Venafi experts from Jetstack work with many customers using Google Cloud’s Kubernetes Engine (GKE). We work closely with teams to configure their clusters to conform with best practices. While GKE’s robust default settings provide an excellent abstraction of the lower-level details of control plane configuration, there are still many more considerations when automating the build of a production-grade cluster.
Automating cluster deployments
To ensure deployments of clusters are as reliable as possible, it’s best to automate as much as possible. The aim is for infrastructure deployment to be easy and repeatable. As well as helping reduce human error, this codifies the infrastructure setup, allowing it to be version controlled and more easily reviewed.
Terraform is an excellent tool for automating infrastructure deployment. If you’re not already using it we’d highly recommend it; it’s widely used both internally at our company and by our customers.
When it comes to managing clusters with Terraform, it’s not just about creating the cluster: a key feature is also performing cluster upgrades. Terraform is the best infrastructure-as-code tool for managing the cluster lifecycle.
Another benefit of Terraform is that it features modules, which are a way to group resources. Modules can be dropped into your Terraform projects for easy reuse of resources, or to share and include resources configured by someone else.
Enter: Terraform GKE Module
To consolidate our team's extensive production experience with GKE and as an artefact that can form part of an automated deployment, we created our Terraform GKE cluster module.
We’ve been developing and testing it over the past few months and are excited to have just released version 0.1.0 on GitHub!
The module currently uses Terraform version 0.11. However with the recent release of Terraform 0.12, which overhauls the Terraform syntax, development of a 0.12 compatible version is already underway.
What can I tweak?
To get the most out of a GKE production cluster means making use of the more advanced security features, as well as using supporting Google Cloud Platform (GCP) products. The Terraform GKE module enables as many additional security features as possible. These include:
- Enabling network policy
- Disabling basic authentication and client certificate issuing
- Disabling Kubernetes dashboard (Google Cloud Console should be used instead)
- Setting the OAuth scope of nodes to cloud-platform to manage permissions with IAM
- Disabling node legacy endpoints
- Creating an IAM service account for nodes with the minimum required roles
While the module is opinionated, and designed to force strong security, there are many configurable parts too. These are provided to the module in the form of input variables. Configurable parts include (among many others):
- GCP location (zonal/regional)
- Node pool auto-repair & upgrade
- VPC network and subnetwork names
- Access to private GCR images
- GCP HTTP load balancing configuration
- Master authorized CIDR blocks
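To make the two lists above concrete, the following configuration is an added example written for this page; it is not the Jetstack module's own code and does not reproduce its internals. It shows how each hardening setting and each configurable part maps onto the Terraform google provider's resources, in Terraform 0.11 syntax (matching the module's current version) and assuming google provider 2.x. The project, location, network, subnetwork names and the 203.0.113.0/24 CIDR are placeholders; the four IAM roles are the ones commonly granted to node service accounts for logging, monitoring and pulling private GCR images.

```hcl
# Added example (not the Jetstack module's code). Placeholder values:
# project, location, network, subnetwork and the 203.0.113.0/24 CIDR.
variable "project" {}
variable "location" { default = "europe-west1" }   # region => regional cluster
variable "network" { default = "gke-network" }
variable "subnetwork" { default = "gke-subnet" }

# Dedicated node service account with only the roles nodes need.
resource "google_service_account" "nodes" {
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
}

locals {
  node_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/storage.objectViewer",   # read access to private GCR images
  ]
}

resource "google_project_iam_member" "nodes" {
  count   = "${length(local.node_roles)}"
  project = "${var.project}"
  role    = "${local.node_roles[count.index]}"
  member  = "serviceAccount:${google_service_account.nodes.email}"
}

resource "google_container_cluster" "cluster" {
  name       = "prod"
  project    = "${var.project}"
  location   = "${var.location}"
  network    = "${var.network}"
  subnetwork = "${var.subnetwork}"

  # Nodes are managed in the separate node pool below, not the default pool.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Enforce Kubernetes NetworkPolicy objects with Calico.
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  # Empty username/password disables basic auth; no client certs issued,
  # so API access goes through IAM identities only.
  master_auth {
    username = ""
    password = ""

    client_certificate_config {
      issue_client_certificate = false
    }
  }

  addons_config {
    kubernetes_dashboard { disabled = true }    # use the Cloud Console instead
    http_load_balancing { disabled = false }    # GCP HTTP(S) LB for Ingress
    network_policy_config { disabled = false }
  }

  # Only these CIDR blocks may reach the Kubernetes API server.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24"
      display_name = "office"
    }
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  project    = "${var.project}"
  location   = "${var.location}"
  cluster    = "${google_container_cluster.cluster.name}"
  node_count = 1

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  node_config {
    machine_type    = "n1-standard-2"
    service_account = "${google_service_account.nodes.email}"

    # Broad scope on the node; effective permissions come from the
    # service account's IAM roles above, not from the OAuth scope.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    metadata {
      disable-legacy-endpoints = "true"
    }
  }
}
```

The combination of the cloud-platform scope with a narrowly scoped service account is the point worth checking in a review: with the legacy default compute service account (which carries the Editor role), that same scope would hand every workload on the node broad project access, so the service account binding is what actually bounds node permissions.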
Looking for a place to start?
Included alongside the module is an example project in the module’s GitHub repository. The project creates the minimal resources required to support the cluster while keeping to best practices. This example can serve as a great starting point for your own Terraform project.
The module is also available on the Terraform Registry, so it can be used without having to manually download any dependencies. Terraform automatically fetches dependent modules from the Terraform Registry when you run terraform init. Just include the following in your project, providing the input variables as required.
module "gke-cluster" {
  source  = "jetstack/gke-cluster/google"
  version = "0.1.0"

  # insert the 9 required variables here
}
We’re actively maintaining this module; please open an issue if you run into any problems!