Google Kubernetes Engine upgrade: regional cluster, new control panel, and security recommendations

Google Kubernetes Engine upgrade: regional cluster, new control panel, and security recommendations

Google has updated its Kubernetes Engine (GKE) service several times. You can now use GKE on a large scale. In addition to the kubectl command for cluster control and management, it also supports cluster management through the Cloud Console of a Web-side control panel. In addition, GKE can use Google best practices to run Kubernetes clusters to enhance security.

In early December, Google announced that the GKE regional cluster (regional clusters) was in the test and had better scalability. This means that you can now create a Kubernetes cluster with multiple master nodes and a high-availability control plane ). The advantage of a regional cluster is that when an error occurs in upgrading the master node or restoring a single region, the downtime can be reduced. For GKE users, the new cloud console can better manage clusters, troubleshoot faults, and perform various repairs. In addition, Google provides several best practices for running Kubernetes clusters. They recommend that you use as few privileged accounts as possible for each node and administrator, and disable Kubernetes Web UI (that is, Kubernetes Dashboard) and legacy authorization in the production environment.

Source: https://cloudplatform.googleblog.com/2017/12/Manage-Google-Kubernetes-Engine-from-Cloud-Console-dashboard-now-generally-available.html

In a Kubernetes regional cluster, master nodes and other nodes are distributed in three regions. Each region has three nodes by default. This distribution of master nodes and other nodes ensures cluster availability when a fault occurs in one region. In addition, by adding the number of nodes in each region (by configuring-- Num-nodesTo further enhance the availability and scalability of the cluster. You can find more detailed information about the features of regional clusters in related documents.

Source: https://cloudplatform.googleblog.com/2017/12/with-Google-Kubernetes-Engine-regional-clusters-master-nodes-are-now-highly-available.html

This service is free of charge during the test of the GKE regional cluster feature. Finally, when configuring the cluster, Google recommends:

• Create service accounts using IAM in the cloud console and follow the least privilege principle before associating them with each node.
• When the cluster is started and running, disable the Kubernetes Web UI because it is controlled by a highly privileged account.
• Disable legacy authorization, which is an Attribute-Based Access Control (ABAC, Attribute-Based Access Control ). In Kubernetes 1.8, ABAC is disabled by default.

In the Google Cloud Platform blog, you can find detailed information on how to run the Kubernetes cluster security recommendation in GKE.

Currently, all three public cloud service providers (Google, Amazon, and Microsoft) Support Kubernetes through their respective services. Both Amazon and Microsoft have available general container configuration tools on their respective platforms. Currently, both cloud service providers focus primarily on Kubernetes. Microsoft uses a dedicated Azure Container Service (AKS) for Kubernetes to support Kubernetes. This service was launched in last October and can be used in a public preview. Amazon also announced at their recent re: Invent Conference that they will support Kubernetes through a Service called Amazon Elastic Container Service, which is currently in the Public Preview stage.

Google Kubernetes Engine Upgrades: Regional Clusters, New Dashboard and Security Recommendations