GKE Nodepool Add Labels Without overwriting existing labels

GKE has a feature to add node labels to all nodes in a nodepool. GKE applies the label both to the nodes already running in the cluster and to newly added nodes.

You can use the feature like this:

gcloud container node-pools update my-node-pool \
  --cluster my-cluster --labels sam …

GKE list tainted nodepools with a specific taint

A use case for upgrades involved being able to list all the node pools that have scaled down back to 0 and have a specific taint. This blog post shows the commands you can use to get this information.

List the GKE nodepools that have been tainted with key=upgrade …

3 tips for GKE ML/batch workloads

There has been an influx of large batch and ML training workloads on GKE. I've personally had the pleasure of working with one of those workloads. The things that batch and ML workloads often require from GKE are the following:

  • Minimize pod disruptions since pods often can't simply be restarted …

GKE Safely Drain a Nodepool without pod disruptions

GKE/K8s wasn't originally designed for workloads that spin up single pods and want those pods to stay up and running on the same node for a long time. That doesn't mean those kinds of workloads aren't running on GKE. In fact, there are large GKE ML/batch platform workloads running …

Preventing Privileged pods using Pod Security Admission / Standards

In a Kubernetes cluster, a privileged pod is a pod that has been given extended permissions beyond the default set of permissions. These extended permissions can include the ability to access the host's network, devices, and other sensitive resources. While privileged pods can be useful in certain situations, they also …

Trying ValidatingAdmissionPolicy aka CEL Admission in K8s 1.26

CEL for admission control is a new 1.26 feature. With it, you define a ValidatingAdmissionPolicy to express your desired policy and a ValidatingAdmissionPolicyBinding to assign that policy to, e.g., a namespace.

This post has the following sections:

  1. Creating a 1.26 cluster with ValidatingAdmissionPolicy / CEL Admission enabled
  2. Configure the policies …

Deploying K8s on your laptop with minikube

K8s on your laptop is helpful as an initial development and testing environment. Minikube makes it easy to get K8s deployed on your laptop. Let's get K8s installed by doing the following:

  1. Installing required tools: docker, minikube and kubectl
  2. Deploying the minikube cluster with minikube start
  3. Verifying you can deploy an …

GKE GPU timesharing and resource quotas experiment

You only have a few GPUs and want to make it look to your end users as if you have many? Then GKE GPU timesharing might just be the feature for you to save costs on GPUs that are underutilized. In this blog post you will learn:

  1. Creating a GKE nodepool with timesharing enabled …

GKE move system services (kube-dns, calico) to dedicated nodepool

GKE by default deploys kube-dns and other system services to any of your nodepools. This is probably fine for most cases, but certain use cases might require preventing system services from running on the same nodes where your applications are running. This blog post provides instructions on how …

GKE docker registry with HTTP proxy

You are at one of those places that requires you to use a proxy to access your company-wide Docker registry. Sometimes HTTP proxies are used to supposedly improve security or to work around IP-based rate limits. Well, good luck, you're in for a ride on how to do this …
