Can I launch Google Container Engine (GKE) in Private GCP network Subnet?

Submitted by 强颜欢笑 on 2021-01-27 18:12:12

Question


I'm trying to launch Google Container Engine (GKE) in Private GCP network Subnet.

I have created custom Google Cloud VPC, then I have created custom Private Network Access Subnet too under that VPC.

1) When I create a GKE cluster in the private subnet, my Kubernetes nodes are still assigned public IPs. Why is that? As per the Google documentation, a private instance should get a private IP.

2) If I create the cluster in the private subnet, can I connect my container application to a Google Cloud SQL instance?

3) Is there any recommendation that a GKE cluster should be launched in a public subnet only, not in a private subnet?


Answer 1:


After lots of R&D and some replies I got from the forum:

GKE should allow you to create a cluster in a network that does have a default route to the internet. We can launch a cluster in a private subnet, but that GKE cluster instance will be treated as if it were in a public subnet.

This is because GKE relies on public IPs to access the hosted master, for now.

Considering the security aspects of a GKE cluster, we can deny all ports in the firewall to block access to the cluster from the internet.




Answer 2:


Private clusters on GKE are now available in beta. They allow you to restrict the public internet from connecting to the master.

https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters




Answer 3:


Agreed, you can get started with a private cluster, which takes your nodes off the internet and gives them private communication with your master. https://cloudplatform.googleblog.com/2018/03/kubernetes-engine-private-clusters-now.html
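The answers above leave the practical question of how to tell whether an existing cluster actually has the private-node and private-endpoint settings they describe, rather than merely sitting in a subnet named "private". The following audit script is an added example, not code from the question or any of the answers; it reads the JSON that `gcloud container clusters describe <name> --format=json` emits and reports the exposure findings a reviewer would want. The two cluster documents embedded in it are constructed samples, and the field names (`privateClusterConfig.enablePrivateNodes`, `privateClusterConfig.enablePrivateEndpoint`, `masterAuthorizedNetworksConfig`) are the ones the GKE cluster resource uses.

```python
"""Audit GKE cluster descriptions for public exposure of nodes and control plane.

Added example; not from the original Q&A. Input follows the JSON shape of
`gcloud container clusters describe <name> --format=json`. The sample
documents below are constructed, not real clusters.
"""
from __future__ import annotations

import json

# Constructed sample: a cluster created with the defaults, which is the
# situation in the question: nodes in a "private" subnet but still with
# external IPs, a public master endpoint and no master authorized networks.
PUBLIC_CLUSTER_JSON = json.dumps({
    "name": "example-public",
    "network": "custom-vpc",
    "subnetwork": "private-subnet",
    "privateClusterConfig": {},
    "masterAuthorizedNetworksConfig": {},
})

# Constructed sample: a private cluster with nodes off the internet, a private
# master endpoint, and API-server access limited to one documentation range.
PRIVATE_CLUSTER_JSON = json.dumps({
    "name": "example-private",
    "network": "custom-vpc",
    "subnetwork": "private-subnet",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": True,
        "masterIpv4CidrBlock": "172.16.0.0/28",
    },
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"displayName": "office", "cidrBlock": "203.0.113.0/24"}],
    },
})

OPEN_RANGES = {"0.0.0.0/0", "::/0"}


def audit_cluster(cluster: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    private = cluster.get("privateClusterConfig") or {}

    # Nodes receive external IPs unless enablePrivateNodes is set. The subnet
    # a node pool lives in does not change this; only this flag does.
    if not private.get("enablePrivateNodes"):
        findings.append("nodes have public IPs (enablePrivateNodes is not set)")

    # The control plane keeps a public endpoint unless enablePrivateEndpoint is set.
    if not private.get("enablePrivateEndpoint"):
        findings.append("control plane has a public endpoint (enablePrivateEndpoint is not set)")

    # Master authorized networks restricts which source ranges may reach the
    # API server; disabled, or enabled with an all-zeros range, is no restriction.
    man = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not man.get("enabled"):
        findings.append("master authorized networks disabled: API server reachable from any source IP")
    else:
        open_ranges = [b.get("cidrBlock") for b in man.get("cidrBlocks", [])
                       if b.get("cidrBlock") in OPEN_RANGES]
        if open_ranges:
            findings.append(f"master authorized networks allows unrestricted ranges: {open_ranges}")
    return findings


def audit_describe_output(raw_json: str) -> dict[str, list[str]]:
    """Parse describe output (one cluster object or a list of them) and audit each.

    Returns a mapping of cluster name to its findings.
    """
    data = json.loads(raw_json)
    clusters = data if isinstance(data, list) else [data]
    return {c["name"]: audit_cluster(c) for c in clusters}


if __name__ == "__main__":
    for sample in (PUBLIC_CLUSTER_JSON, PRIVATE_CLUSTER_JSON):
        for name, findings in audit_describe_output(sample).items():
            status = "OK" if not findings else "EXPOSED"
            print(f"{name}: {status}")
            for f in findings:
                print(f"  - {f}")
```

Run against real output by piping `gcloud container clusters describe <name> --format=json` into `audit_describe_output`. A cluster that reports "nodes have public IPs" is the case the question describes, and the fix is the private-cluster option from the later answers, not moving the node pool to a different subnet.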



Source: https://stackoverflow.com/questions/45156606/can-i-launch-google-container-engine-gke-in-private-gcp-network-subnet
