Spoiler alert: no code examples in this article 😊
Securing application traffic, also referred to as encrypting data in transit or application communication encryption, is a standard security practice and, almost always, a requirement for any multi-tier application. A common practice is to use the SSL/TLS protocols. The implementation should declare the version(s) and cipher(s) of the supported protocol(s).
Cloud native applications are often deployed on Kubernetes, such as GKE in Google Cloud (GCP). Although the idea of encrypting data in transit is simple, implementing and operating it may require considerable investment. It may prove helpful to understand how…
For some time now Kubernetes has supported ephemeral containers. Starting from Kubernetes version 1.18, ephemeral containers can be used to debug running pods, in addition to a large set of other troubleshooting methods. While GKE already supports Kubernetes 1.18, the kubectl debug command is still unavailable, mainly because this feature is still marked as Alpha in the Kubernetes API. So, what else can you do besides inspecting GKE application logs and traces?
It is possible to access a running pod’s containers from the hosting VM. In GKE most clusters use COS (Container-Optimized OS) to run worker nodes. When you SSH to the…
The term label usually describes a key/value pair that is attached to some object. In Kubernetes, labels are key/value pairs attached to manifested resources, such as pods. Kubernetes labels can be used to organize objects and to select subsets of them. Google Cloud labels (referred to in this post as Cloud labels) are mainly used to categorize resources in billing reports in order to simplify analysis of spending. When the term label is used with the GKE service it sometimes creates ambiguity and confusion. The GKE documentation that references them as “cluster labels” may contribute to the…
One of the requirements for secure remote access to machines is easy management of the users-to-VMs access matrix, together with reduced solution and operational costs. For VM fleets hosted on Google Cloud this is easy to do. In this post I build an example of a working solution based on OS Login and IAP tunneling and review a few important focus points about the technology and best practices.
The majority of existing solutions for data centers and cloud providers use one of three constructs:
Cloud Engineer in PSO at Google, specializing in Infrastructure, AppDev, Security and SRE. Horsemanship in my free time.