K8s Basics: Getting started with Terraform and GKE

K8s Basics: Getting started with Terraform and GKE

Terraform is a technology for managing infrastructure as code. Many projects would benefit greatly from using it to manage infrastrucutre.

GKE is googles kubernetes offering, and has some great features and offerings to make your experience with kubernetes more amazing.

In this article I'll walk you through some of the options you may want to consider, help you avoid pitfalls, and present my preference for a nice general purpose config.

Feel free to skip to the code , and go back through the article for any arguments that you're curious about.

For tips on writing better cloud native services check out my other article 9 tips for writing better micro-services.

Cluster

We'll start with a minimal config, and add to it.

A basic config will look something like this (the next thing we cover is location which is required).

resource "google_container_cluster" "clustername" {
  name     = "clustername"
}

Location

Location is a required field, and an important one to discuss. This field controls both what regions/zones your cluster runs in, but also whether it runs as a "zonal" or "regional" cluster.

Zonal clusters run in a single availability zone, whereas regional clusters run in multiple but require more instances of every pod (one per availability zone).

If you have enough traffic to make use of multiple instances of each pod, regional will be a great option. If you need to do everything you can to minimize downtime, you should go with a regional cluster.

If your traffic is minimal, and minimizing cost of resources is important, go with a zonal config.

Zonal

resource "google_container_cluster" "clustername" {
  ...
  location = "us-central1-a"
}

Regional

resource "google_container_cluster" "clustername" {
  ...
  location = "us-central1"

  // Optional control over which zones your regional cluster runs in
  node_locations = ["us-central1-a","us-central1-b"]
}

Networking Mode - IMPORTANT

Perhaps the biggest pitfall in setting up your cluster using terraform.

Terraform managed clusters default to routes based clustering, wheras google defaults to VPC_NATIVE. In order to work with private Cloud SQL you'll need VPC_NATIVE.

More info on vpc native clusters here .

resource "google_container_cluster" "clustername" {
  ...
  networking_mode = "VPC_NATIVE"

  // Networking mode VPC_NATIVE also requires an ip allocation policy
  ip_allocation_policy {
    cluster_ipv4_cidr_block  = "/16"
    services_ipv4_cidr_block = "/22"
  }
}

Release channels

Release channels allows you to have google manage your kubernetes update cycle.

Stable is likely good enough for most production workloads, unless you have a specific need for something else.

resource "google_container_cluster" "clustername" {
  ...

  release_channel {
    channel = "STABLE"
  }
}

Workload Identity Config

I need to review this, I haven't been able to get it working properly quite yet.

This option though allows you to specify credentials in a way that new credentials will be generated and used each time a pod is spun up, yet with correct permissions to run what it needs.

Timeouts

Clusters can take some time to create and update. To avoid running into these limits in terraform, let's increase the timeouts.

Without these, there is a higher chance google takes long enough that terraform thinks the operation failed and cancels it.

resource "google_container_cluster" "clustername" {
  ...

  timeouts {
    create = "20m"
    update = "20m"
  }
}

Shielded Nodes

Shielded nodes increases the security of your cluster by verifying nodes that join. Otherwise it's a bit easier to impersonate nodes in your cluster given the ability to exploit a pod.

resource "google_container_cluster" "clustername" {
  ...
  enable_shielded_nodes = "true"
}

Maintance Policy

By default google will run automatic upgrades of your cluster whenever it feels like it. To change it to start in a specific window, this is how. Time is in GMT. There are some other options to choose from in maintenance policy, but this is what I use.

resource "google_container_cluster" "clustername" {
  ...
  maintenance_policy {
    daily_maintenance_window {
      start_time = "03:00"
    }
  }
}

Resource Usage

Gather data on resource usage within the cluster. Good for determining what containers are costing what amount.

resource "google_container_cluster" "clustername" {
  ...
  resource_usage_export_config {
    enable_network_egress_metering = false
    enable_resource_consumption_metering = true

    bigquery_destination {
      dataset_id = "cluster_resource_usage"
    }
  }
}

Initial Node Count and Remove Default Node Pool - IMPORTANT

Node pools specified in the cluster resource require cluster to be destroyed/recreated in order to change them. For this reason I strongly recommend using a separate node pool config. This is what's required for the cluster config in order to enable that.

Clusters spun up by terraform have to have a node pool to start. We'll tell terraform to auto destroy that node pool, and have at most one node in it while creating.

resource "google_container_cluster" "clustername" {
  ...

  initial_node_count       = 1
  remove_default_node_pool = true
}

Other options

Some other options on the cluster object that I generally leave at defaults, but you may be interested in.

enable_autopilot

Autopilot mode gives a more hands off experience for GKE at the expense of less flexibility.

network

Specify what network your cluster runs in. I think default is often good enough, but for more advanced use cases you may want to use another network.

vertical_pod_autoscaling

Still in beta, but sounds like a very nice feature. This will handle tuning cpu/mem requests for you.

Istio config

Note, google seems to discourage using this option. The suggest using anthos if you want service mesh features supported by them. Further the just released a competitor to istio that I imagine will be better supported long term.

Node Pool

Node pools define what VM's are used to run our kubernetes cluster. For the rest of the article we'll be covering the configuration of this resource instead of the cluster's config.

