From Google Cloud Build overview documentation, Cloud Build executes builds (a build contains instructions for Cloud Build to perform tasks) as a series of build steps, where each build step is run in a Docker container. Executing build steps is analogous to executing commands in a script.
Private pools
Cloud Build by default runs in a secure, hosted environment with access to the public internet. Each build runs on its own worker and is isolated from other workloads.
Private pools are dedicated pools of workers that can access resources in a private network.
Private pools are hosted in a Google-owned service producer network. For builds to access resources in a private network, a private VPC peering connection between the VPC network and the service producer network is required.
Aviatrix Cloud Networking Reference Architecture
The Aviatrix FireNet reference architecture is described below:
Private Connection Configuration
Enable API:
In the VPC network, allocate a named IP range:
Cloud Build reserves the IP range
192.168.10.0/24for the Docker bridge network.
Each service producer requires a minimum prefix size of /24. Create a private connection between the service producer network and your VPC network:
Route configuration:
Aviatrix spoke gateway configuration:
- spoke50:
- spoke60:
Permissions:
- Cloud Run runs under Cloud Build Services Account
Create a pool:
Testing
The testing topology is show below:
I describe how to deploy a GKE on top of an Aviatrix cloud network on the following post:
We will verify that the solution is working by running the command kubectl get nodes in a build step which is running in the private pool:
To submit run the command:
cloud builds submit --config=cloudbuild.yaml
We can also check the console: Cloud Build -> History:
References
https://cloud.google.com/build/docs/overview
https://cloud.google.com/architecture/accessing-private-gke-clusters-with-cloud-build-private-pools
