Can I launch Google Container Engine (GKE) in Private GCP network Subnet?

2
votes

I'm trying to launch Google Container Engine (GKE) in Private GCP network Subnet.

I have created custom Google Cloud VPC, then I have created custom Private Network Access Subnet too under that VPC.

1) When I create GKE cluster with Private Subnet, still my Kubernetes nodes assigned with Public IP. Why it is so ? As per Google Document private instance should get Private IP.

2) If I create cluster in Private, can I connect my container application to Google SQL instance ?

3) Is any recommendation to launch GKE cluster should launched in Public Subnet only, not in Private Subnet ?

3
google-cloud-platformkubernetesgoogle-kubernetes-engine
Observation : We have launched GKE cluster in Private Subnet, but GKE Cluster is behaving same as if its launch in Public Subnet. - Nilesh Suryavanshi

3 Answers

1
votes

With lots of R&D and some replies got from forum.

GKE should allow you to create a cluster in a Network that does have a default route to internet. We can launch a cluster in private subnet but that GKE cluster instance will treat as Public Subnet only.

As GKE relies on public IPs to access the hosted master, for now.

Security aspects considering of GKE cluster, we can deny all ports in firewall to access Cluster through internet.

1
votes

Private Clusters on GKE are now available in beta. They allow you to restrict public internet from connecting to the master.

https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters

0
votes

Agreed, you can get started with a private cluster which takes your nodes off the internet and has private communication with your master. https://cloudplatform.googleblog.com/2018/03/kubernetes-engine-private-clusters-now.html