Location (basically the same as cluster)

Zones/Regions should be the same as cluster.

Zonal

resource "google_container_node_pool" "nodepoolname" {
  ...
  location = "us-central1-a"
}

Regional

resource "google_container_node_pool" "nodepoolname" {
  ...
  location = "us-central1"

  // Optional control over which zones your regional cluster runs in
  node_locations = ["us-central1-a","us-central1-b"]
}

Auto-scaling

Auto-scaling is a very important feature allowing your cluster to grow and shrink with your traffic.

I'd suggest having a max node of maybe double what you may need at peak. Basically you want some flexibility and ability to scale, but you don't want a bug making taking up massive CPU to cost massive amounts since your cluster scaled to something huge.

resource "google_container_node_pool" "nodepoolname" {
  ...

  initial_node_count = 1
  autoscaling {
    min_node_count = 1
    max_node_count = 12
  }
}

Node Config - Machine Type

What type of VM your node pool uses. At a rough estimate, I generally target having a low number of nodes, but never less than (number of zones your running in).

Larger nodes will be easier to efficiently make use of, but if your not using all the resources they provide it'll be a waste.

resource "google_container_node_pool" "nodepoolname" {
  ...

  node_config {
    ...

    machine_type = "e2-medium"
  }
}

Machine type docs here .

Node Config - Preemptible

Preemptible VM's are a cheap alternative to regular VM's with the huge caveat that they may be shut down at any point (hopefully with 60s or so warning).

They can save alot of money, but they downside means you'll probably want them only for secondary data processing that isn't directly serving user requests, can shutdown safely and quickly, and/or be restarted/recovered easily.

resource "google_container_node_pool" "nodepoolname" {
  ...

  node_config {
    ...

    preemptible = "true"
  }
}

Node Config - Workload metadata config

Same as workload identity from cluster config, I need to experiment more with this.

Useful for helping secure your cluster more.

Node Config - OAuth scopes

Some permissions you'll need for your node pool.

resource "google_container_node_pool" "nodepoolname" {
  ...

  node_config {
    ...

    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }
}

Node Config - Metadata - disable-legacy-endpoints

Default value set by GKE. Terraform will try to unset it though if you haven't specified it.

resource "google_container_node_pool" "nodepoolname" {
  ...

  node_config {
    metadata = {
      disable-legacy-endpoints = true
    }
  }
}

Management - Auto repair

Should google recover bad nodes for you?

resource "google_container_node_pool" "nodepoolname" {
  ....
  management {
    auto_repair  = true
  }
}

Management - Auto upgrade

Should node pools auto upgrade?

resource "google_container_node_pool" "nodepoolname" {
  ....
  management {
    ....
    auto_upgrade = true
  }
}

Timeouts

Extra time for terraform to apply changes to your node pool. They can take awhile to run.

resource "google_container_node_pool" "nodepoolname" {
  ...

  timeouts {
    create = "20m"
    update = "20m"
  }
}

Other Node pool options

guest accelerators

Allows attaching gpu's to your nodes.

General Purpose Config

This is my take a general purpose config, that should be useful in many cases. But read through and find what changes make sense for your use case.

Find the full example at

Just the cluster and node pool configs

resource "google_container_cluster" "cluster" {
  name     = "cluster"
  location = "us-central1"

  node_locations = ["us-central1-a", "us-central1-b"]

  release_channel {
    channel = "STABLE"
  }

  enable_shielded_nodes = "true"

  workload_identity_config {
    identity_namespace = "${var.project}.svc.id.goog"
  }

  resource_usage_export_config {
    enable_network_egress_metering = true
    enable_resource_consumption_metering = true

    bigquery_destination {
      dataset_id = google_bigquery_dataset.cluster_resource_export.dataset_id
    }
  }

  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {
    cluster_ipv4_cidr_block  = "/16"
    services_ipv4_cidr_block = "/22"
  }

  maintenance_policy {
    daily_maintenance_window {
      start_time = "03:00"
    }
  }

  initial_node_count       = 1
  remove_default_node_pool = true

  timeouts {
    create = "20m"
    update = "20m"
  }
}

resource "google_container_node_pool" "primary" {
  name     = "primary"

  location = "us-central1"
  node_locations = ["us-central1-a", "us-central1-b"]

  cluster  = google_container_cluster.cluster.name

  initial_node_count = 1
  autoscaling {
    min_node_count = 1
    max_node_count = 3
  }

  node_config {
    preemptible  = false
    machine_type = "e2-medium"

    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }

    metadata = {
      disable-legacy-endpoints = true
    }

    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  timeouts {
    create = "20m"
    update = "20m"
  }
}

Conclusion

GKE is a powerful, full featured and mature offering for kubernetes. With lots of options though it is even more important to manage your config with infrastructure as code.

Terraform is great for managing GKE, but there are a few pitfalls to be aware of (including some defaults that are different in terraform vs gke). It can make it much easier to version control your config, test it in a dev setting, and otherwise be more sure the complexity of configuring your cluster can be tested before YOLO'ing it in your production environment.

Let me know what I've missed, what you disagree with, what was unclear or anything you feel like commenting on below! Your feedback helps me improve.