
Added information about GKE private clusters and image access #1563

Closed
wants to merge 5 commits into from

Conversation


@Oxxygenio Oxxygenio commented Jan 26, 2020

Added information on how it's possible to pull images from Docker Hub and other repositories when using a GKE private cluster.



@googlebot

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.



@k8s-ci-robot

Hi @Oxxygenio. Thanks for your PR.

I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Oxxygenio

/assign @richardsliu


@sarahmaddox sarahmaddox left a comment


Thanks for this suggestion @Oxxygenio! I've suggested adding extra information so that readers know more about the suggested solution without having to search and make assumptions about it.

@@ -48,6 +48,7 @@ from the nodes. Google services (such as BigQuery and Cloud Storage) are still a
Importantly this means you can continue to use your [Google Container Registry (GCR)](https://cloud.google.com/container-registry/docs/) to host your Docker images. Other Docker registries (for example, DockerHub) will not be accessible. If you need to use Docker images
hosted outside GCR you can use the scripts provided by Kubeflow to mirror them to your GCR registry.

There is however still a way to pull images directly from DockerHub, or other repositories, and not having the hassle of re-writing deployment files. Activating Google NAT service to the subnet you are using, will give your pods egress access
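Review bot: the added sentence ends without a period and "Google NAT service" is not a product name, but the bigger gap is that it reverses the preceding sentence ("Other Docker registries ... will not be accessible") without saying what the trade-off is: a NAT gateway on that subnet gives every node and pod on it outbound internet access, not access to DockerHub alone. Finish the sentence, name the product (Cloud NAT) and link its docs, and add one line telling readers that this widens the private cluster's egress so they can weigh it against the mirror-to-GCR approach above.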


@jlewi Please would you review this suggestion?

@Oxxygenio We need to give more information in the docs, so that readers know what the proposed solution is, whether it's applicable to them, and how they can use it. For example, you should expand the abbreviation "NAT" (I think it's Cloud NAT?), link to the docs (these? https://cloud.google.com/nat/docs/overview), and give an example to illustrate how people can use this option.



Thanks @sarahmaddox and @Oxxygenio.

Should we create a separate/new page that discusses setting up a Cloud NAT and link to it from the private GKE cluster page?

In the Cloud NAT page it would be nice to have example commands that illustrate how to set up Cloud NAT.

On that page we could then have subsections corresponding to adding access for various services. So adding access to DockerHub would be one (and we could add others later as necessary).

The private GKE page could then just have something along the lines of
Alternatively follow these instructions to set up Cloud NAT to allow access to DockerHub.



@jlewi That's a good suggestion. A separate page about Cloud NAT provides more clarity for readers, and gives us more scope to expand the information.

@Oxxygenio Are you happy to create such a page?

If you do all that in this PR, then you'll be able to view your changes at the same preview link: https://deploy-preview-1563--competent-brattain-de2d6d.netlify.com/docs/gke/private-clusters/

You can also build the site locally and watch your changes appear in a local version of the docs as you type - see the README:
https://github.com/kubeflow/website/blob/master/README.md



@jlewi Do you think we should merge this PR and create an issue for the separation of this info into a new page? I don't know whether this content inherently belongs on this page or should be on a separate page from the beginning.

@sarahmaddox

/assign @jlewi
/assign

@sarahmaddox

@Oxxygenio Please would you sign the CLA as suggested by the googlebot in a previous comment. When you've signed the CLA, add a comment to this PR with the words @googlebot I signed it!. That will prompt the bot to run the CLA check again.

@googlebot

CLAs look good, thanks!


@sarahmaddox

Oh great, the CLA check has now run successfully. Thanks!

@Oxxygenio

@jlewi I'll update it with information and a use-case :)

@googlebot

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it. If the bot doesn't comment, it means it doesn't think anything has changed.


@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign jlewi
You can assign the PR to them by writing /assign @jlewi in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Oxxygenio

@googlebot I signed it!

@Oxxygenio

@googlebot I fixed it.

@googlebot

CLAs look good, thanks!


@Oxxygenio

@sarahmaddox and @jlewi I had to go back in and fix the Markdown. For some reason the numbering broke completely; even something as easy as getting the original document in raw form on GitHub breaks the numbers. Please re-review, so that it looks 100% on your end.

@@ -80,7 +84,7 @@ export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT} --format='value(proj
dns.googleapis.com --project=${PROJECT}
```

1. Check if you have an access policy object already created:
2. Check if you have an access policy object already created:
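Review bot: hand-editing the item number ("1." to "2." on the changed line) is what makes the rendered list drift out of sync, because Markdown renumbers ordered lists itself; keep "1." on every item (or revert this line to the original) and fix whatever is breaking the rendering instead of chasing the numbers by hand.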


Why are you explicitly changing the numbering rather than letting markdown auto enumerate it for you?



@Oxxygenio just saw your comment about numbering. I would suggest reverting the numbering changes and then we should try to figure out why the numbering is broken



FYI, here's the preview of your PR, where you can see how the page looks with your changes included, when built by Netlify for the doc website:
https://deploy-preview-1563--competent-brattain-de2d6d.netlify.com/docs/gke/private-clusters/
Netlify builds the preview each time you push a commit up to GitHub.

@sarahmaddox

/ok-to-test

@sarahmaddox

@Oxxygenio How are you doing with the suggested updates?


Oxxygenio commented Feb 10, 2020

@sarahmaddox That should set it right.
Edit: Sorry, I had totally missed the replies in my email.


@sarahmaddox sarahmaddox left a comment


Thanks! A couple more suggestions, and I'll leave it up to @jlewi to decide whether we should merge this and create an issue for the separate page.

@@ -48,6 +48,11 @@ from the nodes. Google services (such as BigQuery and Cloud Storage) are still a
Importantly this means you can continue to use your [Google Container Registry (GCR)](https://cloud.google.com/container-registry/docs/) to host your Docker images. Other Docker registries (for example, DockerHub) will not be accessible. If you need to use Docker images
hosted outside GCR you can use the scripts provided by Kubeflow to mirror them to your GCR registry.

There is however still a way to pull images directly from DockerHub, or other repositories, and not having the hassle of re-writing deployment files. Activating Google's [Cloud NAT](https://cloud.google.com/nat/docs/overview/)(Network Address Translation) service to the subnet you are using, will give your pods egress access.
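Review bot: there is no space between the link and "(Network Address Translation)", and "Activating ... to the subnet you are using" leaves readers guessing where the setting lives: Cloud NAT is configured on a Cloud Router in the cluster's region and scoped to the subnet's IP ranges, so say that and give the command. Because the gateway translates all outbound traffic from those ranges, the sentence should also say the cluster gains general internet egress rather than access to DockerHub specifically.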


Add a space before (Network Address Translation). See preview: https://deploy-preview-1563--competent-brattain-de2d6d.netlify.com/docs/gke/private-clusters/

@@ -48,6 +48,11 @@ from the nodes. Google services (such as BigQuery and Cloud Storage) are still a
Importantly this means you can continue to use your [Google Container Registry (GCR)](https://cloud.google.com/container-registry/docs/) to host your Docker images. Other Docker registries (for example, DockerHub) will not be accessible. If you need to use Docker images
hosted outside GCR you can use the scripts provided by Kubeflow to mirror them to your GCR registry.

There is however still a way to pull images directly from DockerHub, or other repositories, and not having the hassle of re-writing deployment files. Activating Google's [Cloud NAT](https://cloud.google.com/nat/docs/overview/)(Network Address Translation) service to the subnet you are using, will give your pods egress access.
One use-case where this is very helpful is when you are using command tools that install several components and rely on publicly available images.
[Istio](https://istio.io/docs/setup/install/istioctl/) with its istioctl is a good example: _istioctl manifest apply_
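Review bot: "_istioctl manifest apply_" is a command, so render it in backticks rather than italics and close the sentence with a full stop; it would also help to name the registry those "publicly available images" are pulled from (Istio publishes its images on Docker Hub), which ties the example back to the DockerHub claim two sentences earlier and tells readers which egress the NAT path must reach.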


Add a full stop (period) after apply_.

There is however still a way to pull images directly from DockerHub, or other repositories, and not having the hassle of re-writing deployment files. Activating Google's [Cloud NAT](https://cloud.google.com/nat/docs/overview/)(Network Address Translation) service to the subnet you are using, will give your pods egress access.
One use-case where this is very helpful is when you are using command tools that install several components and rely on publicly available images.
[Istio](https://istio.io/docs/setup/install/istioctl/) with its istioctl is a good example: _istioctl manifest apply_
Generating and editing the manifest file is timeconsuming and error-prone.
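Review bot: "timeconsuming" should be "time-consuming", and the sentence contradicts the paragraph above it (which recommends mirroring images to GCR with Kubeflow's scripts) without saying which manifest is meant or why editing it is hard; either drop it, as suggested, or rewrite it to say explicitly that the generated Istio manifest would need every image reference rewritten to point at GCR.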


Suggestion: Remove this sentence about editing the manifest file. As a reader, I found it a little unexpected at this location.


jlewi commented Feb 10, 2020

@Oxxygenio Could we provide more information about how to set up Cloud NAT? In particular, can we provide gcloud commands that users can run?

As mentioned earlier it might be nice to move that into its own page or at least make it a new section.
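The gcloud procedure asked for above, as an added example that is not code from this PR, the Kubeflow docs or Google: it creates a regional Cloud Router, attaches a Cloud NAT gateway scoped to the cluster's subnet only, and checks egress from inside the cluster. The project, region, network, subnet, router and NAT names are placeholders, and the script prints each command instead of running it unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the PR or the Kubeflow docs): give a private GKE
# cluster's subnet outbound internet access through Cloud NAT so nodes can
# pull from Docker Hub. All names and the region are assumptions; override
# them through the environment.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-kubeflow-vpc}"
SUBNET="${SUBNET:-kubeflow-subnet}"   # subnet the private cluster's nodes live in
ROUTER="${ROUTER:-kubeflow-router}"
NAT="${NAT:-kubeflow-nat}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands instead of running them

# run: print the command line (DRY_RUN=1) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_router: Cloud NAT is attached to a Cloud Router in the cluster's region.
create_router() {
  run gcloud compute routers create "$ROUTER" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"
}

# create_nat: NAT only the cluster subnet's primary range rather than
# --nat-all-subnet-ip-ranges, which would hand every subnet in the VPC internet
# egress; let Google allocate the external IPs; log translation errors so
# blocked or port-exhausted egress shows up in Cloud Logging.
# GKE masquerades pod traffic bound for the internet to the node IP by default;
# if that is disabled, add "$SUBNET:<pods-secondary-range-name>" to the list.
create_nat() {
  run gcloud compute routers nats create "$NAT" \
    --project="$PROJECT" --region="$REGION" --router="$ROUTER" \
    --nat-custom-subnet-ip-ranges="$SUBNET" \
    --auto-allocate-nat-external-ips \
    --enable-logging --log-filter=ERRORS_ONLY
}

# nat_is_subnet_scoped: guard for CI; fails if the NAT command would ever be
# widened to the whole VPC. Renders the command in a subshell, so nothing runs.
nat_is_subnet_scoped() {
  cmd=$(DRY_RUN=1; create_nat)
  case "$cmd" in
    *--nat-all-subnet-ip-ranges*) return 1 ;;
    *--nat-custom-subnet-ip-ranges="$SUBNET"*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_egress: from inside the cluster, request the Docker Hub registry API.
# The curl image itself comes from Docker Hub, so the pod starting at all
# proves node-level pulls work; the request then checks pod egress. Expect
# HTTP 401 (the registry's auth challenge); a timeout means no egress path.
verify_egress() {
  run kubectl run nat-check --rm -i --restart=Never \
    --image=curlimages/curl -- \
    curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 \
    https://registry-1.docker.io/v2/
}

create_router
nat_is_subnet_scoped
create_nat
verify_egress
```

Run it once with the defaults to read the commands, then `DRY_RUN=0 PROJECT=... REGION=... SUBNET=... sh cloud-nat.sh` to apply them. Keep the NAT scoped to the cluster subnet: the gateway carries all outbound traffic from the ranges you list, so every pod on that subnet can reach the internet once it exists, which is the trade-off a reader choosing this over mirroring to GCR needs to know.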

@sarahmaddox

@Oxxygenio Friendly ping - please would you take a look at the review comments on this PR?

@sarahmaddox

@Oxxygenio It looks like you've run out of time to work on this PR. Also, we're planning a large-scale update to the docs - see issue #1705. I've linked this PR to that issue, so that the engineers can take your work into account too.

Thanks so much for your contribution to the docs! I'll close this PR now, but please do re-open it if you plan to work further on it.

/close

@k8s-ci-robot

@sarahmaddox: Closed this PR.

