ACE
- Areas to focus
  - IAM - lots of questions about IAM, especially on granting a least-privilege role across projects, or to external security/auditing teams.
    - Roles
      - Owner / Editor / Viewer / Admin / Deployer / etc.
      - Groups work! (and they are recommended)
    - Recommendations
      - Use Cloud Identity (+ G Suite).
      - Enforce MFA.
      - Service account + access scope.
    - Role type:
      - Primitive / predefined / custom
  - Lots on BigQuery, gcloud commands.
  - GKE (lots)
    - ClusterIP: internal to the cluster, through the service
    - NodePort: external, through the node (VM)
    - LoadBalancer: external
    - Ingress can work only with NodePort
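A concrete way to check the IAM points above (least privilege, groups rather than individual users, external auditors, cross-project service accounts) is to audit the project's policy as `gcloud projects get-iam-policy PROJECT --format=json` prints it. The script below is an added example and not part of the original notes; the sample policy, the organisation domain `example.com` and the project id `my-project` are constructed for it.

```python
"""Audit a GCP project's IAM policy for least-privilege problems.

Added example; not code from the original notes. It consumes the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` prints and flags the
patterns the notes warn about. SAMPLE_POLICY_JSON, the org domain and the
project id are constructed for the example.
"""
import json
from collections import Counter

# Primitive (basic) roles are far too broad for almost every principal.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample with the same shape as `gcloud projects get-iam-policy` output.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com",
                 "user:bob@external-audit.example"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["serviceAccount:etl@other-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}
"""


def split_member(member):
    """'user:alice@example.com' -> ('user', 'alice@example.com').
    Special members such as 'allUsers' carry no prefix: ('allUsers', '')."""
    kind, sep, ident = member.partition(":")
    return (kind, ident) if sep else (member, "")


def email_domain(ident):
    """Domain part of an e-mail style identity, '' if there is none."""
    return ident.rsplit("@", 1)[-1] if "@" in ident else ""


def audit_policy(policy, org_domain, project_id):
    """Return a list of (finding, role, member) tuples."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, ident = split_member(member)
            if kind in PUBLIC_MEMBERS:
                findings.append(("public_member", role, member))
                continue
            if role in PRIMITIVE_ROLES:
                findings.append(("primitive_role", role, member))
            if kind == "user":
                # Prefer groups: membership is then managed in one place.
                findings.append(("user_not_group", role, member))
            if kind in ("user", "group") and email_domain(ident) != org_domain:
                # External auditors etc.: check scope of the role and review regularly.
                findings.append(("external_member", role, member))
            if kind == "serviceAccount":
                domain = email_domain(ident)
                # User-managed SAs live at <project-id>.iam.gserviceaccount.com;
                # a different project id means a cross-project grant.
                if domain.endswith(".iam.gserviceaccount.com") and domain.split(".", 1)[0] != project_id:
                    findings.append(("cross_project_sa", role, member))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return dict(Counter(kind for kind, _, _ in findings))


def audit_sample():
    policy = json.loads(SAMPLE_POLICY_JSON)
    return audit_policy(policy, org_domain="example.com", project_id="my-project")


if __name__ == "__main__":
    for kind, role, member in audit_sample():
        print(f"{kind:18} {role:30} {member}")
    print(summarize(audit_sample()))
```

Replace `SAMPLE_POLICY_JSON` with the real gcloud output (for example `gcloud projects get-iam-policy my-project --format=json > policy.json`) and pass the organisation's domain and project id; a cross-project service account is not a problem in itself, but it belongs on the list of grants the other project's owners have agreed to.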
  - Project
    - Projects are managed independently (e.g. there is no project copy/clone).
  - Billing
    - Alerts
    - Cost calculator
      - Use the pricing calculator for each service.
  - Region, zone
  - Compute
    - A service account can be referred to by the application through a token obtained from the metadata service.
    - Instance startup order:
      - gcloud command starts (without --async).
      - Instance is in the Provisioning state.
      - Space is reserved on a host machine.
      - Service account (if specified) is attached.
      - Instance is in the Staging state.
      - Other processes run, such as network adapter attachment.
      - Instance is in the Running state.
      - The metadata service returns information (e.g. the startup script).
      - gcloud command completes.
      - Startup script starts.
      - Startup script completes.
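Because the application on a VM gets its credentials as the attached service account's token from the metadata service, the token carries whatever that account may do (the effective permissions are the intersection of the instance's access scopes and the account's IAM roles). The check below, an added example rather than code from the original notes, reads the JSON from `gcloud compute instances list --format=json` (only the fields it uses are reproduced) and reports instances running as the default Compute Engine service account or with the all-APIs `cloud-platform` scope; the sample instance list is constructed.

```python
"""Flag Compute Engine instances whose attached service account or access
scopes are broader than they need to be.

Added example; not code from the original notes. Input is the JSON that
`gcloud compute instances list --format=json` prints, reduced to the fields
used here. SAMPLE_INSTANCES_JSON is constructed for the example.
"""
import json
import re

# Granting this scope lets the token reach every Google API the account's
# IAM roles allow; narrower scopes limit the blast radius of a leaked token.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Default Compute Engine service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample: one instance on the default SA with the broadest scope,
# one on a dedicated SA with narrow scopes, one with no service account.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "serviceAccounts": [
     {"email": "123456789012-compute@developer.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "worker-1",
   "serviceAccounts": [
     {"email": "worker@my-project.iam.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                 "https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "bastion-1"}
]
"""


def audit_instances(instances):
    """Return (instance_name, finding, detail) tuples."""
    findings = []
    for inst in instances:
        # An instance without "serviceAccounts" has no token to obtain: nothing to flag.
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            scopes = sa.get("scopes", [])
            if DEFAULT_COMPUTE_SA.match(email):
                findings.append((inst["name"], "default_service_account", email))
            if CLOUD_PLATFORM_SCOPE in scopes:
                findings.append((inst["name"], "cloud_platform_scope", CLOUD_PLATFORM_SCOPE))
    return findings


def audit_sample_instances():
    return audit_instances(json.loads(SAMPLE_INSTANCES_JSON))


if __name__ == "__main__":
    for name, finding, detail in audit_sample_instances():
        print(f"{name:12} {finding:24} {detail}")
```

The remedy for a flagged instance is the one the notes list under recommendations: a dedicated service account carrying only the IAM roles the workload needs, attached together with the narrowest access scopes that still let it work.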
  - Storage
    - GCS charges by data access (read/write). This option can be more expensive than Bigtable if there are many IOs.
  - Database and analytics options
    - Data Studio: (~ QuickSight/Tableau) for data visualization.
  - Logging
    - Log flow (Stackdriver, Cloud Storage, BigQuery)
    - GKE does NOT use the GCE service account to create GCE instances. The log record will just say "GKE_NODE_INSTANCE_NAME was created".
  - gcloud command (lots)
    - Project settings (e.g. gcloud abc xyz)
    - Service settings (e.g. bq abx xyz)