Creating Private GKE Clusters

To create a private GKE cluster, use one of the private submodules (for example beta-private-cluster, the module shown in the error below).

Note that a private cluster is inherently more restricted, so take greater care when configuring network ingress and egress: nodes have no public IP addresses, so anything they must reach outside the VPC (container registries, package mirrors, external APIs) has to go through Cloud NAT, Private Google Access, or a proxy you provide.

Private Cluster Endpoints

When creating a private cluster, nodes are provisioned with private IPs only. The Kubernetes master (control plane) endpoint is also locked down. Two module features are applied with kubectl from the machine running Terraform, so that machine must be able to reach the control plane endpoint:

  • configure_ip_masq
  • stub_domains

If you are not using these features, the module only needs to reach the Google Cloud APIs, so it functions normally for private clusters and no special configuration is needed.

If you are using these features with a private cluster, you will need to do one of the following:

  1. Run Terraform from a VM in the same VPC as your cluster (so it can connect to the private endpoint) and set deploy_using_private_endpoint to true.
  2. Enable the (beta) route export functionality so the private endpoint is reachable from an on-premises network over Cloud VPN or Cloud Interconnect.
  3. Include the external IP of your Terraform deployer in the master_authorized_networks configuration. This only works while the public endpoint is enabled (enable_private_endpoint = false); with a private-only endpoint GKE rejects any CIDR outside your private IP space (see Troubleshooting below).
  4. Deploy a bastion host or proxy in the same VPC as your GKE cluster and run Terraform (or tunnel its kubectl traffic) through it.

If you are going to isolate your GKE private clusters from internet access entirely, see this guide and the associated repo.

Troubleshooting

Master Authorized Network

When creating a private cluster with a private endpoint (enable_private_endpoint = true), your cluster will not have a publicly addressable control plane endpoint; the API server is reachable only from inside the VPC and from networks connected to it.

When using this setting, every CIDR range listed in the master_authorized_networks configuration must come from your private IP space (GKE calls these reserved networks). If you include a CIDR block outside that space, such as the public IP of a workstation, cluster creation fails with an error like this one:

Error: Error waiting for creating GKE cluster: Invalid master authorized networks: network "73.89.231.174/32" is not a reserved network, which is required for private endpoints.

  on .terraform/modules/gke-cluster-dev.gke/terraform-google-kubernetes-engine-9.2.0/modules/beta-private-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
  22: resource "google_container_cluster" "primary" {

To resolve this error, update your configuration to do one of the following:

  • Enable a public endpoint (with enable_private_endpoint = false), which allows public CIDR blocks such as a deployer's external IP to be authorized.
  • Keep the private endpoint and update your master_authorized_networks configuration to use only CIDR blocks from your private IP space.
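The pre-flight check below is an added example and not code from this module or the GKE project. It reproduces the "not a reserved network" rejection above against the module inputs before terraform apply is run, and it reports how the Terraform deployer will reach the control plane for the two kubectl-driven features named earlier (configure_ip_masq and stub_domains), covering the four connectivity options. Everything in it is an assumption for illustration: the config dicts and deployer IPs are constructed, master_authorized_networks is modelled as a list of {cidr_block, display_name} objects, and RFC 1918 stands in for GKE's "reserved networks" (GKE's actual accepted set may be broader).

```python
import ipaddress
from typing import Dict, List

# Assumption: the page only says "private IP space"; RFC 1918 is used here as the
# stand-in for what GKE calls "reserved networks". GKE's real list may be broader.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Module features from this page that are applied with kubectl from the deployer.
KUBECTL_FEATURES = ("configure_ip_masq", "stub_domains")


def is_private_cidr(cidr: str) -> bool:
    """True when the whole CIDR lies inside one of PRIVATE_RANGES."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in PRIVATE_RANGES)


def check_master_authorized_networks(config: Dict) -> List[str]:
    """Reproduce the 'not a reserved network' rejection before terraform apply.

    Returns one message per offending CIDR; an empty list means the entries are
    acceptable for the chosen endpoint type.
    """
    problems: List[str] = []
    if not config.get("enable_private_endpoint", False):
        return problems  # public endpoint enabled: public CIDRs are allowed
    for entry in config.get("master_authorized_networks", []):
        cidr = entry["cidr_block"]
        if not is_private_cidr(cidr):
            problems.append(
                f'network "{cidr}" is not a reserved network, '
                "which is required for private endpoints"
            )
    return problems


def deployer_api_access(config: Dict, deployer_ip: str) -> str:
    """Classify how the machine running Terraform reaches the control plane.

    Only configure_ip_masq and stub_domains need that access, so the answer is
    "not-needed" unless one of them is set. Otherwise:
      "blocked-not-authorized"   deployer_ip matches no master_authorized_networks entry
      "blocked-private-endpoint" private endpoint only, but
                                 deploy_using_private_endpoint is not true
      "ok-public"                public endpoint, deployer is authorized
      "ok-private"               private endpoint, deployer is authorized and the
                                 module is told to use the private endpoint
    """
    uses_kubectl = bool(config.get("configure_ip_masq", False)) or bool(config.get("stub_domains"))
    if not uses_kubectl:
        return "not-needed"
    ip = ipaddress.ip_address(deployer_ip)
    authorized = any(
        ip in ipaddress.ip_network(e["cidr_block"], strict=False)
        for e in config.get("master_authorized_networks", [])
    )
    if not authorized:
        return "blocked-not-authorized"
    if config.get("enable_private_endpoint", False):
        if config.get("deploy_using_private_endpoint", False):
            return "ok-private"
        return "blocked-private-endpoint"
    return "ok-public"


# Constructed sample inputs, modelled on the module variables named on this page.
# The first one reproduces the failing configuration from the error message above.
PRIVATE_ONLY_WITH_PUBLIC_CIDR = {
    "enable_private_endpoint": True,
    "deploy_using_private_endpoint": True,
    "configure_ip_masq": True,
    "master_authorized_networks": [
        {"cidr_block": "73.89.231.174/32", "display_name": "laptop"},  # public IP: rejected
        {"cidr_block": "10.0.0.0/8", "display_name": "vpc"},
    ],
}

PRIVATE_ONLY_FIXED = {
    **PRIVATE_ONLY_WITH_PUBLIC_CIDR,
    "master_authorized_networks": [{"cidr_block": "10.0.0.0/8", "display_name": "vpc"}],
}

if __name__ == "__main__":
    for name, cfg in (("broken", PRIVATE_ONLY_WITH_PUBLIC_CIDR), ("fixed", PRIVATE_ONLY_FIXED)):
        print(name, check_master_authorized_networks(cfg) or "ok")
    print("deployer in VPC:", deployer_api_access(PRIVATE_ONLY_FIXED, "10.0.5.4"))
    print("deployer on internet:", deployer_api_access(PRIVATE_ONLY_FIXED, "73.89.231.174"))
```

Run it against the values you intend to pass to the module; it fails fast on exactly the class of mistake that otherwise surfaces only after the API call in terraform apply, and the "blocked-*" results tell you which of the four connectivity options still has to be put in place.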