collins73 · May 26, 2019 13:03 · May 20, 2019 · May 20, 2019 · May 20, 2019 · May 20, 2019
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -364,6 +364,8 @@ gcloud compute routes create no-ip-internet-route \
     --tags no-ip --priority 800
 ```
 ### firewall rules
+* https://medium.com/@swongra/protect-your-google-cloud-instances-with-firewall-rules-69cce960fba
+
 ```
 # allow SSH, RDP and ICMP for the given network
 gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -380,6 +380,9 @@ gcloud compute firewall-rules create mynetwork-deny-icmp \
 gcloud compute firewall-rules list \
 --filter="network:mynetwork AND name=mynetwork-deny-icmp"
 
+# sort-by
+gcloud compute firewall-rules list --sort-by=NETWORK
+
 ```
 
 ### layer 4 network lb

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -365,22 +365,19 @@ gcloud compute routes create no-ip-internet-route \
 ```
 ### firewall rules
 ```
-## ALLOW
-gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
---action ALLOW --direction INGRESS --rules icmp
-gcloud beta compute firewall-rules create mynetwork-allow-ssh --network mynetwork \
---action ALLOW --direction INGRESS --rules tcp:22
-gcloud beta compute firewall-rules create mynetwork-allow-internal --network \
+# allow SSH, RDP and ICMP for the given network
+gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0
+# allow internal from given source range
+gcloud compute firewall-rules create mynetwork-allow-internal --network \
 mynetwork --action ALLOW --direction INGRESS --rules all \
 --source-ranges 10.128.0.0/9
-gcloud beta compute firewall-rules list \
---filter="network:mynetwork"
+gcloud compute firewall-rules list --filter="network:mynetwork"
 
 ## DENY
-gcloud beta compute firewall-rules create mynetwork-deny-icmp \
+gcloud compute firewall-rules create mynetwork-deny-icmp \
 --network mynetwork --action DENY --direction EGRESS --rules icmp \
 --destination-ranges 10.132.0.2 --priority 500
-gcloud beta compute firewall-rules list \
+gcloud compute firewall-rules list \
 --filter="network:mynetwork AND name=mynetwork-deny-icmp"
 
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -343,6 +343,14 @@ Use [gcloud compute operations describe URI] command to check the status of the
 
 ## Networking
 
+### network and subnets
+```
+ gcloud compute networks create privatenet --subnet-mode=custom
+ gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-central1 --range=172.16.0.0/24
+ gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region=europe-west1 --range=172.20.0.0/20
+ gcloud compute networks subnets list --sort-by=NETWORK
+```
+
 ### route
 tag the instances with `no-ips`
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -558,6 +558,18 @@ gcloud beta container clusters create private-cluster2 \
     --master-authorized-networks <external_ip_of_kubectl_instance>
 ```
 
+```
+# create a GKE cluster with CloudRun,Istio, HPA enabled
+gcloud beta container clusters create run-gke \
+  --addons HorizontalPodAutoscaling,HttpLoadBalancing,Istio,CloudRun \
+  --scopes cloud-platform \
+  --zone us-central1-a \
+  --machine-type n1-standard-4 \
+  --enable-stackdriver-kubernetes \
+  --no-enable-ip-alias
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -213,19 +213,90 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati
   -H "Content-Type:application/json" \
 | jq .plaintext -r | base64 -d    
 ```
+## compute engine
 
-## gcloud command for creating an instance? 
+### gcloud command for creating an instance? 
 from web console
 ```
 gcloud compute instances create [INSTANCE_NAME] \
   --image-family [IMAGE_FAMILY] \
   --image-project [IMAGE_PROJECT] \
   --create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]
   
