Connect to Cloud SQL from an Application in Kubernetes Engine


1 hour 15 minutes, 7 Credits


Google Cloud Self-Paced Labs


This lab shows how easy it is to connect an application in Kubernetes Engine to a Cloud SQL instance using the Cloud SQL Proxy container as a sidecar container. You will deploy a Kubernetes Engine cluster and a Cloud SQL Postgres instance and use the Cloud SQL Proxy container to allow communication between them.

While this lab is focused on connecting to a Cloud SQL instance with a Cloud SQL Proxy container, the concepts are the same for any Google Cloud managed service that requires API access.

This lab was created by GKE Helmsman engineers to help you gain a better understanding of Cloud SQL through a proxy container. You can view this demo on GitHub here. We encourage any and all to contribute to our assets!

The key takeaways are:

  • How to protect your database from unauthorized access by using an unprivileged service account on your Kubernetes Engine nodes.
  • How to put privileged service account credentials into a container running on Kubernetes Engine.
  • How to use the Cloud SQL Proxy to offload the work of connecting to your Cloud SQL instance and reduce your application's knowledge of your infrastructure.

Unprivileged service accounts

By default, Kubernetes Engine nodes run as the default Compute Engine service account. This service account is highly privileged: it is granted the project-level Editor role unless your organization has changed that default, so it can read and modify most Google Cloud resources in the project. Because the Cloud SDK and the Google client libraries use Application Default Credentials, software running on a Compute Engine instance silently picks up that instance's service account token from the metadata server. Any container on the node can do the same, so every pod effectively inherits the node's privileges. Since you don't want all of your containers to have the privileges that the default Compute Engine service account has, you need to make a least-privilege service account for your Kubernetes Engine nodes and then create more specific (but still least-privilege) service accounts for the containers that actually need Google Cloud access.

Privileged service accounts in containers

Within this lab, a process can obtain service account credentials in only two ways:

  1. From the host instance's metadata server (which you don't want, because that grants the node's identity to every container).
  2. From a service account key file (a JSON key that you generate and provide to the container).

A key file is a long-lived secret: anyone who reads it holds that service account's privileges until the key is deleted, so keep the key to a single narrowly-scoped service account, store it as a Kubernetes Secret with restricted RBAC, and rotate it. (Newer GKE versions also offer Workload Identity as a keyless alternative, which this lab does not cover.)

This lab will show you how to get the credentials file into your container running in Kubernetes Engine so your application has the privileges it needs.

Cloud SQL Proxy

The Cloud SQL Proxy allows you to offload the burden of creating and maintaining an authenticated, encrypted connection to your Cloud SQL instance to the Cloud SQL Proxy process. The proxy authenticates to the Cloud SQL API with the service account key and exposes the database on localhost inside the pod, so your application only needs to connect to 127.0.0.1 and never sees the instance address or the Google Cloud credentials. Doing this allows your application to be unaware of the connection details and simplifies your secret management. The Cloud SQL Proxy comes pre-packaged by Google as a container image that you can run as a sidecar alongside your application container in the same Kubernetes Engine pod.
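The three pieces above (a least-privilege node service account, a separate key-file-backed service account for the proxy, and the proxy running as a sidecar) fit together as follows. This is an added example written for this page, not the lab's own scripts or the GKE Helmsman demo code. Project id, zone, cluster and instance names, service account names, the node roles (the logging and monitoring writer roles GKE nodes need to ship telemetry) and the proxy image tag are assumptions; database-level authentication (Postgres user and password for the app) is outside the scope of this snippet. The `GCLOUD` and `KUBECTL` variables exist so the script can be dry-run with `echo` before touching a real project.

```shell
#!/bin/sh
# Added example (not the lab's own code): least-privilege node SA, a separate
# Cloud SQL client SA delivered as a Kubernetes Secret, and a pod that reaches
# Postgres only through a Cloud SQL Proxy sidecar on 127.0.0.1:5432.
# All names, the zone and the image tag below are assumptions for the demo.
set -eu

PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-us-central1-a}"
REGION="${ZONE%-*}"                        # us-central1-a -> us-central1
CLUSTER="${CLUSTER:-cloudsql-demo}"
SQL_INSTANCE="${SQL_INSTANCE:-pg-demo}"
NODE_SA="gke-node-min"                     # unprivileged identity for nodes
PROXY_SA="cloudsql-proxy"                  # identity used only by the sidecar
KEY_FILE="${KEY_FILE:-./proxy-key.json}"
GCLOUD="${GCLOUD:-gcloud}"                 # set GCLOUD=echo for a dry run
KUBECTL="${KUBECTL:-kubectl}"

sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$PROJECT"; }

# Node SA: only what nodes need to ship logs and metrics. It deliberately has
# no Cloud SQL role, so a container that reads the node's metadata-server
# token gains nothing against the database.
create_node_sa() {
  "$GCLOUD" iam service-accounts create "$NODE_SA" --display-name="GKE node (least privilege)"
  for role in roles/logging.logWriter roles/monitoring.metricWriter roles/monitoring.viewer; do
    "$GCLOUD" projects add-iam-policy-binding "$PROJECT" \
      --member="serviceAccount:$(sa_email "$NODE_SA")" --role="$role"
  done
}

create_cluster() {
  "$GCLOUD" container clusters create "$CLUSTER" --zone="$ZONE" \
    --service-account="$(sa_email "$NODE_SA")"
}

create_sql_instance() {
  "$GCLOUD" sql instances create "$SQL_INSTANCE" --database-version=POSTGRES_13 \
    --tier=db-f1-micro --region="$REGION"
}

# Proxy SA: the single role the proxy needs, delivered to the pod as a key
# file stored in a Secret. The local copy is removed once it is in the cluster.
create_proxy_sa_and_secret() {
  "$GCLOUD" iam service-accounts create "$PROXY_SA" --display-name="Cloud SQL proxy"
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$(sa_email "$PROXY_SA")" --role=roles/cloudsql.client
  "$GCLOUD" iam service-accounts keys create "$KEY_FILE" --iam-account="$(sa_email "$PROXY_SA")"
  "$KUBECTL" create secret generic cloudsql-instance-credentials --from-file=key.json="$KEY_FILE"
  rm -f "$KEY_FILE"
}

# Pod manifest: the app talks to localhost; only the sidecar mounts the key,
# read-only, and runs as a non-root user.
render_pod_manifest() {
  conn="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pgapp
spec:
  containers:
  - name: app
    image: postgres:13              # used only for its psql client (assumed)
    command: ["sleep", "infinity"]
    env:
    - {name: PGHOST, value: "127.0.0.1"}
    - {name: PGPORT, value: "5432"}
  - name: cloudsql-proxy
    image: gcr.io/cloudsql-docker/gce-proxy:1.33.2
    command: ["/cloud_sql_proxy",
              "-instances=${conn}=tcp:5432",
              "-credential_file=/secrets/cloudsql/key.json"]
    securityContext:
      runAsNonRoot: true
      runAsUser: 2
      allowPrivilegeEscalation: false
    volumeMounts:
    - name: cloudsql-creds
      mountPath: /secrets/cloudsql
      readOnly: true
  volumes:
  - name: cloudsql-creds
    secret:
      secretName: cloudsql-instance-credentials
EOF
}

deploy_app() {
  conn="$("$GCLOUD" sql instances describe "$SQL_INSTANCE" --format='value(connectionName)')"
  render_pod_manifest "$conn" | "$KUBECTL" apply -f -
}

main() {
  create_node_sa; create_cluster; create_sql_instance
  create_proxy_sa_and_secret; deploy_app
}
# Only provision when explicitly asked, so the file can be sourced safely.
if [ "${RUN_LAB:-0}" = 1 ]; then main; fi
```

Run it for real with `RUN_LAB=1 PROJECT=<your-project> sh cloudsql-lab.sh`; run `GCLOUD=echo KUBECTL=echo RUN_LAB=1 sh cloudsql-lab.sh` first to review every command it would issue. After deployment, `kubectl exec pgapp -c app -- psql -U <dbuser> -h 127.0.0.1 postgres` reaches the instance through the sidecar without the app container ever holding a Google Cloud credential.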
