Cloud Sandbox

active

March 2025

Shell GCP GKE IAP
cloud gcp kubernetes platform-engineering

A CLI utility for creating sandbox VMs to easily access private GKE clusters. This started as a quality-of-life script for me to just wrap a few GKE commands. Eventually it turned into a little bit more, then a little bit more, then... you know how it is.

Sometimes having a totally locked-down private Kubernetes API server is great, but it presents some challenges for development.

What It Does

The gke-sandbox.sh script handles the full lifecycle of sandbox VMs — creation, enumeration, and deletion — for accessing private GKE clusters that require administrative access through a bastion-style workflow.

I tried to make an intuitive interface that was as easy to use as possible. I was wrestling with creating bastion VMs for myself, and didn't want to maintain any Terraform state or config for something I intended to delete as soon as I was done.

What I like about this tool is it lets me create these super specific VMs on demand and access my cluster in a very secure way.

I wanted it to be flexible and extensible with different customizations. For example, one could install their favorite ~~spyware~~ "security" tooling automagically to meet company policy guidelines.

Another part I was proud of was the automatic service account creation related specifically to the VM scope so that permissions were done on a least-privileged basis. The VM gets just enough to manipulate the control plane and that's it.

Features

  • Pre-configured environment — VMs come with kubectl, helm, jq, and networking pre-configured for API server connectivity
  • Secure access — Uses Identity-Aware Proxy (IAP) tunneling instead of direct exposure
  • Customizable setup — Startup scripts allow configuration of bundled tools and environment parameters
  • Self-service — Users can independently manage VM lifecycle without manual intervention
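
The lifecycle described above (a per-VM service account, no public IP, access only through IAP) can be sketched as the following gcloud sequence. This is an added example, not the project's gke-sandbox.sh: the function names, the `DRY_RUN` switch, the naming scheme and the `roles/container.developer` role are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added sketch, not the project's gke-sandbox.sh. Function names, resource
# naming and the IAM role are assumptions made for illustration.
set -eu

ROLE="roles/container.developer"  # assumed role; use the narrowest one that fits

# Print the command when DRY_RUN=1 (the default); otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The name doubles as the service account ID, which is stricter than a VM name:
# 6-30 chars, lowercase letter first, letters/digits/hyphens, no trailing hyphen.
valid_name() {
  case "$1" in *[!a-z0-9-]*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# sandbox_up PROJECT ZONE NAME: dedicated identity, no public IP, IAP-only SSH.
sandbox_up() {
  local project="$1" zone="$2" name="$3"
  valid_name "$name" || { echo "invalid sandbox name: $name" >&2; return 2; }
  local sa="${name}@${project}.iam.gserviceaccount.com"
  # One service account per sandbox, so the identity dies with the VM.
  run gcloud iam service-accounts create "$name" --project "$project"
  run gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${sa}" --role "$ROLE"
  # --no-address: the VM gets no external IP and is reachable only via IAP.
  run gcloud compute instances create "$name" --project "$project" --zone "$zone" \
    --no-address --service-account "$sa" --scopes cloud-platform
  run gcloud compute ssh "$name" --project "$project" --zone "$zone" --tunnel-through-iap
}

# sandbox_down PROJECT ZONE NAME: delete the VM, then unbind and delete its identity.
sandbox_down() {
  local project="$1" zone="$2" name="$3"
  valid_name "$name" || { echo "invalid sandbox name: $name" >&2; return 2; }
  local sa="${name}@${project}.iam.gserviceaccount.com"
  run gcloud compute instances delete "$name" --project "$project" --zone "$zone" --quiet
  # Unbind before deleting, so no binding for a deleted account is left in the policy.
  run gcloud projects remove-iam-policy-binding "$project" \
    --member "serviceAccount:${sa}" --role "$ROLE"
  run gcloud iam service-accounts delete "$sa" --project "$project" --quiet
}
```

With `DRY_RUN=1` the functions only print the plan, which makes the sequence reviewable before anything is created; IAP SSH additionally needs a firewall rule allowing the IAP forwarding range to reach port 22 on the VM.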