-gcloud beta compute --project=victory-demo-dev instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
+gcloud compute instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
 ```
 
-## instances, template, target-pool and instance group
+### list compute images
+```
+gcloud compute images list --filter=name:debian --uri
+https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109
+https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105
+
+# Use the following command to see available non-Shielded VM Windows Server images
+gcloud compute images list --project windows-cloud --no-standard-images
+# Use the following command to see a list of available Shielded VM images, including Windows images
+gcloud compute images list --project gce-uefi-images --no-standard-images
+```
+
+### list an instance 
+* [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
+* [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
+
+```
+gcloud compute instances list --filter="zone:us-central1-a"
+gcloud compute instances list --project=dev --filter="name~^es"
+gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)"
+gcloud compute instances list --filter=tags:kafka-node
+gcloud compute instances list --filter='machineType:g1-small'
+```
+
+### move instance
+`gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c`
+
+### ssh & scp
+```
+#--verbosity=debug is great for debugging, showing the SSH command 
+# the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network)
+gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes"
+
+gcloud compute scp  --recurse ../manifest <instance_name>:
+```
+### ssh port forwarding for elasticsearch
+```
+gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"
+```
+The 2nd `localhost` is relative to  elasticsearch-1`
+
+### ssh reverse port forwarding 
+for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
+```
+GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
+gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
+```
+
+### generate ssh config 
+```
+gcloud compute config-ssh
+```
+
+### debugging
+gcloud debugging: `gcloud  compute instances list --log-http`
+[serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console)
+
+
+### instance level metadata
+```
+curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
+leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google")
+```
+
+### project level metadata
+```
+gcloud compute project-info describe
+gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
+```
+
+### instances, template, target-pool and instance group
 ```
 cat << EOF > startup.sh
 #! /bin/bash
@@ -258,6 +329,19 @@ gcloud compute instance-templates create nat-2 \
     --machine-type n1-standard-2 --can-ip-forward --tags natgw \
     --metadata-from-file=startup-script=startup.sh  --address $nat_2_ip
 ```
+### disk snapshot
+```
+gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a
+Use [gcloud compute operations describe URI] command to check the status of the operation(s).
+```
+
+### regional disk
+```
+ gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
+```
+
+
+## Networking
 
 ### route
 tag the instances with `no-ips`
@@ -271,7 +355,7 @@ gcloud compute routes create no-ip-internet-route \
     --next-hop-instance-zone us-central1-a \
     --tags no-ip --priority 800
 ```
-## firewall rules
+### firewall rules
 ```
 ## ALLOW
 gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
@@ -293,8 +377,7 @@ gcloud beta compute firewall-rules list \
 
 ```
 
-
-## layer 4 network lb
+### layer 4 network lb
 ```
 gcloud compute firewall-rules create www-firewall --allow tcp:80
 gcloud compute forwarding-rules create nginx-lb \
@@ -306,7 +389,7 @@ gcloud compute firewall-rules list --sort-by=NETWORK
 
 ```
 
-## layer 7 http lb
+### layer 7 http lb
 * https://cloud.google.com/solutions/scalable-and-resilient-apps
 
 ```
@@ -337,14 +420,14 @@ gcloud compute forwarding-rules list
 
 ```
 
-## forwarding-rules
+### forwarding-rules
 ```
 gcloud compute forwarding-rules list --filter=$(dig +short <dns_name>)
 gcloud compute forwarding-rules describe my-forwardingrule --region us-central1
 gcloud compute forwarding-rules describe my-http-forwardingrule --global
 ```
 
-## address
+### address
 ```
 # get the external IP address of the instance
 gcloud compute instances describe single-node \
@@ -357,84 +440,6 @@ gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute a
 ```
 
 
-## compute engine image
-```
-gcloud compute images list --filter=name:debian --uri
-https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109
-https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105
-```
-
-## list an instance 
-* [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
-* [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
-
-```
-gcloud compute instances list --filter="zone:us-central1-a"
-gcloud compute instances list --project=dev --filter="name~^es"
-gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)"
-gcloud compute instances list --filter=tags:kafka-node
-gcloud compute instances list --filter='machineType:g1-small'
-```
-
-## move instance
-`gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c`
-
-## ssh & scp
-```
-#--verbosity=debug is great for debugging, showing the SSH command 
-# the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network)
-gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes"
-
-gcloud compute scp  --recurse ../manifest <instance_name>:
-```
-### ssh port forwarding for elasticsearch
-```
-gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"
-```
-The 2nd `localhost` is relative to  elasticsearch-1`
-
-### ssh reverse port forwarding 
-for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
-```
-GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
-gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
-```
-
-### generate ssh config 
-```
-gcloud compute config-ssh
-```
-
-## serial port debug
-* https://cloud.google.com/compute/docs/instances/interacting-with-serial-console
-
-## disk snapshot
-```
-gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a
-Use [gcloud compute operations describe URI] command to check the status of the operation(s).
-```
-
-## regional disk
-```
- gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
-```
-
-## debugging
-```
-gcloud  compute instances list --log-http
-```
-
-## instance level metadata
-```
-curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
-leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google")
-```
-
-## project level metadata
-```
-gcloud compute project-info describe
-gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
-```
 
