
Managing a GKE Multi-tenant Cluster with Namespaces


Introduction

When looking at cost optimization for any Google Cloud infrastructure built around Google Kubernetes Engine (GKE) clusters, it is important to make sure the resources you are billed for are used effectively. A common misstep is to assign users or teams to clusters one-to-one, which leads to cluster proliferation.

A multi-tenant cluster lets several users or teams share one cluster for their workloads while keeping them isolated and sharing resources fairly. This is achieved with namespaces, which let several virtual clusters exist on the same physical cluster. Keep in mind that a namespace is a logical boundary: tenants still share nodes, the kubelet and the control plane, so the isolation is only as strong as the RBAC roles and resource quotas (set up in the tasks below) that you attach to it.

Lab

Task 1. Download required files

gsutil -m cp -r gs://spls/gsp766/gke-qwiklab ~
cd ~/gke-qwiklab

Task 2. View and create namespaces

gcloud config set compute/zone us-central1-a && gcloud container clusters get-credentials multi-tenant-cluster

Default namespaces

kubectl get namespace
kubectl api-resources --namespaced=true
kubectl get services --namespace=kube-system

Creating new namespaces

kubectl create namespace team-a && \
kubectl create namespace team-b
kubectl run app-server --image=centos --namespace=team-a -- sleep infinity && \
kubectl run app-server --image=centos --namespace=team-b -- sleep infinity

kubectl get pods -A
kubectl describe pod app-server --namespace=team-a
kubectl config set-context --current --namespace=team-a
kubectl describe pod app-server

Task 3. Access Control in namespaces

# IAM only lets the service account authenticate to the cluster and read cluster metadata
# (clusterViewer); what it may do inside the cluster is decided by Kubernetes RBAC below.
gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} \
--member=serviceAccount:team-a-dev@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com  \
--role=roles/container.clusterViewer

Kubernetes RBAC

kubectl create role pod-reader \
--resource=pods --verb=watch --verb=get --verb=list
nano developer-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "serviceaccounts"]
  verbs: ["update", "create", "delete", "get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["update", "create", "delete", "get", "watch", "list"]
kubectl create -f developer-role.yaml
# The RoleBinding lands in team-a because of the context set earlier; pass --namespace=team-a to be explicit.
kubectl create rolebinding team-a-developers \
--role=developer --user=team-a-dev@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com

Test the rolebinding

# This creates a long-lived credential for the service account; treat /tmp/key.json as a secret.
gcloud iam service-accounts keys create /tmp/key.json --iam-account team-a-dev@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com
gcloud auth activate-service-account  --key-file=/tmp/key.json
gcloud container clusters get-credentials multi-tenant-cluster --zone us-central1-a --project ${GOOGLE_CLOUD_PROJECT}
# Allowed by the developer Role bound in team-a:
kubectl get pods --namespace=team-a
# Expected to fail with "Error from server (Forbidden)": the RoleBinding does not exist in team-b.
kubectl get pods --namespace=team-b
# Switch gcloud back to your original account (gcloud config set account <ACCOUNT>) before renewing
# the kubectl credentials; otherwise this only regenerates the kubeconfig for the service account.
gcloud container clusters get-credentials multi-tenant-cluster --zone us-central1-a --project ${GOOGLE_CLOUD_PROJECT}
# When the test is done, delete the key file and revoke the key
# (gcloud iam service-accounts keys list / keys delete <KEY_ID> --iam-account=...).
rm /tmp/key.json
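The result of the test above (team-a-dev can list pods in team-a but is Forbidden in team-b) follows directly from how namespaced Roles and RoleBindings are evaluated. The following Python is an added example written for this page, not lab code and not the Kubernetes authorizer itself: it re-implements the Role/RoleBinding decision over the developer and pod-reader roles created above, written as Python dicts so it runs offline (the project ID in the subject name is a placeholder), and shows that RBAC is deny-by-default, purely additive, and never reaches outside the namespace of the binding.

```python
"""Namespaced RBAC decision logic for the Task 3 objects (added example)."""

# Placeholder for team-a-dev@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com
TEAM_A_DEV = "team-a-dev@GOOGLE_CLOUD_PROJECT.iam.gserviceaccount.com"

# developer-role.yaml, as dicts.
DEVELOPER_ROLE = {
    "namespace": "team-a", "name": "developer",
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "serviceaccounts"],
         "verbs": ["update", "create", "delete", "get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["update", "create", "delete", "get", "watch", "list"]},
    ],
}
# `kubectl create role pod-reader --resource=pods --verb=watch --verb=get --verb=list`
POD_READER_ROLE = {
    "namespace": "team-a", "name": "pod-reader",
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["watch", "get", "list"]}],
}
ROLES = {(r["namespace"], r["name"]): r for r in (DEVELOPER_ROLE, POD_READER_ROLE)}

# RoleBinding team-a-developers: one subject, bound to the developer Role, only in team-a.
ROLE_BINDINGS = [
    {"namespace": "team-a", "name": "team-a-developers",
     "roleRef": "developer", "subjects": [TEAM_A_DEV]},
]


def _rule_allows(rule, api_group, resource, verb):
    """A rule matches when each of apiGroups, resources and verbs lists the value (or '*')."""
    def listed(allowed, value):
        return "*" in allowed or value in allowed
    return (listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))


def can_i(user, verb, resource, namespace, api_group="",
          roles=ROLES, bindings=ROLE_BINDINGS):
    """Answer `kubectl auth can-i <verb> <resource> -n <namespace>` for a user.

    Deny by default: the request is allowed only if some RoleBinding *in that
    namespace* names the user and the Role it references has a rule covering
    the group/resource/verb. A binding in team-a can never grant anything in
    team-b, which is the isolation the lab relies on.
    """
    for b in bindings:
        if b["namespace"] != namespace or user not in b["subjects"]:
            continue
        role = roles.get((namespace, b["roleRef"]))
        if role is None:
            continue  # a binding to a missing Role grants nothing
        if any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for ns in ("team-a", "team-b"):
        print(ns, "list pods:", "yes" if can_i(TEAM_A_DEV, "list", "pods", ns) else "no")
    # Deployments live in the "apps" group; the core-group rule does not cover them.
    print("create deployments.apps:", can_i(TEAM_A_DEV, "create", "deployments", "team-a", "apps"))
    print("get secrets:", can_i(TEAM_A_DEV, "get", "secrets", "team-a"))
```

On the real cluster the same questions are answered with `kubectl auth can-i list pods --namespace=team-b --as=team-a-dev@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com`, run from an account that is allowed to impersonate (cluster-admin, which the project owner has on GKE). Note that the developer Role grants create and delete on serviceaccounts and pods in team-a; review whether a team really needs both before copying it.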

Task 4. Resource quotas

kubectl create quota test-quota \
--hard=count/pods=2,count/services.loadbalancers=1 --namespace=team-a
kubectl run app-server-2 --image=centos --namespace=team-a -- sleep infinity
kubectl run app-server-3 --image=centos --namespace=team-a -- sleep infinity
# Expected: the third pod is refused by quota admission
Error from server (Forbidden): pods "app-server-3" is forbidden: exceeded quota: test-quota, requested: count/pods=1, used: count/pods=2, limited: count/pods=2
kubectl describe quota test-quota --namespace=team-a
export KUBE_EDITOR="nano"
kubectl edit quota test-quota --namespace=team-a

Edit the section so that it reads:

spec:
  hard:
    count/pods: "6"
kubectl describe quota test-quota --namespace=team-a

CPU and memory quotas

nano cpu-mem-quota.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: cpu-mem-quota
  namespace: team-a
spec:
  hard:
    limits.cpu: "4"
    limits.memory: "12Gi"
    requests.cpu: "2"
    requests.memory: "8Gi"
kubectl create -f cpu-mem-quota.yaml
nano cpu-mem-demo-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: cpu-mem-demo
  namespace: team-a
spec:
  containers:
  - name: cpu-mem-demo-ctr
    image: nginx
    resources:
      requests:
        cpu: "100m"
        memory: "128Mi"
      limits:
        cpu: "400m"
        memory: "512Mi"
kubectl create -f cpu-mem-demo-pod.yaml --namespace=team-a
kubectl describe quota cpu-mem-quota --namespace=team-a
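The quota objects created in this task are enforced at admission time: the API server adds the new pod's requests and limits to what the namespace already uses and refuses the pod if any hard limit would be exceeded. Less obvious, and easy to hit in a shared cluster, is that once a quota constrains requests or limits, every new pod in that namespace must declare them or it is rejected outright (the `kubectl run app-server` pods above would have failed if cpu-mem-quota had existed first). The following Python is an added example for this page, not lab or Kubernetes code; it re-implements that admission check over constructed copies of test-quota and cpu-mem-quota and the cpu-mem-demo pod, including quantity parsing for suffixes such as `100m` and `12Gi`.

```python
"""ResourceQuota admission check for the Task 4 objects (added example)."""
import re

# Kubernetes quantity suffixes: decimal SI and binary (power-of-two) units.
_UNITS = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
          "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30}


def parse_quantity(q) -> float:
    """'100m' -> 0.1 (cores), '128Mi' -> 134217728 (bytes), '4' -> 4.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def pod_usage(pod: dict) -> dict:
    """Sum every container's requests/limits into quota keys such as
    'requests.cpu' or 'limits.memory'; the pod itself counts as one count/pods."""
    usage = {"count/pods": 1.0}
    for c in pod["spec"]["containers"]:
        for kind, values in c.get("resources", {}).items():
            for res, val in values.items():
                key = f"{kind}.{res}"
                usage[key] = usage.get(key, 0.0) + parse_quantity(val)
    return usage


def admit(pod: dict, quota: dict):
    """Decide whether pod fits under quota ({'name', 'hard', 'used'}).
    Returns (True, 'admitted') or (False, reason in the style of the kubectl error)."""
    name = pod["metadata"]["name"]
    hard = {k: parse_quantity(v) for k, v in quota["hard"].items()}
    used = {k: parse_quantity(v) for k, v in quota.get("used", {}).items()}
    need = pod_usage(pod)
    # Rule 1: a quota on requests/limits forces every new pod to declare that resource.
    missing = sorted(k for k in hard
                     if k.startswith(("requests.", "limits.")) and k not in need)
    if missing:
        return False, (f'pods "{name}" is forbidden: failed quota: {quota["name"]}: '
                       f'must specify {",".join(missing)}')
    # Rule 2: used + requested must stay within hard for every constrained key.
    for key, amount in need.items():
        if key in hard and used.get(key, 0.0) + amount > hard[key]:
            return False, (f'pods "{name}" is forbidden: exceeded quota: {quota["name"]}, '
                           f'requested: {key}={amount:g}, used: {key}={used.get(key, 0.0):g}, '
                           f'limited: {key}={hard[key]:g}')
    return True, "admitted"


# Constructed inputs mirroring the lab objects (not captured from a cluster).
TEST_QUOTA = {"name": "test-quota",
              "hard": {"count/pods": "2", "count/services.loadbalancers": "1"},
              "used": {"count/pods": "2"}}   # app-server and app-server-2 already exist
CPU_MEM_QUOTA = {"name": "cpu-mem-quota",
                 "hard": {"limits.cpu": "4", "limits.memory": "12Gi",
                          "requests.cpu": "2", "requests.memory": "8Gi"}}


def make_pod(name, resources=None):
    """Single-container pod; resources=None reproduces `kubectl run` with no resource flags."""
    container = {"name": f"{name}-ctr", "image": "centos"}
    if resources:
        container["resources"] = resources
    return {"metadata": {"name": name, "namespace": "team-a"},
            "spec": {"containers": [container]}}


if __name__ == "__main__":
    print(admit(make_pod("app-server-3"), TEST_QUOTA)[1])
    demo = make_pod("cpu-mem-demo", {"requests": {"cpu": "100m", "memory": "128Mi"},
                                     "limits": {"cpu": "400m", "memory": "512Mi"}})
    print(admit(demo, CPU_MEM_QUOTA)[1])
    print(admit(make_pod("no-resources"), CPU_MEM_QUOTA)[1])
```

The first line printed reproduces the app-server-3 rejection shown earlier; the third shows the "must specify" failure mode. If you want tenants to be able to launch pods without writing resources by hand, pair the ResourceQuota with a LimitRange that supplies default requests and limits in the namespace.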

Task 5. Monitoring GKE and GKE usage metering

Monitoring Dashboard

Metrics Explorer

GKE usage metering

gcloud container clusters \
update multi-tenant-cluster --zone us-central1-a \
--resource-usage-bigquery-dataset cluster_dataset

Create the GKE cost breakdown table

export GCP_BILLING_EXPORT_TABLE_FULL_PATH=${GOOGLE_CLOUD_PROJECT}.billing_dataset.gcp_billing_export_v1_xxxx
export USAGE_METERING_DATASET_ID=cluster_dataset
export COST_BREAKDOWN_TABLE_ID=usage_metering_cost_breakdown
export USAGE_METERING_QUERY_TEMPLATE=~/gke-qwiklab/usage_metering_query_template.sql
export USAGE_METERING_QUERY=cost_breakdown_query.sql
export USAGE_METERING_START_DATE=2020-10-26
sed \
-e "s/\${fullGCPBillingExportTableID}/$GCP_BILLING_EXPORT_TABLE_FULL_PATH/" \
-e "s/\${projectID}/$GOOGLE_CLOUD_PROJECT/" \
-e "s/\${datasetID}/$USAGE_METERING_DATASET_ID/" \
-e "s/\${startDate}/$USAGE_METERING_START_DATE/" \
"$USAGE_METERING_QUERY_TEMPLATE" \
> "$USAGE_METERING_QUERY"
bq query \
--project_id=$GOOGLE_CLOUD_PROJECT \
--use_legacy_sql=false \
--destination_table=$USAGE_METERING_DATASET_ID.$COST_BREAKDOWN_TABLE_ID \
--schedule='every 24 hours' \
--display_name="GKE Usage Metering Cost Breakdown Scheduled Query" \
--replace=true \
"$(cat $USAGE_METERING_QUERY)"

Create the data source in Data Studio

 SELECT *  FROM `[PROJECT-ID].cluster_dataset.usage_metering_cost_breakdown`

Create a Data Studio Report

First chart:
Data Range Dimension: usage_start_time
Dimension: namespace
Metric: cost

Second chart:
Data Range Dimension: usage_start_time
Dimension: resource_name
Metric: cost

Control:
Data Range Dimension: usage_start_time
Control field: namespace
Metric: None

Closing

Friends of the Learning & Doing blog, that is the walkthrough of Managing a GKE Multi-tenant Cluster with Namespaces. Hope it is useful. See you in the next post.
