This page explains how network isolation and access controls work for your Google Kubernetes Engine (GKE) cluster control plane and cluster nodes. This page replaces the page describing the concept of private clusters.
There are two aspects to consider when deciding how to configure network isolation:
This page shows you how to control and customize who can access the cluster's control plane and cluster nodes (in a Standard cluster) or workloads (in an Autopilot cluster). This customization is relevant when you are deciding the network configuration for your cluster. To go straight to defining your network configuration, see Customize your network isolation.
Best practice:Plan and design your network isolation configuration with your organization's Network architects, Network engineers, Network administrators, or another team who is responsible for the definition, implementation, and maintenance of the network architecture.
Control plane accessIn this section, you'll consider who can access your control plane.
Every GKE cluster has a control plane that handles Kubernetes API requests. The control plane runs on a virtual machine (VM) that is in a VPC network in a Google-managed project. A regional cluster has multiple replicas of the control plane, each of which runs on its own VM.
The control plane has two kinds of endpoints for cluster access:
Use only the DNS-based endpoint to access your control plane for simplified configuration and a flexible and policy-based layer of security.
DNS-based endpointThe DNS-based endpoint gives a unique DNS or fully qualified domain name (FQDN) for each cluster control plane. This DNS name can be used to access your control plane. The DNS name resolves to an endpoint that is accessible from any network reachable by Google Cloud APIs, including on-premises or other cloud networks. Enabling the DNS-based endpoint eliminates the need for a bastion host or proxy nodes to access the control plane from other VPC networks or external locations.
To access the control plane endpoint, you need to configure IAM roles and policies, and authentication tokens. For more details on the exact permissions required, see Customize your network isolation.
In addition to IAM policies and tokens, you can also configure the following access attributes:
IP address or network-based controls with VPC Service Controls: to enhance security for your GKE cluster control plane, VPC Service Controls adds another layer of access security. It uses context-aware access based on attributes like network origin.
VPC Service Controls doesn't directly support clusters with public IP addresses for their control plane. However, GKE clusters, including both private and public clusters, gain protection from VPC Service Controls when you access them using the DNS-based endpoint.
You configure VPC Service Controls to protect your GKE cluster's DNS-based endpoint by including container.googleapis.com and kubernetesmetadata.googleapis.com in your service perimeter's restricted services list. Adding these APIs to your service perimeter will enable VPC-SC for all GKE API operations. This configuration helps ensure that your defined security perimeters govern access to the control plane.
By using both IAM policies and VPC Service Controls to secure access to the DNS-based endpoint, you create a multi-layer security model for your cluster control plane. VPC Service Controls integrates with supported Google Cloud services. It aligns your cluster's security configuration with the data you host in other Google Cloud services.
Private Service Connect or Cloud NAT: to access the DNS-based endpoint from clients that don't have public internet access. By default, the DNS-based endpoint is accessible through Google Cloud APIs that are available on the public internet. To learn more, see DNS-based endpoint in the Customize your network isolation page.
Optionally, you can also configure access to the control plane using IP-based endpoints.
Terminology related to clusters and IP addressesGoogle Cloud external IP addresses:
External IP addresses assigned to any VM used by any customer hosted on Google Cloud. Google Cloud owns these IP addresses. To learn more, see Where can I find Compute Engine IP ranges?
External IP addresses used by Google Cloud products such as Cloud Run or Cloud Run functions. Any client hosted on Google Cloud can instantiate these IP addresses. Google Cloud owns these IP addresses.
Google-reserved IP addresses: External IP addresses for GKE cluster management purposes. These IP addresses include GKE managed processes and other production Google services. Google owns these IP addresses.
GKE cluster IP address ranges: Internal IP addresses assigned to the cluster that GKE uses for the cluster's nodes, Pods, and Services.
Internal IP addresses: IP addresses from your cluster's VPC network. These IP addresses can include your cluster IP address, on-premises networks, the RFC 1918 ranges, or the privately used public IP (PUPI) addresses that include non-RFC 1918 ranges.
External endpoint: The external IP address that GKE assigns to the control plane.
Internal endpoint: The internal IP address that GKE assigns to the control plane.
VPC network: A virtual network in which you create subnets with IP address ranges specifically for the cluster's nodes and Pods.
When using IP-based endpoints, you have two options:
Expose the control plane on both the external and internal endpoints. This means that the control plane's external endpoint is accessible from an external IP address, and the internal endpoint is accessible from your cluster's VPC network. Nodes will communicate with the control plane on the internal endpoint only.
Expose the control plane on the internal endpoint only. This means that clients on the internet cannot connect to the cluster and the control plane is accessible from any IP address from your cluster's VPC network. Nodes will communicate with the control plane on the internal endpoint only.
This is the most secure option when using IP-based endpoints as it prevents all internet access to the control plane. This is a good choice if you have workloads that—for example—require controlled access due to data privacy and security regulations.
In both of the preceding options, you can restrict which IP addresses reach the endpoints by configuring authorized networks. If you use IP-based endpoints, then we strongly recommend that you add at least one authorized network. Authorized networks grant control plane access to a specific set of trusted IPv4 addresses, and provide protection and additional security benefits for your GKE cluster.
Best practice:Enable authorized networks when using IP-based endpoints to secure your GKE cluster.
Authorized networks provide an IP-based firewall that controls access to the GKE control plane. Access to the control plane depends on the source IP addresses. When you enable authorized networks, you configure the IP addresses for which you want to allow access to the GKE cluster control plane endpoint as a CIDR block list.
The following table shows:
With an authorized network, you can also configure the region from which an internal IP address can reach your control plane's internal endpoint. You can choose to allow access only from the cluster's VPC network, or from any Google Cloud region in a VPC or on-premises environment.
Limitations of using IP-based endpointsThis section discusses isolating nodes within a Kubernetes cluster.
Enable private nodesPrevent external clients from accessing nodes by provisioning those nodes only with internal IP addresses, making the nodes private. Workloads running on nodes without an external IP address cannot reach the internet unless NAT is enabled on the cluster's network. You can change these settings at any time.
You can enable private nodes at an individual cluster level or at the node pool (for Standard) or workload (for Autopilot) level. Enabling private nodes at the node pool or workload level overrides any node configuration at the cluster level.
If you update a public node pool to private mode, workloads that require access outside the cluster network might fail in the following scenarios:
Clusters in a Shared VPC network where Private Google Access is not enabled. Manually enable Private Google Access to ensure GKE downloads the assigned node image. For clusters that aren't in a Shared VPC network, GKE automatically enables Private Google Access.
Workloads that require access to the internet where Cloud NAT is not enabled or a custom NAT solution is not defined. To allow egress traffic to the internet, enable Cloud NAT or a custom NAT solution.
Whether or not you enable private nodes, the control plane still communicates with all nodes through internal IP addresses only.
Benefits of network isolationThe following are the benefits of network isolation:
Flexibility:
Security:
Compliance: If you work in an industry with strict regulations for data access and storage, private nodes help with compliance by ensuring that sensitive data remains within your private network.
Control: Private nodes give you granular control over how traffic flows in and out of your cluster. You can configure firewall rules and network policies to allow only authorized communication. If you operate across multi-cloud environments, private nodes can help you establish secure and controlled communication between different environments.
Cost: By enabling private nodes, you can reduce costs for nodes that don't require an external IP address to access public services on the internet.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4