
Nine Managed GKE

nine managed Kubernetes is a platform, based on Google’s Kubernetes Engine, with a Swiss location and additional services that let you focus on your application development.

Details

Running containers in production is not easy: having a Kubernetes cluster up is not enough when you need to ensure reliability and resilience. Taking on this complexity on behalf of the customer is at the heart of nine's managed GKE. The offering lets customers concentrate on their applications and their core business value rather than on the services around them.

Usage

Getting started

You will need both the gcloud SDK and kubectl to start using your Kubernetes cluster.

GCloud SDK

Kubectl

  • After installing and initialising Google’s Cloud SDK tools you should install kubectl for direct control of your cluster
  • You can do this directly with the gcloud tool by running the following command
gcloud components install kubectl

Please see the documentation for more information about installing kubectl

Cluster login

After you have completed the gcloud installation you can use it to log in to your Kubernetes cluster. The get-credentials step below writes the cluster endpoint and an authentication entry into your kubeconfig (~/.kube/config by default). Follow these steps:

# Find your project ID
$ gcloud projects list
PROJECT_ID               NAME                     PROJECT_NUMBER
nine-example-478153      nine-example-478153      667903848739

# Switch to that project
$ gcloud config set project nine-example-478153

# Find your cluster
$ gcloud container clusters list
NAME             LOCATION      MASTER_VERSION  MASTER_IP      MACHINE_TYPE   NODE_VERSION   NUM_NODES  STATUS
example-cluster  europe-west6  1.12.8-gke.10   32.63.127.187  n1-standard-1  1.12.8-gke.10  6          RUNNING

# Login to your cluster
$ gcloud container clusters get-credentials example-cluster --region=europe-west6

# Use kubectl to interact with your cluster
$ kubectl cluster-info
Kubernetes master is running at https://32.63.127.187

Authentication information and secrets

Information regarding credentials and endpoints for your cluster can be found on runway.

Alternatively, the same information is stored in a dedicated, access-controlled Google Cloud Storage bucket. Your bucket URL has the following format: gs://credentials-<project-number>. You can find your project number on runway or by using the gcloud utility. Note that the objects in this bucket hold plaintext credentials (see the example below), so anyone with read access to the bucket can use the services they belong to; grant IAM access to it accordingly.

# To get your project number
gcloud projects describe $(gcloud config get-value project) --format="value(projectNumber)"

# To see all secrets in your bucket
gsutil ls -r gs://credentials-<project-number>

# To view the contents of a secret
gsutil cat gs://credentials-<project-number>/<service>/info.json

# Full example including parsing json output (requires jq - https://stedolan.github.io/jq/)
gsutil cat gs://credentials-<project-number>/cloudsql/my-cluster-288835/info.json | jq .
{
  "data": {
    "credentials": {
      "address": "10.224.129.7",
      "database_version": "POSTGRES_9_6",
      "password": "1234",
      "username": "admin"
    }
  },
  "meta": {
    "description": "Instance: my-cluster-288835",
    "name": "Cloud SQL PostgreSQL",
    "support_url": "https://support.nine.ch/a/w0dWXF-xIFc"
  }
}
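The info.json above contains the database password in plaintext. Rather than pasting it into a Deployment manifest or a repository, a practitioner would load it into a Kubernetes Secret in the namespace that needs it. The following script is an added example and is not part of nine's documentation: it assumes the bucket path layout shown above (cloudsql/<instance>/info.json), uses constructed sample values for the demonstration, and requires gsutil, jq and kubectl only for the two functions that talk to Google Cloud. The manifest step quotes every value, because an unquoted password such as the sample "1234" would be parsed by YAML as an integer and rejected by the API server.

```shell
#!/usr/bin/env sh
# Added example (not from nine's documentation): turn a Cloud SQL info.json
# from the credentials bucket into a Kubernetes Secret so the password never
# lands in a Deployment manifest or a git repository.
# Assumptions: the object path cloudsql/<instance>/info.json follows the page's
# example; the sample values at the bottom are constructed; gsutil, jq and
# kubectl are needed only by fetch_cloudsql_credentials and apply_secret.

# yaml_quote VALUE
# Prints VALUE as a double-quoted YAML scalar (escapes backslash and quote),
# so "1234" stays a string and passwords with ':' or '#' survive intact.
yaml_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# fetch_cloudsql_credentials PROJECT_NUMBER INSTANCE
# Prints address, username and password from the bucket object, one per line.
fetch_cloudsql_credentials() {
    gsutil cat "gs://credentials-$1/cloudsql/$2/info.json" \
        | jq -r '.data.credentials | .address, .username, .password'
}

# cloudsql_secret_manifest NAME NAMESPACE ADDRESS USERNAME PASSWORD
# Emits a Secret using stringData (no manual base64 step); libpq-style keys
# so a container can consume it via envFrom without renaming anything.
cloudsql_secret_manifest() {
    name=$1; namespace=$2; address=$3; username=$4; password=$5
    [ -n "$password" ] || { echo "refusing to create a secret with an empty password" >&2; return 1; }
    printf '%s\n' \
        'apiVersion: v1' \
        'kind: Secret' \
        'metadata:' \
        "  name: $name" \
        "  namespace: $namespace" \
        'type: Opaque' \
        'stringData:' \
        "  PGHOST: $(yaml_quote "$address")" \
        "  PGUSER: $(yaml_quote "$username")" \
        "  PGPASSWORD: $(yaml_quote "$password")"
}

# apply_secret PROJECT_NUMBER INSTANCE NAMESPACE
# End-to-end: read the bucket object, build the manifest, apply it. The
# manifest is piped straight to kubectl and never written to disk.
apply_secret() {
    set -- "$1" "$2" "$3" $(fetch_cloudsql_credentials "$1" "$2")
    cloudsql_secret_manifest "cloudsql-$2" "$3" "$4" "$5" "$6" | kubectl apply -f -
}

# Demonstration with constructed values (the address/user/password mirror the
# sample info.json in the documentation); prints the manifest to stdout.
cloudsql_secret_manifest cloudsql-my-cluster-288835 my-namespace 10.224.129.7 admin 1234
```

A Deployment then references the Secret with `envFrom: [{secretRef: {name: cloudsql-my-cluster-288835}}]`; keep in mind that anyone bound to the `edit` or `admin` cluster role in that namespace can read the Secret back, so the namespace bindings are the real access boundary for the password.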

Users

For maximum security, nine controls user access and authentication to your cluster. If you wish to add a new user, request this from support@nine.ch.
As well as adding users to your cluster, nine offers an easy way to add a list of default users to every namespace that is created. If you wish to use this feature, specify in your user creation or update request whether the user should be added to the global admin list or to the global viewer list.

Password reset

If you need a new password for your nine managed GKE account, please contact support at support@nine.ch. Please be aware that you have to be registered as a technical contact in our system.

Namespace Permissions

By default, the person creating a namespace is configured as the admin of that namespace, which allows them to configure the other namespace users themselves. Any additional users that you have requested to be added to the global admin or viewer lists are also added to every namespace. If the namespace is created by Helm's tiller, tiller is also added as an admin in that namespace so that it can configure the necessary resources. To delete a namespace, the user performing the deletion must be an admin of that namespace.

Role permissions in namespaces

If you want to assign permissions to other ‘non global admin’ users in a given namespace, you need to create a rolebinding which binds these users to cluster roles. Every GKE cluster comes with the following predefined cluster roles which can be used in namespaces:

  • cluster-admin
  • admin
  • edit
  • view

The following table lists the differences between those cluster roles when used in namespaced rolebindings. Note that a rolebinding always confines the granted permissions to its own namespace, even when it references cluster-admin:

cluster role name   permissions when used in a rolebinding

cluster-admin       Full control over every resource in the rolebinding's namespace, including the namespace object itself (so the user can delete the namespace).

admin               Admin access intended to be granted within a namespace. Allows read/write access to most resources in the namespace, including creating roles and rolebindings within it. Does not allow write access to resource quotas or to the namespace object itself.

edit                Read/write access to most objects in a namespace. Does not allow viewing or modifying roles or rolebindings. Note that edit can read and modify Secrets in the namespace, so it gives access to any credentials stored there.

view                Read-only access to most objects in a namespace. Does not allow viewing roles or rolebindings, and does not allow viewing Secrets, since reading Secrets is an escalating permission.

Assigning roles to users in namespaces

To assign one of the predefined cluster roles to users in namespaces, the kubectl application can be used. Here are some examples:

# creating a namespace admin with full privileges
kubectl create rolebinding custom-admins-full-privileges --clusterrole=cluster-admin --user=<name>@ninegcp.ch [--user ...] --namespace=<your namespace>

# creating a normal namespace admin
kubectl create rolebinding custom-admins --clusterrole=admin --user=<name>@ninegcp.ch [--user ...] --namespace=<your namespace>

# granting normal edit permissions
kubectl create rolebinding custom-editors --clusterrole=edit --user=<name>@ninegcp.ch [--user ...] --namespace=<your namespace>

# granting view only permissions
kubectl create rolebinding custom-viewers --clusterrole=view --user=<name>@ninegcp.ch [--user ...] --namespace=<your namespace>

To edit the created rolebindings later on the kubectl edit rolebinding <rolebinding name> -n <your namespace> command can be used.
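The kubectl commands above create the bindings imperatively. The following script is an added example, not part of nine's documentation: it renders the equivalent RoleBinding manifest for any of the four predefined cluster roles (so bindings can be kept in version control and applied with kubectl apply) and includes a checker that uses kubectl auth can-i with impersonation to confirm what a user can actually do in the namespace. The user names alice@ninegcp.ch and bob@ninegcp.ch and the namespace my-namespace are constructed placeholders following the <name>@ninegcp.ch form used above; kubectl is required only by check_namespace_access.

```shell
#!/usr/bin/env sh
# Added example (not part of nine's documentation): render a namespaced
# RoleBinding for one of the predefined cluster roles and verify the
# resulting access with "kubectl auth can-i --as".
# Assumptions: user names and namespace below are constructed placeholders;
# kubectl is needed only by check_namespace_access.

# rolebinding_manifest NAME CLUSTERROLE NAMESPACE USER [USER...]
# Prints a RoleBinding that binds USER(s) to CLUSTERROLE inside NAMESPACE.
# roleRef points at a ClusterRole, but because the binding itself is
# namespaced the permissions stay confined to NAMESPACE, even for cluster-admin.
rolebinding_manifest() {
    name=$1; clusterrole=$2; namespace=$3
    shift 3
    case "$clusterrole" in
        cluster-admin|admin|edit|view) ;;
        *) echo "unknown predefined cluster role: $clusterrole" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "at least one user is required" >&2; return 1; }
    printf '%s\n' \
        'apiVersion: rbac.authorization.k8s.io/v1' \
        'kind: RoleBinding' \
        'metadata:' \
        "  name: $name" \
        "  namespace: $namespace" \
        'subjects:'
    for user in "$@"; do
        printf '%s\n' \
            '- kind: User' \
            '  apiGroup: rbac.authorization.k8s.io' \
            "  name: $user"
    done
    printf '%s\n' \
        'roleRef:' \
        '  kind: ClusterRole' \
        '  apiGroup: rbac.authorization.k8s.io' \
        "  name: $clusterrole"
}

# check_namespace_access USER NAMESPACE
# Probes a few representative verbs while impersonating USER. Expected for a
# "view" binding: get pods yes, everything else no (including get secrets).
# The caller needs impersonation rights, which a namespace admin may not have.
check_namespace_access() {
    user=$1; namespace=$2
    for probe in "get pods" "get secrets" "create deployments" "create rolebindings" "delete namespaces"; do
        set -- $probe
        printf '%-22s %s\n' "$probe:" "$(kubectl auth can-i "$1" "$2" --as="$user" -n "$namespace")"
    done
}

# Demonstration: read-only access for two users in my-namespace.
# Apply with: rolebinding_manifest ... | kubectl apply -f -
rolebinding_manifest custom-viewers view my-namespace alice@ninegcp.ch bob@ninegcp.ch
```

After applying the manifest, `check_namespace_access alice@ninegcp.ch my-namespace` should answer "no" for get secrets; if it answers "yes", the user has another binding (for example via the global admin list) that is wider than intended, and `kubectl get rolebindings -n my-namespace -o wide` will show which one.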

Node Pools

Your cluster is configured with groups of machines called node pools. A node pool consists of one or more machines of the same GCP machine type. The default node pool that nine creates spreads the three nodes of your cluster across the three availability zones of GCP's Swiss region, so that your setup is highly available.

When upgrading or changing your cluster configuration, node pool changes can be requested in three different ways:

Expand the existing node pool

You can simply add more machines of the same type to your existing node pool.

Replace the existing node pool

You can have a completely new node pool created for your cluster. When you request this, the new node pool is set up first; your existing nodes are then drained and the existing deployments are moved to the new pool.

Add an additional node pool

If you require additional compute power of a different machine type than the existing nodes, an additional node pool can be added to your cluster. When adding one, a minimum of three nodes is advised so that the pool spans all available availability zones.

SLA

Nine offers two SLA options for your nine managed GKE cluster, sold as an additional service. You can find more details of the SLA terms and conditions on our website.

Further Information

For further information or sales please contact sales@nine.ch
For support please contact support@nine.ch
