
Google Kubernetes Engine (GKE)


You will provision the GKE clusters that are the bare minimum for running the entire Opstella platform in a Multi-Cluster Architecture.

🟢 Management

  • A Standard Regional GKE Cluster named: opstella-devsecops
    • Standard Tier
    • Region asia-southeast1
      • Node locations are chosen automatically (not pinned)
    • Node Pool named custom-spot-pool
      • 5 Nodes x n2d-custom-4-12288 (4 Core/12GB Memory)
      • 40GB Boot Disk - Standard Persistent Disk
      • Google Container-Optimized OS COS_CONTAINERD
      • (Optional) Utilize Spot Instance Type
    • Kubernetes Version 1.30.5-gke.1443001; newest as of writing (you may need to change this)
    • Google Compute Engine Persistent Disk as the Kubernetes persistent volume backend via gcp-compute-persistent-disk-csi-driver
    • Default GCP-managed Kubernetes Services IP Range: 34.118.224.0/20
    • Pod IP Range taken from the subnet's secondary range gke-pod-pool-1 - 10.250.0.0/16
    • Regular Kubernetes Version Release Channel
    • Cloud Monitoring, Logging, Managed Service for Prometheus Disabled
    • Enable Client Certificate Authentication with the Kubernetes API
    • Enable Kubernetes Version Auto-upgrade

🟢 Management

  • A Standard Regional GKE Cluster named: opstella-observability
    • Standard Tier
    • Region asia-southeast1
      • Node locations are chosen automatically (not pinned)
    • Node Pool named custom-spot-pool
      • 5 Nodes x n2d-custom-4-12288 (4 Core/12GB Memory)
      • 40GB Boot Disk - Standard Persistent Disk
      • Google Container-Optimized OS COS_CONTAINERD
      • (Optional) Utilize Spot Instance Type
    • Kubernetes Version 1.30.5-gke.1443001; newest as of writing (you may need to change this)
    • Google Compute Engine Persistent Disk as the Kubernetes persistent volume backend via gcp-compute-persistent-disk-csi-driver
    • Default GCP-managed Kubernetes Services IP Range: 34.118.224.0/20
    • Pod IP Range taken from the subnet's secondary range gke-pod-pool-2 - 10.251.0.0/16
    • Regular Kubernetes Version Release Channel
    • Cloud Monitoring, Logging, Managed Service for Prometheus Disabled
    • Enable Client Certificate Authentication with the Kubernetes API
    • Enable Kubernetes Version Auto-upgrade

🟦 Non-Production DEV Workload

  • A Standard Regional GKE Cluster named: workload-nonprod-dev
    • Standard Tier
    • Region asia-southeast1
      • Node locations are chosen automatically (not pinned)
    • Node Pool named custom-spot-pool
      • 3 Nodes x n1-standard-2 (2 Core/7.5GB Memory)
      • 40GB Boot Disk - Standard Persistent Disk
      • Google Container-Optimized OS COS_CONTAINERD
      • (Optional) Utilize Spot Instance Type
    • Kubernetes Version 1.30.5-gke.1443001; newest as of writing (you may need to change this)
    • Google Compute Engine Persistent Disk as the Kubernetes persistent volume backend via gcp-compute-persistent-disk-csi-driver
    • Default GCP-managed Kubernetes Services IP Range: 34.118.224.0/20
    • Pod IP Range taken from the subnet's secondary range gke-pod-pool-3 - 10.252.0.0/16
    • Regular Kubernetes Version Release Channel
    • Cloud Monitoring, Logging, Managed Service for Prometheus Disabled
    • Enable Client Certificate Authentication with the Kubernetes API
    • Enable Kubernetes Version Auto-upgrade

🟥 Production PRD Workload

  • A Standard Regional GKE Cluster named: workload-prod-prd
    • Standard Tier
    • Region asia-southeast1
      • Node locations are chosen automatically (not pinned)
    • Node Pool named custom-spot-pool
      • 3 Nodes x n1-standard-2 (2 Core/7.5GB Memory)
      • 40GB Boot Disk - Standard Persistent Disk
      • Google Container-Optimized OS COS_CONTAINERD
      • (Optional) Utilize Spot Instance Type
    • Kubernetes Version 1.30.5-gke.1443001; newest as of writing (you may need to change this)
    • Google Compute Engine Persistent Disk as the Kubernetes persistent volume backend via gcp-compute-persistent-disk-csi-driver
    • Default GCP-managed Kubernetes Services IP Range: 34.118.224.0/20
    • Pod IP Range taken from the subnet's secondary range gke-pod-pool-4 - 10.253.0.0/16
    • Regular Kubernetes Version Release Channel
    • Cloud Monitoring, Logging, Managed Service for Prometheus Disabled
    • Enable Client Certificate Authentication with the Kubernetes API
    • Enable Kubernetes Version Auto-upgrade

Before you continue,

Assume that you have installed and set up the Google Cloud CLI (gcloud) and are properly logged in with your Google Account.

(This guide does not cover generating and using long-lived tokens, as Google does not recommend them.)

You can provision these resources from the Google Cloud Platform web management console, or run the following CLI commands on the Bastion Host (recommended).

Create Google Kubernetes Engine (GKE) Resource

# Set Project ID, Region, Zone
export GOOGLE_CLOUD_PROJECT_ID="foobar-opstella"
export GOOGLE_CLOUD_REGION="asia-southeast1"
export GOOGLE_CLOUD_ZONE="asia-southeast1-a"

🟢 Management

# Create GKE
gcloud beta container clusters create "opstella-devsecops" \
--cluster-version "1.30.5-gke.1443001" --release-channel "regular" --tier "standard" \
--machine-type "n2d-custom-4-12288" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "40" \
--spot --num-nodes "5" \
--network "projects/$GOOGLE_CLOUD_PROJECT_ID/global/networks/opstella-platform" --subnetwork "projects/$GOOGLE_CLOUD_PROJECT_ID/regions/$GOOGLE_CLOUD_REGION/subnetworks/gke-nodes" \
--enable-ip-alias --cluster-secondary-range-name="gke-pod-pool-1" \
--metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
--no-enable-intra-node-visibility --default-max-pods-per-node "110" \
--enable-ip-access --security-posture=standard --workload-vulnerability-scanning=disabled \
--no-enable-master-authorized-networks --no-enable-google-cloud-access \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-autoupgrade \
--no-enable-basic-auth --issue-client-certificate \
--enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --binauthz-evaluation-mode=DISABLED \
--no-enable-managed-prometheus --enable-shielded-nodes

🟢 Management

# Create GKE
gcloud beta container clusters create "opstella-observability" \
--cluster-version "1.30.5-gke.1443001" --release-channel "regular" \
--machine-type "n2d-custom-4-12288" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "40" \
--spot --num-nodes "5" \
--network "projects/$GOOGLE_CLOUD_PROJECT_ID/global/networks/opstella-platform" --subnetwork "projects/$GOOGLE_CLOUD_PROJECT_ID/regions/$GOOGLE_CLOUD_REGION/subnetworks/gke-nodes" \
--enable-ip-alias --cluster-secondary-range-name="gke-pod-pool-2" \
--metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
--no-enable-intra-node-visibility --default-max-pods-per-node "110" \
--enable-ip-access --security-posture=standard --workload-vulnerability-scanning=disabled \
--no-enable-master-authorized-networks --no-enable-google-cloud-access \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-autoupgrade \
--no-enable-basic-auth --issue-client-certificate \
--enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --binauthz-evaluation-mode=DISABLED \
--no-enable-managed-prometheus --enable-shielded-nodes

🟦 Non-Production DEV Workload

# Create GKE
gcloud beta container clusters create "workload-nonprod-dev" \
--cluster-version "1.30.5-gke.1443001" --release-channel "regular" \
--machine-type "n2d-custom-4-12288" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "40" \
--spot --num-nodes "3" \
--network "projects/$GOOGLE_CLOUD_PROJECT_ID/global/networks/opstella-platform" --subnetwork "projects/$GOOGLE_CLOUD_PROJECT_ID/regions/$GOOGLE_CLOUD_REGION/subnetworks/gke-nodes" \
--enable-ip-alias --cluster-secondary-range-name="gke-pod-pool-3" \
--metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
--no-enable-intra-node-visibility --default-max-pods-per-node "110" \
--enable-ip-access --security-posture=standard --workload-vulnerability-scanning=disabled \
--no-enable-master-authorized-networks --no-enable-google-cloud-access \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-autoupgrade \
--no-enable-basic-auth --issue-client-certificate \
--enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --binauthz-evaluation-mode=DISABLED \
--no-enable-managed-prometheus --enable-shielded-nodes

🟥 Production PRD Workload

# Create GKE
gcloud beta container clusters create "workload-prod-prd" \
--cluster-version "1.30.5-gke.1443001" --release-channel "regular" \
--machine-type "n2d-custom-4-12288" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "40" \
--spot --num-nodes "3" \
--network "projects/$GOOGLE_CLOUD_PROJECT_ID/global/networks/opstella-platform" --subnetwork "projects/$GOOGLE_CLOUD_PROJECT_ID/regions/$GOOGLE_CLOUD_REGION/subnetworks/gke-nodes" \
--enable-ip-alias --cluster-secondary-range-name="gke-pod-pool-4" \
--metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
--no-enable-intra-node-visibility --default-max-pods-per-node "110" \
--enable-ip-access --security-posture=standard --workload-vulnerability-scanning=disabled \
--no-enable-master-authorized-networks --no-enable-google-cloud-access \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--enable-autoupgrade \
--no-enable-basic-auth --issue-client-certificate \
--enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --binauthz-evaluation-mode=DISABLED \
--no-enable-managed-prometheus --enable-shielded-nodes
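The four create commands above share several posture-relevant choices: `--no-enable-master-authorized-networks` with `--enable-ip-access` (API endpoint reachable from any source IP), `--issue-client-certificate` (legacy client-certificate auth), `--binauthz-evaluation-mode=DISABLED`, and Cloud Logging switched off. The following audit script is an added example, not part of the Opstella guide: it reads `gcloud container clusters describe NAME --format=flattened` output from stdin and reports which of those settings are present. The flattened key names and the `True`/`False` rendering are assumptions to check against real output, and the sample describe output is constructed to mirror the opstella-devsecops flags.

```shell
#!/usr/bin/env bash
# Added example (not the Opstella project's own code): post-provisioning posture audit
# for a GKE cluster. Input is `gcloud container clusters describe --format=flattened`
# (one "key: value" per line). Key names follow the GKE Cluster API resource and are
# ASSUMPTIONS to verify against live output. Findings go to stderr, the count to stdout.
FINDINGS=0
flag() { echo "FINDING: $1" >&2; FINDINGS=$((FINDINGS + 1)); }

audit_cluster() {
  local line key val
  # Treat an absent key as the weak default that the flags on this page produce.
  local authnets=False clientcert=False binauthz=DISABLED shielded=False legacy=unset logging=0
  FINDINGS=0
  while IFS= read -r line; do
    key=${line%%:*}
    val=${line#*: }
    case "$key" in
      masterAuthorizedNetworksConfig.enabled) authnets=$val ;;
      masterAuth.clientCertificateConfig.issueClientCertificate) clientcert=$val ;;
      binaryAuthorization.evaluationMode) binauthz=$val ;;
      shieldedNodes.enabled) shielded=$val ;;
      *.config.metadata.disable-legacy-endpoints) legacy=$val ;;
      loggingConfig.componentConfig.enableComponents*) logging=1 ;;
    esac
  done
  [ "$authnets" = True ]      || flag "API endpoint accepts connections from any source IP (no authorized networks)"
  [ "$clientcert" = False ]   || flag "legacy client certificate auth is issued (--issue-client-certificate)"
  [ "$binauthz" != DISABLED ] || flag "Binary Authorization disabled; unsigned images are admitted"
  [ "$shielded" = True ]      || flag "Shielded GKE nodes disabled"
  [ "$legacy" = true ]        || flag "legacy metadata endpoints not disabled on a node pool"
  [ "$logging" -eq 1 ]        || flag "no Cloud Logging components enabled; control-plane audit trail is not exported"
  echo "$FINDINGS"   # count on stdout so a pipeline step can gate on it
}

# CONSTRUCTED sample mirroring the opstella-devsecops flags above; not real gcloud output.
SAMPLE_DESCRIBE='name: opstella-devsecops
releaseChannel.channel: REGULAR
masterAuthorizedNetworksConfig.enabled: False
masterAuth.clientCertificateConfig.issueClientCertificate: True
binaryAuthorization.evaluationMode: DISABLED
shieldedNodes.enabled: True
nodePools[0].config.metadata.disable-legacy-endpoints: true'

# Live usage (needs gcloud auth and the variables exported earlier on this page):
#   gcloud container clusters describe opstella-devsecops --region "$GOOGLE_CLOUD_REGION" --format=flattened | audit_cluster
printf '%s\n' "$SAMPLE_DESCRIBE" | audit_cluster
```

On the constructed sample the script reports four findings (open endpoint, client certificate, Binary Authorization off, logging off); shielded nodes and disabled legacy metadata endpoints pass.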
