Docker: Setting up a private cluster on GCP Kubernetes

In this post, we'll learn how to create a private cluster in Google Kubernetes Engine.

In Kubernetes Engine, a private cluster is a cluster that makes our master (every cluster has a Kubernetes API server called the master) inaccessible from the public internet. In a private cluster, nodes have internal RFC 1918 IP addresses only and do not have public IP addresses, which ensures that their workloads are isolated from the public Internet. Nodes and masters communicate with each other using VPC peering.

Picture from Kubernetes Engine Private Clusters now available in beta

A private cluster can use an HTTP(S) load balancer or a network load balancer to accept incoming traffic, even though the cluster nodes do not have public IP addresses. A private cluster can also use an internal load balancer to accept traffic from within our VPC network.

The private clusters use the following GCP features Setting up a private cluster:

VPC Network Peering:

Private clusters require VPC Network Peering. Your VPC network contains the cluster nodes, but a separate VPC network in a Google-owned project contains the master. The two VPC networks are connected using VPC Network Peering. Traffic between nodes and the master is routed entirely using internal IP addresses.

Private Google Access:

Private nodes do not have outbound Internet access because they don't have external IP addresses. Private Google Access provides private nodes and their workloads with limited outbound access to Google Cloud Platform APIs and services over Google's private network. For example, Private Google Access makes it possible for private nodes to pull container images from Google Container Registry, and to send logs to Stackdriver.

Google Cloud Shell is loaded with development tools and it offers a persistent 5GB home directory and runs on the Google Cloud. Google Cloud Shell provides command-line access to our GCP resources. We can activate the shell: in GCP console, on the top right toolbar, click the Open Cloud Shell button:

In the dialog box that opens, click "START CLOUD SHELL".

gcloud is the command-line tool for Google Cloud Platform. It comes pre-installed on Cloud Shell and supports tab-completion.

Setup the zone in Cloud Shell:

$ gcloud config set compute/zone us-central1-a
Updated property [compute/zone].

We can list all available zones with: gcloud compute zones list:

$ gcloud compute zones list
NAME                       REGION                   STATUS  NEXT_MAINTENANCE  TURNDOWN_DATE
us-east1-b                 us-east1                 UP
us-east1-c                 us-east1                 UP
us-east1-d                 us-east1                 UP
us-east4-c                 us-east4                 UP
us-east4-b                 us-east4                 UP
us-east4-a                 us-east4                 UP
us-central1-c              us-central1              UP
us-central1-a              us-central1              UP
us-central1-f              us-central1              UP
us-central1-b              us-central1              UP
us-west1-b                 us-west1                 UP
us-west1-c                 us-west1                 UP
us-west1-a                 us-west1                 UP
...

When we create a private cluster, we must specify a /28 CIDR range for the VMs that run the Kubernetes master components and we need to enable IP aliases.

Then, we'll create a cluster named private-cluster, and specify a CIDR range of 172.16.0.16/28 for the masters. When we enable IP aliases, we let Kubernetes Engine automatically create a subnetwork for us.

We'll create the private cluster by using the --private-cluster, --master-ipv4-cidr, and --enable-ip-alias flags.

Run the following to create the cluster:

$ gcloud beta container clusters create private-cluster \
    --private-cluster \
    --master-ipv4-cidr 172.16.0.16/28 \
    --enable-ip-alias \
    --create-subnetwork ""
...
kubeconfig entry generated for private-cluster.
NAME             LOCATION       MASTER_VERSION  MASTER_IP       MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
private-cluster  us-central1-a  1.11.7-gke.4    35.225.169.164  n1-standard-1  1.11.7-gke.4  3          RUNNING

List the subnets in the default network:

