[GSP178] Setting up a Private Kubernetes Cluster


Делаю:
02.06.2019


In Kubernetes Engine, a private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, only private addresses, so your workloads run in an isolated environment. Nodes and masters communicate with each other using VPC peering.

In the Kubernetes Engine API, address ranges are expressed as Classless Inter-Domain Routing (CIDR) blocks.


Creating a private cluster

$ gcloud config set compute/zone us-central1-a

When you create a private cluster, you must specify a /28 CIDR range for the VMs that run the Kubernetes master components and you need to enable IP aliases.

Next you’ll create a cluster named private-cluster, and specify a CIDR range of 172.16.0.16/28 for the masters. When you enable IP aliases, you let Kubernetes Engine automatically create a subnetwork for you.

You’ll create the private cluster by using the –private-cluster, –master-ipv4-cidr, and –enable-ip-alias flags.


$ gcloud beta container clusters create private-cluster \
    --private-cluster \
    --master-ipv4-cidr 172.16.0.16/28 \
    --enable-ip-alias \
    --create-subnetwork ""



$ gcloud compute networks subnets list --network default
***
gke-private-cluster-subnet-7135c381  us-central1              default  10.33.40.0/22

// $ gcloud compute networks subnets describe [SUBNET_NAME] --region us-central1
$ gcloud compute networks subnets describe gke-private-cluster-subnet-7135c381 --region us-central1


Enabling master authorized networks

$ gcloud compute instances create source-instance --zone us-central1-a --scopes 'https://www.googleapis.com/auth/cloud-platform'

$ gcloud compute instances describe source-instance --zone us-central1-a | grep natIP

natIP: 104.198.63.250

[MY_EXTERNAL_RANGE] - natIP/32

// $ gcloud container clusters update private-cluster \
--enable-master-authorized-networks \
--master-authorized-networks [MY_EXTERNAL_RANGE]

$ gcloud container clusters update private-cluster \
--enable-master-authorized-networks \
--master-authorized-networks 104.198.63.250/32


// Enter through the passphrase questions.
$ gcloud compute ssh source-instance --zone us-central1-a

В виртуалке:

$ sudo apt-get install -y kubectl

$ gcloud container clusters get-credentials private-cluster --zone us-central1-a

$ kubectl get nodes --output wide
NAME                                             STATUS   ROLES    AGE     VERSION          INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
gke-private-cluster-default-pool-7bbe0b39-6gz4   Ready    <none>   8m25s   v1.12.7-gke.10   10.33.40.3                  Container-Optimized OS from Google   4.14.106+        docker://17.3.2
gke-private-cluster-default-pool-7bbe0b39-hrxb   Ready    <none>   8m26s   v1.12.7-gke.10   10.33.40.4                  Container-Optimized OS from Google   4.14.106+        docker://17.3.2
gke-private-cluster-default-pool-7bbe0b39-rjpd   Ready    <none>   8m24s   v1.12.7-gke.10   10.33.40.2                  Container-Optimized OS from Google   4.14.106+        docker://17.3.2

$ exit


Clean Up

$ gcloud container clusters delete private-cluster --zone us-central1-a


Creating a private cluster that uses a custom subnetwork (Optional)

In the previous section Kubernetes Engine automatically created a subnetwork for you. In this section, you’ll create your own custom subnetwork, and then create a private cluster. Your subnetwork has a primary address range and two secondary address ranges.

Create a subnetwork and secondary ranges:

$ gcloud compute networks subnets create my-subnet \
    --network default \
    --range 10.0.4.0/22 \
    --enable-private-ip-google-access \
    --region us-central1 \
    --secondary-range my-svc-range=10.0.32.0/20,my-pod-range=10.4.0.0/14


Create a private cluster that uses your subnetwork:

$ gcloud beta container clusters create private-cluster2 \
    --private-cluster \
    --enable-ip-alias \
    --master-ipv4-cidr 172.16.0.32/28 \
    --subnetwork my-subnet \
    --services-secondary-range-name my-svc-range \
    --cluster-secondary-range-name my-pod-range


Authorize your external address range, replacing [MY_EXTERNAL_RANGE] with the CIDR range of the external addresses from the previous output:

// $ gcloud container clusters update private-cluster2 \
    --enable-master-authorized-networks \
    --master-authorized-networks [MY_EXTERNAL_RANGE]

$ gcloud container clusters update private-cluster2 \
    --enable-master-authorized-networks \
    --master-authorized-networks 104.198.63.250/32


$ gcloud compute ssh source-instance --zone us-central1-a

$ gcloud container clusters get-credentials private-cluster2 --zone us-central1-a

$ kubectl get nodes --output yaml | grep -A4 addresses
      addresses:
      - address: 10.0.4.4
        type: InternalIP
      - address: ""
        type: ExternalIP
  --
      addresses:
      - address: 10.0.4.2
        type: InternalIP
      - address: ""
        type: ExternalIP
  --
      addresses:
      - address: 10.0.4.3
        type: InternalIP
      - address: ""
        type: ExternalIP


At this point, the only IP addresses that have access to the master are the addresses in these ranges:

  • The primary range of your subnetwork. This is the range used for nodes. In this example, the range for nodes is 10.0.4.0/22.

  • The secondary range of your subnetwork that is used for pods. In this example, the range for pods is 10.4.0.0/14.