What can you do with this new GKE architecture?
With this new set of features, you can essentially remove all public IP communication in your GKE clusters! This, in essence, means you can make your GKE clusters fully private.
You currently need to create the cluster as public to ensure that it uses PSC, but you can then update your cluster using gcloud with the
--enable-private-endpoint flag, or the UI, to configure access via only a private endpoint on the control plane or to create new private node pools.
Alternatively, you can control access at cluster creation time with the
--no-enable-google-cloud-access flag to prevent access from public addressing to the control plane.
Additionally, you can use the REST API or the Terraform providers to build a new PSC-based GKE cluster whose default (and thus first) node pool has private nodes. This can be done by setting the
enablePrivateNodes field to true (instead of leveraging the public GKE cluster defaults and then updating afterwards, as currently required with gcloud and UI operations).
Finally, the aforementioned features extend not only to Standard GKE clusters, but also to GKE Autopilot clusters.
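The following is an added example, not code from the original post or from the Google Terraform provider documentation. It shows the REST API / Terraform path described above: a GKE cluster created private from the start rather than created public and updated afterwards. Project, network, subnetwork, region and CIDR values are placeholders, and the field names and their effect (in particular that omitting master_ipv4_cidr_block selects PSC-based control plane connectivity) are assumptions that should be checked against the provider version you use.

```hcl
# Added example (not from the original post or the provider docs).
# A PSC-based GKE cluster that is private from creation: private nodes in the
# first node pool, private-only control plane endpoint, and no access from
# Google Cloud public address ranges. All names and CIDRs are placeholders.

resource "google_container_cluster" "private_psc" {
  name     = "private-psc-cluster"   # placeholder
  location = "us-central1"           # placeholder region
  project  = "my-project-id"         # placeholder

  network    = "my-vpc"              # placeholder
  subnetwork = "my-subnet"           # placeholder

  # VPC-native (alias IP) networking is required for private nodes.
  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {}

  # The first (default) node pool is created here, so it gets the private
  # node setting below from the start (the enablePrivateNodes behaviour the
  # post describes for the REST API and Terraform path).
  initial_node_count = 1

  private_cluster_config {
    # Nodes get no external IPs. The default (false) creates public nodes,
    # which is what the gcloud/UI path starts from before an update.
    enable_private_nodes = true

    # Only the control plane's private endpoint is reachable; this is the
    # Terraform equivalent of gcloud --enable-private-endpoint (default false).
    enable_private_endpoint = true

    # Assumption: no master_ipv4_cidr_block is set, so the control plane is
    # reached over PSC rather than legacy VPC peering.
  }

  # Terraform equivalent of gcloud --no-enable-google-cloud-access: block
  # reaching the control plane from Google Cloud public IP ranges.
  gcp_public_cidrs_access_enabled = false

  # With the public endpoint disabled, only internal ranges listed here can
  # reach the control plane at all; keep this to your admin subnet.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.10.0.0/24"  # placeholder: internal admin range
      display_name = "admin-subnet"
    }
  }
}
```

Because enable_private_endpoint is true, clients outside the authorized internal range (and, per the limitations below, on-premises clients and VMs in other regions) will not be able to reach the API server; plan the bastion or VPC placement of your tooling before switching a cluster to this configuration.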
When evaluating whether you're ready to move to these PSC-based GKE cluster types to take advantage of private cluster isolation, keep in mind that the control plane's private endpoint has the following limitations:
Private addresses in URLs for new or existing webhooks that you configure are not supported. To mitigate this incompatibility and assign an internal IP address to the URL for webhooks, set up a webhook to a private address by URL: create a headless service with no selector and a corresponding endpoint for the required destination.
The control plane private endpoint is not currently accessible from on-premises systems.
The control plane private endpoint is not currently globally accessible: client VMs in regions other than the cluster region cannot connect to the control plane's private endpoint.
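As an added example (not from the original post), the webhook workaround from the first limitation above, expressed with the Terraform kubernetes provider so it fits the same automation pipeline: a headless, selector-less Service, a manually maintained Endpoints object pointing at the private address, and a validating webhook that references the Service instead of a URL containing a private IP. The namespace, names, destination IP, path and CA bundle are placeholders.

```hcl
# Added example (not from the original post). Replaces a webhook URL that
# would contain a private IP with a Service-based reference, as the
# limitation above recommends. All names and addresses are placeholders.

variable "webhook_ca_bundle" {
  description = "Base64-encoded CA that signed the webhook server certificate (placeholder)"
  type        = string
}

# Headless Service with no selector: it gives the webhook a stable in-cluster
# DNS name, and because there is no selector nothing will overwrite the
# Endpoints we define by hand below.
resource "kubernetes_service" "webhook_backend" {
  metadata {
    name      = "validator-backend"   # placeholder
    namespace = "webhooks"            # placeholder
  }
  spec {
    cluster_ip = "None"               # headless
    port {
      port = 443
    }
  }
}

# Manually maintained Endpoints carrying the private destination address.
resource "kubernetes_endpoints" "webhook_backend" {
  metadata {
    name      = kubernetes_service.webhook_backend.metadata[0].name
    namespace = kubernetes_service.webhook_backend.metadata[0].namespace
  }
  subset {
    address {
      ip = "10.20.0.15"               # placeholder: private IP of the webhook server
    }
    port {
      port = 443
    }
  }
}

# The webhook references the Service, not a URL with a private IP.
resource "kubernetes_validating_webhook_configuration" "validator" {
  metadata {
    name = "pod-validator"            # placeholder
  }
  webhook {
    name                      = "pods.validator.example.com"  # placeholder
    admission_review_versions = ["v1"]
    side_effects              = "None"
    client_config {
      service {
        name      = kubernetes_service.webhook_backend.metadata[0].name
        namespace = kubernetes_service.webhook_backend.metadata[0].namespace
        port      = 443
        path      = "/validate"       # placeholder
      }
      ca_bundle = var.webhook_ca_bundle
    }
    rule {
      api_groups   = [""]
      api_versions = ["v1"]
      operations   = ["CREATE", "UPDATE"]
      resources    = ["pods"]
    }
  }
}
```

One check that is easy to miss: the API server verifies the webhook server's TLS certificate against the Service DNS name (here validator-backend.webhooks.svc), so the certificate served at the private address must carry that name and be signed by the CA in ca_bundle, otherwise admission requests fail closed or open depending on the webhook's failure policy.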
All public clusters on version 1.25 and later that are not yet PSC-based are currently being migrated to the new PSC infrastructure; therefore, your clusters might already be using PSC to communicate with the control plane.
To learn more about GKE clusters with PSC-based control plane communication, check out these references:
Here are the more specific features in the latest Terraform provider, useful to integrate into your automation pipeline:
Terraform Provider Google: release v4.45.0