 ## GCP managed ssl certificate
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -217,6 +217,11 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati
 ## gcloud command for creating an instance? 
 from web console
 ```
+gcloud compute instances create [INSTANCE_NAME] \
+  --image-family [IMAGE_FAMILY] \
+  --image-project [IMAGE_PROJECT] \
+  --create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]
+  
 gcloud beta compute --project=victory-demo-dev instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -446,7 +446,14 @@ gcloud beta compute target-https-proxies list
 gcloud logging read "timestamp >= \"2018-04-19T00:30:00Z\"  and logName=projects/${project_id}/logs/requests and resource.type=http_load_balancer" --format="csv(httpRequest.remoteIp,httpRequest.requestUrl,timestamp)" --project=${project_id}
 ```
 
-## Enable Service
+## Service
+
+### list service available
+
+`gcloud services list --available`
+
+### Enable Service 
+
 ```
 # chain 
 gcloud services enable cloudapis.googleapis.com && \

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -428,6 +428,7 @@ leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/at
 ## project level metadata
 ```
 gcloud compute project-info describe
+gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
 ```
 
 ## GCP managed ssl certificate

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -289,7 +289,7 @@ gcloud beta compute firewall-rules list \
 ```
 
 
-## layer 3 network lb
+## layer 4 network lb
 ```
 gcloud compute firewall-rules create www-firewall --allow tcp:80
 gcloud compute forwarding-rules create nginx-lb \
@@ -341,11 +341,17 @@ gcloud compute forwarding-rules describe my-http-forwardingrule --global
 
 ## address
 ```
+# get the external IP address of the instance
+gcloud compute instances describe single-node \
+     --format='value(networkInterfaces.accessConfigs[0].natIP)
+     
 gcloud compute addresses describe https-lb --global --format json
 
 # list all IP addresses
 gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {}  2>/dev/null | sort | uniq -c
 ```
+
+
 ## compute engine image
 ```
 gcloud compute images list --filter=name:debian --uri

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -7,6 +7,7 @@
 * [gcloud alpha interactive](http://cloudplatform.googleblog.com/2018/03/introducing-GCPs-new-interactive-CLI.html)
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-1-114924737
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-2-4d049a656f1a
+* https://gist.github.com/bborysenko/97749fe0514b819a5a87611e6aea3db8
 
 ## Other cheatsheets
 * https://github.com/dennyzhang/cheatsheet-gcp-A4

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -532,3 +532,9 @@ gcloud beta container clusters create private-cluster2 \
     --enable-master-authorized-networks \
     --master-authorized-networks <external_ip_of_kubectl_instance>
 ```
+
+## Machine Learning
+```
+brew install bat
+gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat  -l json
+```
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -14,11 +14,11 @@
 ## multiple gcloud config
 
 ```
-gcloud config configurations list
+$gcloud config configurations list
 NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
 default        False      [email protected]     operator  us-west1-b    us-west1
 someone  True       [email protected]  dev-env     us-west1-b    us-west1
-~/.config/gcloud/configurations
+
 $gcloud config configurations activate default
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -11,6 +11,17 @@
 ## Other cheatsheets
 * https://github.com/dennyzhang/cheatsheet-gcp-A4
 
+## multiple gcloud config
+
+```
+gcloud config configurations list
+NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
+default        False      [email protected]     operator  us-west1-b    us-west1
+someone  True       [email protected]  dev-env     us-west1-b    us-west1
+~/.config/gcloud/configurations
+$gcloud config configurations activate default
+```
+
 ## auth
 ```
 gcloud auth list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -93,6 +93,12 @@ fi
 
 ## service account and IAM
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
+
+### List IAM policy on the project level
+```
+gcloud projects get-iam-policy <project_id>
+```
+### service account level
 ```
 # creaate jenkins sa
 gcloud iam service-accounts create jenkins --display-name jenkins
@@ -118,7 +124,6 @@ gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL
 
 ```
 gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
-gcloud projects get-iam-policy <project_id>
 gcloud iam service-accounts list
 gcloud iam service-accounts get-iam-policy <sa_email>
 
@@ -128,6 +133,8 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 # add role to service account
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
+
+### GCS bucket level
 ```
 COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)")
 gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -363,6 +363,13 @@ gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --s
 ```
 The 2nd `localhost` is relative to  elasticsearch-1`
 
+### ssh reverse port forwarding 
+for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
+```
+GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
+gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
+```
+
 ### generate ssh config 
 ```
 gcloud compute config-ssh

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -1,12 +1,16 @@
+## References
 * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html)
 * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections)
 * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
 * [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
 * [scripting-gcloud](https://cloud.google.com/sdk/docs/scripting-gcloud)
-* http://cloudplatform.googleblog.com/2018/03/introducing-GCPs-new-interactive-CLI.html
+* [gcloud alpha interactive](http://cloudplatform.googleblog.com/2018/03/introducing-GCPs-new-interactive-CLI.html)
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-1-114924737
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-2-4d049a656f1a
 
