I've been into DevOps for barely two years now, and have just started using GCP due to a new client that we now have. Your videos are a lifesaver brother, thank you so much for the clear explanations and all the tutorials!
Super super video Anton !!! Thank you for your effort in making up this kind of videos. If you allow me I would like to suggest you to make a video on how to deploy Google Anthos using Ansible / Terraform, it will be a great addition to the very useful collection of videos. Currently I'm struggling to learn how to deal with all the init part of Google SDK by using Ansible. Best regards !
Hi Sasidhar, I don't think that you need bastion in gcp at all. To ssh just use gcloud compute ssh command, also about to wrap up OpenVPN tutorial that lets you connect to gcp VPC including resolving private hosted zones.
how would i get the value master_ipv4_cidr_block in the private_cluster_config ? is this a predefined subnet in the host project ? Thank you for a great video. It was very helpful
It depends on your setup and your future goals. If you have a small infrastructure and team, keep it under a single project. If you have a lot of VM and other services that you use in GCP. The best practice is to create shared VPC and share subnets with other projects. In that way, you can centralize network management/security in one place/group. Also, projects help you to keep billing under control; it's match easy to get a total bill for Kubernetes that you run if it is in a dedicated project. There are other benefits. If it's for your personal project, keep it in 1 project for enterprise, follow multi-project/shared VPC setup.
@@AntonPutra Thanks for the quick replies 😺 Oh for that one I did it already. And i put the loadBalancerIP: "x.x.x.x" in my nginx yaml service.. But after i deploy it and run kubectl get svc nginx, the column external-ip is always in state. Am I doing woring ? 🙇
sorry but how this is best practice with "private endpoint disabled"? your master totally open to attackers. Also i should emphasize that "bastion host" should be used in a private cluster with vpc native network. thanks for the video btw.
It’s a good point, I always use private endpoints with OpenVPN server set up that I can access private IP. It was too much for one video to configure VPN, that’s why I decided to leave it out. My next tutorial is about OpenVPN.
@@AntonPutra thanks for sharing all this, your videos and source code are great! Would you be able to elaborate a bit more on this particular topic? (security concerns when private endpoint is disabled). I'm planning to use a very similar setup as the one you shared here for a staging deployment; and then create a separate GCP project for production. You said in another comment in this video that bastion might not be needed in GCP; what would then be the security suggestion to protect the k8s cluster when using a setup like the one you shared here? I don't see a problem if you keep GCP credentials secured, but maybe I'm missing something. Thanks!
Very informative. Very informative. I tried to create a GKE auto pilot cluster with shared VPC. But I got this exception repeatedly as “ Error in creating a cluster; 0 nodes were created out of 1, cluster may be unhealthy”… I have verified the permissions on the GKE project service account, verified the terraform module and I have assigned the right permissions. But I got the above exception. Any thoughts and suggestions on this error ?
i would focus on the permissions, make sure you have network and other access from the GKE and service project. also when granting permissions use "*iam_member" terraform resource, it's Non-authoritative and help to add additional permissions in the future
@@AntonPutraI have created a service project and assigned the necessary permission (container.googleapis.com) and i tried to create With the assigned IP range for the GKE auto pilot resource, here I’m able to create a GKE standard cluster with out any issues. But while creating a GKE auto pilot cluster within the same service project with the same shared IP range I’m getting the exception “Error: Error waiting for creating GKE Cluster: All cluster resources were brought up , but only 0 nodes out of 1 have registered; cluster may be unhealthy “. Any references or directions to overcome this issue?
thanks bro, I really liked your video. but I want to asked something, so If I want to use subnet from host project, do I need to create service account in service project first ? so when the service account already created, I just need to add that service account in members resource google_compute_subnetwork_iam_binding host project ?
