0

Can I create a service or container from another container, on Google Cloud Run or Cloud Run on GKE?

I basically want to manage my containers/services dynamically from another container and am not sure how to go about this.

Adding more details:

One of my microservices needs to create new isolated containers that will run some user-land code. I would like to have full life-cycle control of these containers, run the code, and then destroy as needed.

I also looked at the Cloud Run APIs, but I'm not sure how to run something like 'kubectl create ...' through the APIs. Is that the right approach?

haknick
  • Could you edit the question to be more specific about what you're trying to accomplish? – Doug Stevenson Sep 16 '19 at 04:31
  • Sure, why not, just need a pod / container that contains the necessary tools to interact / manage the cluster (i.e. kubectl). – masseyb Sep 16 '19 at 06:19
  • In summary, you want an on-demand environment (serverless) for managing other containers? Do you need terminal access, or only to run a scheduled script on it? – guillaume blaquiere Sep 16 '19 at 08:22
  • @DougStevenson added some more details to it – haknick Sep 17 '19 at 04:34
  • @guillaumeblaquiere Not sure if I need terminal access at this point, but I wouldn't think so – haknick Sep 17 '19 at 04:36
  • Cloud Run (fully managed) does not support DinD. Not sure about Cloud Run on GKE, but I'm pretty unclear why you'd need to do this in a GKE cluster you control. – Grayside Sep 17 '19 at 05:00
  • @Grayside I'm asking about managing other containers/services on the cluster, not DinD – haknick Sep 19 '19 at 02:41

1 Answer

1

Yes, you should be able to deploy Cloud Run services from Cloud Run services.

  • on Cloud Run (hosted): services by default run with Editor permissions, so this should be possible without any extra configuration
    • note that if you deploy apps with --allow-unauthenticated which requires setting IAM permissions, the Editor role will not be enough, as you need Owner role on the GCP project for that.
  • on Cloud Run on GKE: services by default run with limited scopes (as they by default inherit GKE node's permissions/scopes). You should add a service account to the Kubernetes Pod and use it to authenticate.

From there, you have several options:

  1. Use the REST API directly: Since run.googleapis.com behaves like a Kubernetes API server, you can directly apply JSON objects of Knative Services. (You can use gcloud ... --log-http to learn how deployments are made using REST API requests).

  2. Use gcloud: you can ship your container image with gcloud and invoke it from your process.

  3. Use Google Cloud Client Libraries: You can use the client libraries that are available for Cloud Run (for example this Go library) to construct in-memory Service objects and send them to the API using a higher level client library (recommended approach)

ahmet alp balkan
  • This is great, thank you. 1- Where can I find an example or more info on the first option? 2- Also, it seems like the first option would be a more standard Knative option that would run the same on every Knative setup? Whereas the third option seems specific to Cloud Run? 3- Lastly, is there a Node library similar to the Go one that you know of? – haknick Sep 19 '19 at 03:15
  • 1. You just write HTTP requests in an HTTP client yourself, just look at the --log-http output of gcloud to see what/how it makes such requests. 2. Yeah, the Knative API is nearly the same as Cloud Run, but some stuff like authentication will be different. 3. Yes, I'm sure there's a Node equivalent library to call Google APIs, like googleapis/google-api-nodejs-client. – ahmet alp balkan Sep 19 '19 at 12:15
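
Option 1 from the answer above (sending Knative Service objects to run.googleapis.com), sketched as an added example that is not part of the original thread or any project's code. It builds the create and delete requests for one isolated job and attaches a dedicated service account rather than the default identity. It assumes the v1 Knative path on the regional endpoint; the project, region, service names, limits and the name pattern are hypothetical choices made for the example.

```javascript
// Added example (not from the thread). All names and limits are hypothetical.
// Conservative pattern for values placed in the URL path (an assumption of
// this example): lowercase letter first, then letters, digits or hyphens.
const SEGMENT_RE = /^[a-z]([-a-z0-9]{0,47}[a-z0-9])?$/;

function servicesUrl({ project, region }, name) {
  for (const v of [project, region, ...(name === undefined ? [] : [name])]) {
    if (typeof v !== "string" || !SEGMENT_RE.test(v)) {
      throw new Error(`rejected path segment: ${JSON.stringify(v)}`);
    }
  }
  const base = `https://${region}-run.googleapis.com/apis/serving.knative.dev/v1`;
  return `${base}/namespaces/${project}/services` + (name ? `/${name}` : "");
}

const authHeaders = (token) => ({
  Authorization: `Bearer ${token}`,
  "Content-Type": "application/json",
});

// Knative Service for one isolated job, created with a POST to the collection URL.
function buildCreateRequest(target, { name, image, serviceAccount }, token) {
  if (!serviceAccount) throw new Error("dedicated service account required");
  const url = servicesUrl(target); // validates project and region
  servicesUrl(target, name);       // validates the caller-supplied name
  const service = {
    apiVersion: "serving.knative.dev/v1",
    kind: "Service",
    metadata: { name, namespace: target.project },
    spec: { template: { spec: {
      serviceAccountName: serviceAccount, // instead of the default identity
      containerConcurrency: 1,            // one request per instance
      timeoutSeconds: 60,
      containers: [{ image, resources: { limits: { cpu: "1", memory: "256Mi" } } }],
    } } },
  };
  return { method: "POST", url, headers: authHeaders(token), body: JSON.stringify(service) };
}

// Tear-down: DELETE on the named service.
function buildDeleteRequest(target, name, token) {
  return { method: "DELETE", url: servicesUrl(target, name), headers: authHeaders(token) };
}

// Sends a built request; the token would come from the runtime's metadata server.
async function send(req) {
  const res = await fetch(req.url, req);
  if (!res.ok) throw new Error(`Cloud Run API returned ${res.status}`);
  return res.json();
}
```

Because the service name ends up in the URL path of the delete call, rejecting anything outside the pattern keeps a caller-supplied job name from addressing a different resource.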