
Google Kubernetes Engine Cheat Sheet

Overview

Google Kubernetes Engine (GKE) is a managed Kubernetes service built on Google Cloud that provides a production-ready environment for deploying containerized applications. As the original creators of Kubernetes, Google brings deep expertise to GKE with features like Autopilot mode (fully managed node infrastructure), multi-cluster management with GKE Enterprise, and integrated security through Binary Authorization and Workload Identity. GKE runs a certified, conformant version of Kubernetes with automatic upgrades and repair.

GKE offers two operation modes: Standard (you manage node pools and configuration) and Autopilot (Google manages infrastructure, you only define workloads). Both modes integrate with Google Cloud services including Cloud Logging, Cloud Monitoring, Artifact Registry, Cloud Load Balancing, and VPC networking. GKE also supports GKE Sandbox (gVisor) for enhanced workload isolation, Managed Prometheus for metrics, and Gateway API for advanced traffic management.

Installation

Install gcloud CLI and kubectl

# Install gcloud SDK
curl https://sdk.cloud.google.com | bash
exec -l $SHELL
gcloud init

# Install kubectl via gcloud
gcloud components install kubectl

# Install gke-gcloud-auth-plugin (required for kubectl)
gcloud components install gke-gcloud-auth-plugin

# Verify
kubectl version --client
gcloud version

Cluster Management

| Command | Description |
|---|---|
| gcloud container clusters create <name> | Create a new GKE cluster |
| gcloud container clusters delete <name> | Delete a cluster |
| gcloud container clusters list | List clusters |
| gcloud container clusters describe <name> | Show cluster details |
| gcloud container clusters resize <name> --num-nodes <n> | Resize node pool |
| gcloud container clusters get-credentials <name> | Configure kubectl access |
| gcloud container clusters upgrade <name> | Upgrade cluster version |

Create Clusters

# Autopilot cluster (recommended)
gcloud container clusters create-auto my-cluster \
  --region us-central1 \
  --project my-project

# Standard cluster
gcloud container clusters create my-cluster \
  --region us-central1 \
  --num-nodes 3 \
  --machine-type e2-standard-4 \
  --disk-size 100 \
  --enable-autoscaling --min-nodes 1 --max-nodes 10 \
  --enable-autorepair \
  --enable-autoupgrade \
  --workload-pool=my-project.svc.id.goog \
  --enable-ip-alias

# Get credentials for kubectl
gcloud container clusters get-credentials my-cluster --region us-central1

Node Pool Management

# Add node pool
gcloud container node-pools create gpu-pool \
  --cluster my-cluster \
  --region us-central1 \
  --machine-type n1-standard-4 \
  --accelerator type=nvidia-tesla-t4,count=1 \
  --num-nodes 2 \
  --enable-autoscaling --min-nodes 0 --max-nodes 5

# List node pools
gcloud container node-pools list --cluster my-cluster --region us-central1

# Resize node pool
gcloud container node-pools update default-pool \
  --cluster my-cluster \
  --region us-central1 \
  --enable-autoscaling --min-nodes 2 --max-nodes 8

# Delete node pool
gcloud container node-pools delete old-pool --cluster my-cluster --region us-central1

Workload Identity

# Enable Workload Identity on cluster
gcloud container clusters update my-cluster \
  --workload-pool=my-project.svc.id.goog

# Create GCP service account
gcloud iam service-accounts create gke-app-sa

# Grant GCS access
gcloud projects add-iam-policy-binding my-project \
  --member "serviceAccount:gke-app-sa@my-project.iam.gserviceaccount.com" \
  --role "roles/storage.objectViewer"

# Bind Kubernetes SA to GCP SA
gcloud iam service-accounts add-iam-policy-binding gke-app-sa@my-project.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:my-project.svc.id.goog[default/app-sa]"

# Create and annotate the Kubernetes service account
# (namespace and name must match the [default/app-sa] member in the binding above)
kubectl create serviceaccount app-sa --namespace default
kubectl annotate serviceaccount app-sa --namespace default \
  iam.gke.io/gcp-service-account=gke-app-sa@my-project.iam.gserviceaccount.com
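The most common Workload Identity failure is a mismatch between the KSA annotation and the IAM binding (wrong namespace, wrong KSA name, or a typo in the GSA e-mail). The following Python script is an added example, not part of the cheat sheet: it takes the JSON that kubectl get serviceaccount -o json and gcloud iam service-accounts get-iam-policy --format=json would return and reports any inconsistency, plus any extra members that can impersonate the GSA. The two sample documents are constructed; the function names are this example's own.

```python
"""Consistency check for a GKE Workload Identity binding.

Added example, not part of the cheat sheet. It inspects the JSON documents
that `kubectl get serviceaccount app-sa -n default -o json` and
`gcloud iam service-accounts get-iam-policy <gsa-email> --format=json`
would return, and reports where the annotation and the IAM binding
disagree. The sample documents below are constructed for offline use.
"""
import json
import re

ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"
# Google service account e-mail: <account-id>@<project-id>.iam.gserviceaccount.com
GSA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$"
)


def expected_member(cluster_project, namespace, ksa_name):
    """IAM member that the cluster's workload pool presents for a Kubernetes SA."""
    return f"serviceAccount:{cluster_project}.svc.id.goog[{namespace}/{ksa_name}]"


def check_workload_identity(ksa_doc, gsa_policy, cluster_project):
    """Return a list of findings; an empty list means the binding is consistent."""
    findings = []
    meta = ksa_doc.get("metadata", {})
    namespace = meta.get("namespace", "default")
    name = meta.get("name", "")
    gsa_email = (meta.get("annotations") or {}).get(ANNOTATION)

    if not gsa_email:
        findings.append(f"KSA {namespace}/{name} has no {ANNOTATION} annotation")
        return findings
    if not GSA_EMAIL_RE.match(gsa_email):
        findings.append(f"annotation value {gsa_email!r} is not a service account e-mail")
        return findings

    want = expected_member(cluster_project, namespace, name)
    members = set()
    for binding in gsa_policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            members.update(binding.get("members", []))

    if want not in members:
        findings.append(
            f"{gsa_email} grants {WI_ROLE} to {sorted(members) or 'nobody'}, expected {want}"
        )
    # Least privilege: every extra member is another KSA allowed to act as this GSA.
    for extra in sorted(members - {want}):
        findings.append(f"{gsa_email} is also impersonable by {extra}")
    return findings


# Constructed sample: the annotated KSA from this section.
KSA_OK = json.loads("""
{"apiVersion": "v1", "kind": "ServiceAccount",
 "metadata": {"name": "app-sa", "namespace": "default",
              "annotations": {"iam.gke.io/gcp-service-account":
                              "gke-app-sa@my-project.iam.gserviceaccount.com"}}}
""")
# Constructed sample: IAM policy of the GSA after the add-iam-policy-binding above.
GSA_POLICY_OK = json.loads("""
{"bindings": [{"role": "roles/iam.workloadIdentityUser",
               "members": ["serviceAccount:my-project.svc.id.goog[default/app-sa]"]}],
 "etag": "BwXconstructed="}
""")
# Constructed sample: the same KSA created in a different namespace (a common mismatch).
KSA_WRONG_NS = json.loads(json.dumps(KSA_OK))
KSA_WRONG_NS["metadata"]["namespace"] = "prod"

if __name__ == "__main__":
    for label, ksa in (("ok", KSA_OK), ("wrong-namespace", KSA_WRONG_NS)):
        print(label, check_workload_identity(ksa, GSA_POLICY_OK, "my-project") or "consistent")
```

Feed it the real documents by piping kubectl and gcloud output into json.loads; the cluster project is the one that owns the workload pool, while the GSA itself may live in another project.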

Networking

Ingress with Google Cloud Load Balancer

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "web-ip"
    networking.gke.io/managed-certificates: "web-cert"
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: web-service
                port:
                  number: 80

Gateway API

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-http
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: web-cert

Configuration

GKE Config Connector (Manage GCP Resources via K8s)

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: my-app-data
  annotations:
    cnrm.cloud.google.com/project-id: my-project
spec:
  location: US
  storageClass: STANDARD
  versioning:
    enabled: true

Pod Disruption Budget

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: web
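A PDB interacts directly with the --enable-autoupgrade and --enable-autorepair flags used above: GKE drains nodes through the eviction API, and a budget that allows zero disruptions (for example minAvailable: 2 against a Deployment with 2 replicas) stalls upgrades and repairs. The following Python function is an added example, not part of the cheat sheet; it reproduces the arithmetic the Kubernetes disruption controller applies (percentages are scaled against the expected pod count and rounded up) so you can check a budget before relying on it. The function names are this example's own.

```python
"""How many voluntary disruptions does a PodDisruptionBudget allow right now?

Added example, not from the cheat sheet. Mirrors the Kubernetes disruption
controller: desired healthy pods are derived from minAvailable or
maxUnavailable (percentages rounded up against the expected pod count), and
allowed disruptions = healthy pods - desired healthy pods, never negative.
"""
import math


def _scaled(value, expected_count):
    """Resolve an int-or-percent field ("50%" or 2) against expected_count, rounding up."""
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(expected_count * int(value[:-1]) / 100)
    return int(value)


def disruptions_allowed(pdb_spec, healthy_pods, expected_count):
    """Pods that may be evicted now.

    pdb_spec        the PDB spec dict (minAvailable or maxUnavailable)
    healthy_pods    selected pods that are currently Ready
    expected_count  pods the selected controllers want (sum of their replicas)
    """
    if "maxUnavailable" in pdb_spec:
        desired_healthy = expected_count - _scaled(pdb_spec["maxUnavailable"], expected_count)
    elif "minAvailable" in pdb_spec:
        desired_healthy = _scaled(pdb_spec["minAvailable"], expected_count)
    else:
        raise ValueError("PDB must set minAvailable or maxUnavailable")
    return max(0, healthy_pods - desired_healthy)


def drain_can_progress(pdb_spec, healthy_pods, expected_count):
    """True if a node drain can evict at least one pod covered by this PDB."""
    return disruptions_allowed(pdb_spec, healthy_pods, expected_count) > 0


if __name__ == "__main__":
    web_pdb = {"minAvailable": 2}          # the web-pdb spec above
    for replicas in (2, 3):
        print(f"replicas={replicas}: drain can progress ->",
              drain_can_progress(web_pdb, replicas, replicas))
```

With the page's web-pdb, a 2-replica Deployment yields zero allowed disruptions and every GKE node drain blocks until the PDB or the replica count changes; 3 replicas (or a maxUnavailable budget) lets maintenance proceed one pod at a time.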

Advanced Usage

Binary Authorization

# Enable Binary Authorization
gcloud container clusters update my-cluster \
  --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

# Create attestor
gcloud container binauthz attestors create my-attestor \
  --attestation-authority-note=projects/my-project/notes/my-note \
  --attestation-authority-note-project=my-project

Backup for GKE

# Enable Backup API
gcloud services enable gkebackup.googleapis.com

# Create backup plan (backup plans are regional resources; --location is required)
gcloud beta container backup-restore backup-plans create my-plan \
  --location=us-central1 \
  --cluster=projects/my-project/locations/us-central1/clusters/my-cluster \
  --all-namespaces \
  --cron-schedule="0 2 * * *" \
  --backup-retain-days=30

# Restore from backup
# (--restore-plan names a RestorePlan, a separate resource created with restore-plans create)
gcloud beta container backup-restore restores create my-restore \
  --location=us-central1 \
  --restore-plan=my-plan \
  --backup=backups/my-backup

Spot VMs for Cost Savings

gcloud container node-pools create spot-pool \
  --cluster my-cluster \
  --region us-central1 \
  --spot \
  --machine-type e2-standard-4 \
  --num-nodes 3 \
  --enable-autoscaling --min-nodes 0 --max-nodes 10

Troubleshooting

| Issue | Solution |
|---|---|
| gke-gcloud-auth-plugin not found | Install it: gcloud components install gke-gcloud-auth-plugin |
| Nodes NotReady | Check kubectl describe node; verify VPC firewall rules allow internal traffic |
| Pods stuck Pending | Check resource quotas, node capacity, and PodDisruptionBudgets |
| Ingress returns 404 | Verify backend service health checks pass; check kubectl describe ingress for events |
| Workload Identity not working | Ensure the annotation on the K8s SA matches the GCP SA binding |
| Autopilot rejects workload | Autopilot enforces resource limits; add resources.requests to all containers |
| Image pull errors | Ensure Artifact Registry permissions and that the node SA has the storage.objectViewer role |