k8s notes
2024/02/14
Connect to a cluster
gcloud container clusters get-credentials {cluster-name} --region {region} --project {gcp-project-id}
# example
gcloud container clusters get-credentials ciao-gke --region asia-east1 --project foobar
Get container logs
# If no container is specified, the logs of the first container are shown
kubectl logs -f {pod-name}
# Specify a container
kubectl logs -f {pod-name} -c {container-name}
Exec into a container
# If no container is specified, you get a shell in the first container directly
kubectl exec -it {pod-name} -- bash
# Specify a container
kubectl exec -it {pod-name} -c {container-name} -- bash
Port forward
With port forwarding we can forward a k8s service port to a local port and use the service from our machine, even if the service is not exposed externally. The first port is the local port, the second is the service port.
kubectl port-forward service/{service-name} {local-port}:{service-port}
# example
kubectl port-forward service/redis-headless -n infra 6379:6379
kubectl port-forward service/ciao-gke-api-service 8000:8000
Get the plaintext of a k8s secret
Suppose the following is the k8s secret yml (the data values are base64-encoded):
apiVersion: v1
data:
  fast_api_env: %FAST_API_ENV%
  default_gcp_sa: %DEFAULT_GCP_SA%
  db_password: %DB_PASSWORD%
kind: Secret
metadata:
  name: ciao-gke-config
type: Opaque
We can get the plaintext of one key as follows (reading secrets requires RBAC get permission on secrets in that namespace):
kubectl get secret {secret-name} -o jsonpath='{.data.{key}}' | base64 --decode
# example
kubectl get secret ciao-gke-config -o jsonpath='{.data.fast_api_env}' | base64 --decode
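As an added example (not part of the original notes), the function below decodes every key under data: of a Secret manifest at once instead of one jsonpath lookup per key, and flags values that are not valid base64. The manifest embedded in SAMPLE_SECRET is constructed sample input in the shape of kubectl get secret ... -o yaml; its values are not real credentials.

```shell
#!/bin/sh
# Constructed sample in the shape of `kubectl get secret ciao-gke-config -o yaml`.
# Values are base64("dev"), base64("sa@project.iam"), base64("hunter2"): not real secrets.
SAMPLE_SECRET='apiVersion: v1
data:
  fast_api_env: ZGV2
  default_gcp_sa: c2FAcHJvamVjdC5pYW0=
  db_password: aHVudGVyMg==
kind: Secret
metadata:
  name: ciao-gke-config
type: Opaque'

# decode_secret_data: read a Secret manifest on stdin and print "key=plaintext"
# for every entry under data:. A value that is not valid base64 is reported
# as <undecodable> instead of aborting the whole listing.
decode_secret_data() {
    awk '
        /^data:/                { in_data = 1; next }   # start of the data block
        /^[^ ]/                 { in_data = 0 }         # next top-level key ends it
        in_data && /^  [^ ]+: / { sub(/:$/, "", $1); print $1 " " $2 }
    ' | while read -r key value; do
        if plain=$(printf '%s' "$value" | base64 -d 2>/dev/null); then
            printf '%s=%s\n' "$key" "$plain"
        else
            printf '%s=<undecodable>\n' "$key"
        fi
    done
}

# secret_value KEY: the same single-key lookup the notes do with jsonpath,
# run against the constructed manifest above.
secret_value() {
    printf '%s\n' "$SAMPLE_SECRET" | decode_secret_data \
        | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# Against a real cluster: kubectl get secret ciao-gke-config -o yaml | decode_secret_data
```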
Workload Identity
Enable the IAM binding between the GSA (Google service account) and the KSA (Kubernetes service account)
gcloud iam service-accounts add-iam-policy-binding {GSA_NAME}@{GSA_PROJECT_ID}.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:{GKE_PROJECT_ID}.svc.id.goog[{GKE_NAMESPACE}/{KSA_NAME}]"
# example
gcloud iam service-accounts add-iam-policy-binding foobar@project-1.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:project-1.svc.id.goog[default/default]"
Set the annotation on the KSA to complete the binding between the GSA and the KSA
kubectl annotate serviceaccount {KSA_NAME} \
--namespace {NAMESPACE} \
iam.gke.io/gcp-service-account={GSA_NAME}@{GSA_PROJECT}.iam.gserviceaccount.com
# example
kubectl annotate serviceaccount default \
--namespace default \
iam.gke.io/gcp-service-account=foobar@project-1.iam.gserviceaccount.com
Metadata server
# Get the service account email
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
# Get an access token
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
FAQ
No GKE logs show up in the GCP Console
GKE writes logs through the default Compute Engine service account, so the following two roles have to be added to that SA:
- Logging Admin
- Monitoring Metric Writer
Only then do the logs show up normally; otherwise logs can only be viewed with the kubectl logs -f {pod-name} command.