GCP - GKE example - ACM

I have created some code with examples to complement GCP - GKE How to - ACM. Sections: Sync to Git Repository (The Repository to be Synced; Creating the Infra and Syncing to Repository; Deploying Changes to the Cluster; Deploy), Sync to OCI Artifact (The Repository to be Synced; Creating the Infra and Syncing to OCI Artifact; Building and Deploying Changes to the Cluster; Build; Deploy), Summary. [Read More]

GCP - GKE how to - Route Logs

It's actually WIP - most of the ideas are here, but I still need to review it and think a bit more about the options I want to explore later. Problem Statement: let's say we have "multi-tenant GKE clusters" where many tenants deploy their workloads into their own namespaces. They don't access the namespaces directly: they deploy through a pipeline and manage everything without kubectl, from an IDP. [Read More]

GCP - GKE how to - ASM

I covered ASM egress and a bit of ingress in another post, Using ASM Egress and Ingress Gateways. Outbound: if ASM runs in strict outbound mode (outboundTrafficPolicy mode REGISTRY_ONLY), which should be the case anywhere other than a development environment, then every external destination needs a ServiceEntry; without one the sidecar blocks the traffic instead of passing it through. There are multiple options, and the post ISTIO Egress Performance shows everything we need to know about the different options for egress. I want to talk about 2: 1. [Read More]
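The strict-outbound setup described in this excerpt, as an added example that is not code from the post: the mesh-wide REGISTRY_ONLY policy plus the minimal ServiceEntry a tenant needs to reach one external HTTPS host. The namespace `team-a`, the host `api.example.com` and the resource names are placeholders.

```yaml
# Added example (not from the original post). Placeholders: team-a, api.example.com.
#
# 1) Mesh-wide default: block egress to anything not in the service registry.
#    Where this fragment lives depends on the ASM install (IstioOperator
#    meshConfig for in-cluster control planes, the istio-asm-managed ConfigMap
#    'mesh' key for managed ASM); the content is the same.
meshConfig:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY     # default ALLOW_ANY would let every workload talk anywhere
---
# 2) Per-tenant allow-list entry. With REGISTRY_ONLY, a sidecar that has no
#    matching ServiceEntry returns 502 (HTTP) or resets the connection (TCP).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allow-api-example-com
  namespace: team-a
spec:
  hosts:
  - api.example.com
  location: MESH_EXTERNAL   # destination is outside the mesh
  resolution: DNS           # sidecar resolves the host, no fixed IPs to maintain
  ports:
  - number: 443
    name: https
    protocol: TLS           # TLS passthrough from the app; sidecar does SNI routing only
  exportTo:
  - "."                     # visible only to team-a, so other tenants do not inherit it
```

`exportTo: ["."]` is the least-privilege choice in a multi-tenant cluster: without it a ServiceEntry is exported mesh-wide and every namespace gains the egress. To check the effect, run a `curl https://api.example.com` from a pod in `team-a` (works) and from another namespace (fails with a 502 or a reset while REGISTRY_ONLY is active).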

GCP - GKE how to - External Ingress

Sections: Service Mesh - ASM and Istio; ASM in your GKE clusters; Receiving External Traffic…; Putting Things Together. ASM is built on Istio: in the same way that GKE is a managed implementation of Kubernetes, ASM is roughly the managed version of Istio. I have seen people manage their own Istio, just as people can manage their own Kubernetes control plane. I have done it in the past and I think there are very few reasons to want to manage our own, but it really depends on what is needed. [Read More]

GCP - GKE how to - ACM

TLDR; if you want something simple that works well and only applies the difference, go with Git Repository Sync; if you want something more flexible, which also offers the possibility of using Binary Authorization, for example, go with OCI Artifacts. In both scenarios teams can individually manage the lifecycle of what gets synced. OCI Artifacts are usually the better choice for a larger number of teams; Repository Sync works well for fewer teams and/or lower environments. [Read More]
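The two sync modes the TLDR compares, side by side, as an added example (not the post's own manifests): a cluster-scoped RootSync fed from Git, and a namespace-scoped RepoSync that a single team owns and feeds from an OCI artifact. The repository URL, image path, project, namespace and service-account names are placeholders.

```yaml
# Added example, not code from the original post. Placeholders: example-org,
# example-project, team-a, and both service-account emails.
#
# Cluster-level config, synced from Git. Config Sync diffs the tree and applies
# only what changed, which is the "only applies the difference" case.
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  sourceType: git
  git:
    repo: https://github.com/example-org/gke-config   # placeholder repo
    branch: main
    dir: clusters/prod
    auth: gcpserviceaccount                            # Workload Identity, no token Secret in the cluster
    gcpServiceAccountEmail: config-sync@example-project.iam.gserviceaccount.com
---
# Team-owned config, synced from an OCI artifact the team's pipeline publishes.
# The team controls what is published and when; the platform only grants the
# reconciler a RoleBinding inside team-a.
apiVersion: configsync.gke.io/v1beta1
kind: RepoSync
metadata:
  name: repo-sync
  namespace: team-a
spec:
  sourceFormat: unstructured
  sourceType: oci
  oci:
    # Pin a specific tag in CI; an immutable digest (@sha256:...) is better still.
    image: us-central1-docker.pkg.dev/example-project/team-a-config/manifests:v1.4.2
    dir: .
    auth: gcpserviceaccount
    gcpServiceAccountEmail: team-a-sync@example-project.iam.gserviceaccount.com
```

For the RepoSync, the reconciler runs as the Kubernetes service account `ns-reconciler-team-a` in `config-management-system`; that account needs a Workload Identity binding to the Google service account above and a RoleBinding limited to the `team-a` namespace, so one team's sync cannot touch another team's resources.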

GCP - how to - VPCSC

About VPCSC: Virtual Private Cloud Service Controls lets us enforce access perimeters around GCP services. In practice this means "we can specify which GCP services (APIs) can be used in a set of VPCs or projects, who can access those services, and from where they may be accessed". VPCSC is similar to a firewall, but for GCP services (APIs); it does not replace IAM, a caller still needs the IAM permission and, in addition, the call has to be allowed by the perimeter. Simple VPC-SC: here is an example. Let's say we have pr-project-3 in VPC-SC-1, which contains images in Google Artifact Registry, and the projects pr-project-2 in VPC-SC-1, np-project-2 in VPC-SC-2, and al-project-2 want to pull images from there. [Read More]
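The Artifact Registry scenario from this excerpt, expressed as the VPC-SC policy files the gcloud CLI accepts, as an added example that is not from the post. The project numbers, the service-account emails and the assumption that al-project-2 sits outside every perimeter are mine; the perimeter names follow the excerpt.

```yaml
# Added example, not code from the original post. Project NUMBERS (not IDs),
# service accounts and the "al-project-2 has no perimeter" assumption are
# placeholders / assumptions.
#
# File 1: vpcsc1-ingress.yaml, applied to the perimeter that protects pr-project-3:
#   gcloud access-context-manager perimeters update VPC-SC-1 \
#     --policy=POLICY_ID --set-ingress-policies=vpcsc1-ingress.yaml
#
# pr-project-2 is already inside VPC-SC-1, so it needs no rule at all.
- ingressFrom:
    # np-project-2 lives in VPC-SC-2. Letting it in here is only half the job:
    # VPC-SC-2 must also allow the call out (see file 2), or the pull fails.
    identities:
    - serviceAccount:gke-nodes@np-project-2.iam.gserviceaccount.com   # placeholder
    sources:
    - resource: projects/222222222222        # np-project-2 (placeholder number)
  ingressTo:
    operations:
    - serviceName: artifactregistry.googleapis.com
      methodSelectors:
      - method: "*"                          # can be narrowed to specific methods/permissions
    resources:
    - projects/333333333333                  # pr-project-3 (placeholder number)
- ingressFrom:
    # al-project-2 is assumed to be outside any perimeter: an ingress rule on
    # VPC-SC-1 is enough. ANY_SERVICE_ACCOUNT still excludes human users.
    identityType: ANY_SERVICE_ACCOUNT
    sources:
    - resource: projects/444444444444        # al-project-2 (placeholder number)
  ingressTo:
    operations:
    - serviceName: artifactregistry.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/333333333333
---
# File 2: vpcsc2-egress.yaml, applied to VPC-SC-2 so np-project-2 may call out
# to Artifact Registry in pr-project-3 and nothing else:
#   gcloud access-context-manager perimeters update VPC-SC-2 \
#     --policy=POLICY_ID --set-egress-policies=vpcsc2-egress.yaml
- egressFrom:
    identities:
    - serviceAccount:gke-nodes@np-project-2.iam.gserviceaccount.com   # placeholder
  egressTo:
    operations:
    - serviceName: artifactregistry.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/333333333333                  # only pr-project-3, not "*"
```

Two things a practitioner should check before trusting this: VPC-SC rules reference project numbers, so a project ID in `resources` silently matches nothing; and `--set-ingress-policies` replaces the whole ingress list of the perimeter, so run `gcloud access-context-manager perimeters describe VPC-SC-1 --policy=POLICY_ID` first and merge into the existing rules rather than overwriting them.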