in the GCP Console

GKE writes logs through the default Compute Engine service account, so this SA must be granted the following two roles:

- Logging Admin
- Monitoring Metric Writer

before logs show up normally. Otherwise logs can only be viewed with the kubectl logs -f {pod-name} command. (Logging Admin is broader than writing logs requires; the Logs Writer role, roles/logging.logWriter, is enough for that.)