+## Other cheatsheets
+* https://github.com/dennyzhang/cheatsheet-gcp-A4
+
 ## auth
 ```
 gcloud auth list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -142,6 +142,21 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=_BRANCH_NAME=foo,_
 gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=v1.0.1
 ```
 
+### Cloud build trigger GCE rolling replace/start
+* https://medium.com/google-cloud/continuous-delivery-in-google-cloud-platform-cloud-build-with-compute-engine-a95bf4fd1821
+* https://cloud.google.com/compute/docs/instance-groups/updating-managed-instance-groups#performing_a_rolling_replace_or_restart
+
+```
+steps:
+- name: 'gcr.io/cloud-builders/docker'
+  args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/gcp-cloudbuild-gce-angular', '.' ]
+- name: 'gcr.io/cloud-builders/gcloud'
+  args: [ 'beta', 'compute', 'instance-groups', 'managed', 'rolling-action', 'restart', 'gce-angular-instance-group', '--zone=us-east1-b' ]
+images:
+- 'gcr.io/$PROJECT_ID/gcp-cloudbuild-gce-angular'
+
+```
+
 ## kms
 * [cloud-encrypt-with-kms](https://codelabs.developers.google.com/codelabs/cloud-encrypt-with-kms/#0)
 * [Integrated with cloud build](https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -467,4 +467,24 @@ gcloud beta container clusters create private-cluster \
     --master-ipv4-cidr 172.16.0.16/28 \
     --enable-ip-alias \
     --create-subnetwork ""
-```
+
+
+gcloud compute networks subnets create my-subnet \
+    --network default \
+    --range 10.0.4.0/22 \
+    --enable-private-ip-google-access \
+    --region us-central1 \
+    --secondary-range my-svc-range=10.0.32.0/20,my-pod-range=10.4.0.0/14
+
+gcloud beta container clusters create private-cluster2 \
+    --private-cluster \
+    --enable-ip-alias \
+    --master-ipv4-cidr 172.16.0.32/28 \
+    --subnetwork my-subnet \
+    --services-secondary-range-name my-svc-range \
+    --cluster-secondary-range-name my-pod-range
+ 
+ gcloud container clusters update private-cluster2 \
+    --enable-master-authorized-networks \
+    --master-authorized-networks <external_ip_of_kubectl_instance>
+```
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -459,3 +459,12 @@ gcloud container images list-tags gcr.io/$IMAGE --limit=unlimited --sort-by=TIME
 --filter="NOT tags:* AND timestamp.datetime < '${DATE}'" --format='get(digest)' | \
 while read digest;do gcloud container images delete -q --force-delete-tags gcr.io/$IMAGE@$digest ;done
 ```
+## GKE
+```
+# create a private cluster
+gcloud beta container clusters create private-cluster \
+    --private-cluster \
+    --master-ipv4-cidr 172.16.0.16/28 \
+    --enable-ip-alias \
+    --create-subnetwork ""
+```
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -230,6 +230,7 @@ gcloud compute routes create no-ip-internet-route \
 ```
 ## firewall rules
 ```
+## ALLOW
 gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
 --action ALLOW --direction INGRESS --rules icmp
 gcloud beta compute firewall-rules create mynetwork-allow-ssh --network mynetwork \
@@ -240,6 +241,13 @@ mynetwork --action ALLOW --direction INGRESS --rules all \
 gcloud beta compute firewall-rules list \
 --filter="network:mynetwork"
 
+## DENY
+gcloud beta compute firewall-rules create mynetwork-deny-icmp \
+--network mynetwork --action DENY --direction EGRESS --rules icmp \
+--destination-ranges 10.132.0.2 --priority 500
+gcloud beta compute firewall-rules list \
+--filter="network:mynetwork AND name=mynetwork-deny-icmp"
+
 ```
 