$ gcloud compute networks subnets list --network default
NAME                                 REGION                   NETWORK  RANGE
default                              us-west2                 default  10.168.0.0/20
default                              asia-northeast1          default  10.146.0.0/20
default                              us-west1                 default  10.138.0.0/20
default                              southamerica-east1       default  10.158.0.0/20
default                              europe-west4             default  10.164.0.0/20
default                              asia-east1               default  10.140.0.0/20
default                              europe-north1            default  10.166.0.0/20
default                              asia-southeast1          default  10.148.0.0/20
default                              us-east4                 default  10.150.0.0/20
default                              europe-west1             default  10.132.0.0/20
default                              europe-west2             default  10.154.0.0/20
default                              europe-west3             default  10.156.0.0/20
default                              australia-southeast1     default  10.152.0.0/20
default                              asia-south1              default  10.160.0.0/20
default                              us-east1                 default  10.142.0.0/20
default                              us-central1              default  10.128.0.0/20
gke-private-cluster-subnet-d1a99990  us-central1              default  10.33.40.0/22
default                              asia-east2               default  10.170.0.0/20
default                              northamerica-northeast1  default  10.162.0.0/20

In the output, find the name of the subnetwork that was automatically created for our cluster. For example, gke-private-cluster-subnet-xxxxxxxx. Save the name of the cluster, we'll use it in the next step.

Now get information about the automatically created subnet, replacing [SUBNET_NAME] with our subnet by running:

# gcloud compute networks subnets describe [SUBNET_NAME] --region us-central1

$ gcloud compute networks subnets describe gke-private-cluster-subnet-d1a99990 --region us-central1
...
gatewayAddress: 10.33.40.1
id: '8907292442116278553'
ipCidrRange: 10.33.40.0/22
kind: compute#subnetwork
name: gke-private-cluster-subnet-d1a99990
...
privateIpGoogleAccess: true
...
secondaryIpRanges:
- ipCidrRange: 10.33.0.0/20
  rangeName: gke-private-cluster-services-d1a99990
- ipCidrRange: 10.36.0.0/14
  rangeName: gke-private-cluster-pods-d1a99990
...

The output shows us the primary address range with the name of our GKE private cluster and the secondary ranges.

In the output, we can see that one secondary range is for pods and the other secondary range is for services.

Notice that privateIPGoogleAccess is set to true. This enables our cluster hosts, which have only private IP addresses, to communicate with Google APIs and services.

At this point, the only IP addresses that have access to the master are the addresses in these ranges:

1. The primary range of our subnetwork. This is the range used for nodes.
2. The secondary range of our subnetwork that is used for pods.

To provide additional access to the master, we must authorize selected address ranges.

Let's create a VM instance which we'll use to check the connectivity to Kubernetes clusters:

$ gcloud compute instances create source-instance --zone us-central1-a --scopes 'https://www.googleapis.com/auth/cloud-platform'
NAME             ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
source-instance  us-central1-a  n1-standard-1               10.128.0.2   35.202.39.147  RUNNING

We can also get the <External_IP> of the source-instance with:

$ gcloud compute instances describe source-instance --zone us-central1-a | grep natIP

natIP: 35.202.39.147

We'll use the <nat_IP> address in later steps.

Run the following to Authorize our external address range, replacing [MY_EXTERNAL_RANGE] with the CIDR range of the external addresses from the previous output (our CIDR range is natIP/32). With CIDR range as natIP/32, we are "whitelisting one specific IP address":

# gcloud container clusters update private-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks [MY_EXTERNAL_RANGE]

$ gcloud container clusters update private-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks 35.202.39.147/32
Updating private-cluster...done.
...

Now that we have access to the master from a range of external addresses, we'll install kubectl so we can use it to get information about our cluster. For example, we can use kubectl to verify that our nodes do not have external IP addresses.

SSH into source-instance with:

$ gcloud compute ssh source-instance --zone us-central1-a
...
This tool needs to create the directory
[/home/google2522490_student/.ssh] before being able to generate SSH
keys.

Do you want to continue (Y/n)?  y

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
...

In SSH shell install kubectl:

$ $ sudo apt-get install kubectl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  kubectl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,852 kB of archives.
After this operation, 39.3 MB of additional disk space will be used.
Get:1 http://packages.cloud.google.com/apt cloud-sdk-stretch/main amd64 kubectl amd64 1.13.3-00 [7,852 kB]
Fetched 7,852 kB in 0s (43.7 MB/s)
Selecting previously unselected package kubectl.
(Reading database ... 34432 files and directories currently installed.)
Preparing to unpack .../kubectl_1.13.3-00_amd64.deb ...
Unpacking kubectl (1.13.3-00) ...
Setting up kubectl (1.13.3-00) ...

