Description
Opened on Mar 27, 2020
What would you like to be added:
The Gardener GCP provider already allows passing configuration for services of type LoadBalancer which are backed by internal load balancers. The user can specify in the infrastructure config via `.internal` a CIDR range within the VPC from which IP addresses for internal load balancer services are picked. The extension will create a subnet in the VPC with the `.internal` CIDR.
I propose to extend this approach to allow users to specify an existing subnet, which can likewise be used to pick IP addresses for internal load balancer services.
In addition it could also make sense to deploy Shoot clusters only with internal load balancer services, as there could be scenarios which require that for security/isolation reasons (those scenarios would of course require that the seed hosting the control plane can access these environments).
The `InfrastructureConfig` could look like this:

```yaml
apiVersion: gcp.provider.extensions.gardener.cloud/v1beta1
kind: InfrastructureConfig
networks:
  vpc:
    name: myvpc
    ...
  internal:
    cidr: 10.251.0.0/16
    subnet: subnet-name-in-myvpc
    internalOnly: true|false
    localAccess: true|false
  ...
```
Either `.internal.cidr` or `.internal.subnet` can be specified.
The `.internal.internalOnly` flag specifies that all load balancer services in the cluster need to be internal ones (including `vpn-shoot`). That can be enforced and/or validated via webhooks.
The `.internal.localAccess` flag could be used to limit access to the internal load balancers to within the VPC.
The following annotations need to be set on the services:

```yaml
networking.gke.io/load-balancer-type: Internal
networking.gke.io/internal-load-balancer-allow-global-access: "true" # enforced to "false" via webhook when `.internal.localAccess == true`
networking.gke.io/internal-load-balancer-subnet: subnet-name-in-myvpc # subnet name enforced via webhook when `.internal.subnet` is set
```
The annotation `networking.gke.io/internal-load-balancer-subnet` is currently available as an alpha feature. To enable it, the cloud provider config passed to the GCP cloud-controller-manager needs to contain `alpha-features="ILBCustomSubnet"`.
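To make the webhook enforcement sketched above concrete, here is an added example (not code from the gardener-extension-provider-gcp project) of the two pieces such a webhook would need: a mutating step that stamps the required annotations onto Services of type LoadBalancer, and a validating step that rejects Services which still violate the `.internal` settings. The `InternalConfig` Go type, the `Mutate` and `ValidateService` function names and the sample annotation map are assumptions made for this example; the annotation keys and the `internalOnly`/`localAccess`/`subnet` semantics are the ones proposed above.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation keys named in the proposal.
const (
	annoLBType       = "networking.gke.io/load-balancer-type"
	annoGlobalAccess = "networking.gke.io/internal-load-balancer-allow-global-access"
	annoSubnet       = "networking.gke.io/internal-load-balancer-subnet"
)

// InternalConfig mirrors the proposed .networks.internal section.
// The Go type itself is an assumption for this example.
type InternalConfig struct {
	CIDR         string
	Subnet       string
	InternalOnly bool
	LocalAccess  bool
}

// Validate enforces that exactly one of cidr/subnet is set.
func (c InternalConfig) Validate() error {
	if (c.CIDR == "") == (c.Subnet == "") {
		return fmt.Errorf("exactly one of internal.cidr or internal.subnet must be set")
	}
	return nil
}

// Mutate returns the annotation set a mutating webhook would apply to a
// Service. Services that are not of type LoadBalancer are returned unchanged;
// the input map is never modified.
func Mutate(cfg InternalConfig, svcType string, annotations map[string]string) map[string]string {
	out := make(map[string]string, len(annotations))
	for k, v := range annotations {
		out[k] = v
	}
	if svcType != "LoadBalancer" {
		return out
	}
	if cfg.InternalOnly {
		out[annoLBType] = "Internal" // every LB must be internal
	}
	if strings.EqualFold(out[annoLBType], "Internal") {
		if cfg.LocalAccess {
			out[annoGlobalAccess] = "false" // no access from outside the VPC
		}
		if cfg.Subnet != "" {
			out[annoSubnet] = cfg.Subnet // pin the ILB to the user-provided subnet
		}
	}
	return out
}

// ValidateService is the validating side: it returns the policy violations
// for a Service, or nil when the Service is compliant.
func ValidateService(cfg InternalConfig, svcType string, annotations map[string]string) []string {
	if svcType != "LoadBalancer" {
		return nil
	}
	var violations []string
	internal := strings.EqualFold(annotations[annoLBType], "Internal")
	if cfg.InternalOnly && !internal {
		violations = append(violations, fmt.Sprintf("%s must be Internal when internal.internalOnly is true", annoLBType))
	}
	if internal {
		if cfg.LocalAccess && strings.EqualFold(annotations[annoGlobalAccess], "true") {
			violations = append(violations, fmt.Sprintf("%s=true is not allowed when internal.localAccess is true", annoGlobalAccess))
		}
		if cfg.Subnet != "" && annotations[annoSubnet] != cfg.Subnet {
			violations = append(violations, fmt.Sprintf("%s must be %q", annoSubnet, cfg.Subnet))
		}
	}
	return violations
}

func main() {
	cfg := InternalConfig{Subnet: "subnet-name-in-myvpc", InternalOnly: true, LocalAccess: true}
	// Constructed sample: a LoadBalancer Service that asks for global access
	// and does not declare itself internal.
	svc := map[string]string{annoGlobalAccess: "true"}
	fmt.Println("before mutation:", ValidateService(cfg, "LoadBalancer", svc))
	fmt.Println("after mutation: ", ValidateService(cfg, "LoadBalancer", Mutate(cfg, "LoadBalancer", svc)))
}
```

Running the mutating step before validation means a compliant cluster never sees a public load balancer even if a Service omits the annotations; keeping the validating step as well catches clients that bypass or race the mutation, which is the usual reason to deploy both webhook kinds for a policy like this.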
Why is this needed:
There are scenarios where users need to create a VPC upfront with a subnet inside that is routable in other contexts, e.g. internal networks.