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -228,6 +228,20 @@ gcloud compute routes create no-ip-internet-route \
     --next-hop-instance-zone us-central1-a \
     --tags no-ip --priority 800
 ```
+## firewall rules
+```
+gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
+--action ALLOW --direction INGRESS --rules icmp
+gcloud beta compute firewall-rules create mynetwork-allow-ssh --network mynetwork \
+--action ALLOW --direction INGRESS --rules tcp:22
+gcloud beta compute firewall-rules create mynetwork-allow-internal --network \
+mynetwork --action ALLOW --direction INGRESS --rules all \
+--source-ranges 10.128.0.0/9
+gcloud beta compute firewall-rules list \
+--filter="network:mynetwork"
+
+```
+
 
 ## layer 3 network lb
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -237,7 +237,7 @@ gcloud compute forwarding-rules create nginx-lb \
          --ports=80 \
          --target-pool nginx-pool
          
-gcloud compute forwarding-rules list
+gcloud compute firewall-rules list --sort-by=NETWORK
 
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -413,20 +413,27 @@ enable-service container.googleapis.com
 
 ## chaining gcloud commands
 ```
-gcloud compute forwarding-rules list --format 'value(NAME)' | xargs -I {}  gcloud compute forwarding-rules delete {}  --region us-west1 -q
+gcloud compute forwarding-rules list --format 'value(NAME)' \
+| xargs -I {}  gcloud compute forwarding-rules delete {}  --region us-west1 -q
 
-gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {}  2>/dev/null | sort | uniq -c
+gcloud projects list --format='value(project_id)' \
+| xargs -I {} gcloud compute addresses list --format='value(address)' --project {}  2>/dev/null | sort | uniq -c
 
-gcloud compute instances list --filter=elasticsearch --format='value(NAME)' | xargs -I {} -p gcloud compute instances stop {}
-gcloud compute instances list --filter=elasticsearch --format='value(INTERNAL_IP)' | xargs -I {} ssh {} "sudo chef-client"
+gcloud compute instances list --filter=elasticsearch --format='value(NAME)' \
+| xargs -I {} -p gcloud compute instances stop {}
+gcloud compute instances list --filter=elasticsearch --format='value(INTERNAL_IP)' \
+| xargs -I {} ssh {} "sudo chef-client"
 
 # delete non default routes
-gcloud compute routes list --filter="NOT network=default" --format='value(NAME)' | xargs -I {} gcloud compute routes delete -q {}
+gcloud compute routes list --filter="NOT network=default" --format='value(NAME)' \
+| xargs -I {} gcloud compute routes delete -q {}
 ```
 
 ## one liner to purge GCR images given a date
 ```
 DATE=2018-10-01
 IMAGE=<project_id>/<image_name>
-gcloud container images list-tags gcr.io/$IMAGE --limit=999999 --sort-by=TIMESTAMP   --filter="timestamp.datetime < '${DATE}'" --format='get(digest)' | while read digest;do gcloud container images delete -q --force-delete-tags gcr.io/$IMAGE@$digest ;done
+gcloud container images list-tags gcr.io/$IMAGE --limit=unlimited --sort-by=TIMESTAMP   \
+--filter="NOT tags:* AND timestamp.datetime < '${DATE}'" --format='get(digest)' | \
+while read digest;do gcloud container images delete -q --force-delete-tags gcr.io/$IMAGE@$digest ;done
 ```
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -424,3 +424,9 @@ gcloud compute instances list --filter=elasticsearch --format='value(INTERNAL_IP
 gcloud compute routes list --filter="NOT network=default" --format='value(NAME)' | xargs -I {} gcloud compute routes delete -q {}
 ```
 
+## one liner to purge GCR images given a date
+```
+DATE=2018-10-01
+IMAGE=<project_id>/<image_name>
+gcloud container images list-tags gcr.io/$IMAGE --limit=999999 --sort-by=TIMESTAMP   --filter="timestamp.datetime < '${DATE}'" --format='get(digest)' | while read digest;do gcloud container images delete -q --force-delete-tags gcr.io/$IMAGE@$digest ;done
+```
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -124,6 +124,11 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 # add role to service account
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
+```
+COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)")
+gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name
+```
+
 ## app engine
 * https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -124,6 +124,9 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 # add role to service account
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
+## app engine
+* https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a
+
 ## cloud build 
 
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -135,6 +135,9 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=v1.0.1
 ```
 
 ## kms
+* [cloud-encrypt-with-kms](https://codelabs.developers.google.com/codelabs/cloud-encrypt-with-kms/#0)
+* [Integrated with cloud build](https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials)
+
 ```
 # list all keyrings 
 gcloud kms keyrings list --location global

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -88,6 +88,7 @@ fi
 ```
 
 ## service account and IAM
+* [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 ```
 # creaate jenkins sa
 gcloud iam service-accounts create jenkins --display-name jenkins

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -43,6 +43,11 @@ PROJECT_ID=$(gcloud info --format='value(config.project)')
 # get project_number
 gcloud projects list --filter="name:${project_id}"  --format='value(project_number)'
 ```
+## billing
+```
+gcloud beta billing accounts list
+gcloud organizations list
+```
 
 ## switch gcloud context with gcloud config
 ```
No results found