Configure access to the Kubernetes cluster from SSH shell with:

$ gcloud container clusters get-credentials private-cluster --zone us-central1-a
Fetching cluster endpoint and auth data.
kubeconfig entry generated for private-cluster.

Verify that our cluster nodes do not have external IP addresses:

$ kubectl get nodes --output yaml | grep -A4 addresses
    addresses:
    - address: 10.33.40.3
      type: InternalIP
    - address: ""
      type: ExternalIP
--
    addresses:
    - address: 10.33.40.4
      type: InternalIP
    - address: ""
      type: ExternalIP
--
    addresses:
    - address: 10.33.40.2
      type: InternalIP
    - address: ""
      type: ExternalIP

The output shows that the nodes have internal IP addresses but do not have external addresses.

Here is another command we can use to verify that our nodes do not have external IP addresses:

$ kubectl get nodes --output wide
NAME                                             STATUS   ROLES    AGE   VERSION         INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                             KERNEL-VER
SION   CONTAINER-RUNTIME
gke-private-cluster-default-pool-e887ae5b-87q5   Ready    <none>   41m   v1.11.7-gke.4   10.33.40.3                  Container-Optimized OS from Google   4.14.89+  
       docker://17.3.2
gke-private-cluster-default-pool-e887ae5b-lrcf   Ready    <none>   41m   v1.11.7-gke.4   10.33.40.4                  Container-Optimized OS from Google   4.14.89+  
       docker://17.3.2
gke-private-cluster-default-pool-e887ae5b-xfxs   Ready    <none>   41m   v1.11.7-gke.4   10.33.40.2                  Container-Optimized OS from Google   4.14.89+  
       docker://17.3.2

Delete the Kubernetes cluster:

$ gcloud container clusters delete private-cluster --zone us-central1-a
The following clusters will be deleted.
 - [private-cluster] in [us-central1-a]
Do you want to continue (Y/n)?  Y
Deleting cluster private-cluster...done.
...

Docker & K8s

1. Docker install on Amazon Linux AMI
2. Docker install on EC2 Ubuntu 14.04
3. Docker container vs Virtual Machine
4. Docker install on Ubuntu 14.04
5. Docker Hello World Application
6. Nginx image - share/copy files, Dockerfile
7. Working with Docker images : brief introduction
8. Docker image and container via docker commands (search, pull, run, ps, restart, attach, and rm)
9. More on docker run command (docker run -it, docker run --rm, etc.)
10. Docker Networks - Bridge Driver Network
11. Docker Persistent Storage
12. File sharing between host and container (docker run -d -p -v)
13. Linking containers and volume for datastore
14. Dockerfile - Build Docker images automatically I - FROM, MAINTAINER, and build context
15. Dockerfile - Build Docker images automatically II - revisiting FROM, MAINTAINER, build context, and caching
16. Dockerfile - Build Docker images automatically III - RUN
17. Dockerfile - Build Docker images automatically IV - CMD
18. Dockerfile - Build Docker images automatically V - WORKDIR, ENV, ADD, and ENTRYPOINT
19. Docker - Apache Tomcat
20. Docker - NodeJS
21. Docker - NodeJS with hostname
22. Docker Compose - NodeJS with MongoDB
23. Docker - Prometheus and Grafana with Docker-compose
24. Docker - StatsD/Graphite/Grafana
25. Docker - Deploying a Java EE JBoss/WildFly Application on AWS Elastic Beanstalk Using Docker Containers
26. Docker : NodeJS with GCP Kubernetes Engine
27. Docker : Jenkins Multibranch Pipeline with Jenkinsfile and Github
28. Docker : Jenkins Master and Slave
29. Docker - ELK : ElasticSearch, Logstash, and Kibana
30. Docker - ELK 7.6 : Elasticsearch on Centos 7
31. Docker - ELK 7.6 : Filebeat on Centos 7
32. Docker - ELK 7.6 : Logstash on Centos 7
33. Docker - ELK 7.6 : Kibana on Centos 7
34. Docker - ELK 7.6 : Elastic Stack with Docker Compose
35. Docker - Deploy Elastic Cloud on Kubernetes (ECK) via Elasticsearch operator on minikube
36. Docker - Deploy Elastic Stack via Helm on minikube
37. Docker Compose - A gentle introduction with WordPress
38. Docker Compose - MySQL
39. MEAN Stack app on Docker containers : micro services
40. MEAN Stack app on Docker containers : micro services via docker-compose
41. Docker Compose - Hashicorp's Vault and Consul Part A (install vault, unsealing, static secrets, and policies)
42. Docker Compose - Hashicorp's Vault and Consul Part B (EaaS, dynamic secrets, leases, and revocation)
43. Docker Compose - Hashicorp's Vault and Consul Part C (Consul)
44. Docker Compose with two containers - Flask REST API service container and an Apache server container
45. Docker compose : Nginx reverse proxy with multiple containers
46. Docker & Kubernetes : Envoy - Getting started
47. Docker & Kubernetes : Envoy - Front Proxy
48. Docker & Kubernetes : Ambassador - Envoy API Gateway on Kubernetes
49. Docker Packer
50. Docker Cheat Sheet
51. Docker Q & A #1
52. Kubernetes Q & A - Part I
53. Kubernetes Q & A - Part II
54. Docker - Run a React app in a docker
55. Docker - Run a React app in a docker II (snapshot app with nginx)
56. Docker - NodeJS and MySQL app with React in a docker
57. Docker - Step by Step NodeJS and MySQL app with React - I
58. Installing LAMP via puppet on Docker
59. Docker install via Puppet
60. Nginx Docker install via Ansible
61. Apache Hadoop CDH 5.8 Install with QuickStarts Docker
62. Docker - Deploying Flask app to ECS
63. Docker Compose - Deploying WordPress to AWS
64. Docker - WordPress Deploy to ECS with Docker-Compose (ECS-CLI EC2 type)
65. Docker - WordPress Deploy to ECS with Docker-Compose (ECS-CLI Fargate type)
66. Docker - ECS Fargate
67. Docker - AWS ECS service discovery with Flask and Redis
68. Docker & Kubernetes : minikube
69. Docker & Kubernetes 2 : minikube Django with Postgres - persistent volume
70. Docker & Kubernetes 3 : minikube Django with Redis and Celery
71. Docker & Kubernetes 4 : Django with RDS via AWS Kops
72. Docker & Kubernetes : Kops on AWS
73. Docker & Kubernetes : Ingress controller on AWS with Kops
74. Docker & Kubernetes : HashiCorp's Vault and Consul on minikube
75. Docker & Kubernetes : HashiCorp's Vault and Consul - Auto-unseal using Transit Secrets Engine
76. Docker & Kubernetes : Persistent Volumes & Persistent Volumes Claims - hostPath and annotations
77. Docker & Kubernetes : Persistent Volumes - Dynamic volume provisioning
78. Docker & Kubernetes : DaemonSet
79. Docker & Kubernetes : Secrets
80. Docker & Kubernetes : kubectl command
81. Docker & Kubernetes : Assign a Kubernetes Pod to a particular node in a Kubernetes cluster
82. Docker & Kubernetes : Configure a Pod to Use a ConfigMap
83. AWS : EKS (Elastic Container Service for Kubernetes)
84. Docker & Kubernetes : Run a React app in a minikube
85. Docker & Kubernetes : Minikube install on AWS EC2
86. Docker & Kubernetes : Cassandra with a StatefulSet
87. Docker & Kubernetes : Terraform and AWS EKS
88. Docker & Kubernetes : Pods and Service definitions
89. Docker & Kubernetes : Service IP and the Service Type
90. Docker & Kubernetes : Kubernetes DNS with Pods and Services
91. Docker & Kubernetes : Headless service and discovering pods
92. Docker & Kubernetes : Scaling and Updating application
93. Docker & Kubernetes : Horizontal pod autoscaler on minikubes
94. Docker & Kubernetes : From a monolithic app to micro services on GCP Kubernetes
95. Docker & Kubernetes : Rolling updates
96. Docker & Kubernetes : Deployments to GKE (Rolling update, Canary and Blue-green deployments)
97. Docker & Kubernetes : Slack Chat Bot with NodeJS on GCP Kubernetes
98. Docker & Kubernetes : Continuous Delivery with Jenkins Multibranch Pipeline for Dev, Canary, and Production Environments on GCP Kubernetes
99. Docker & Kubernetes : NodePort vs LoadBalancer vs Ingress
100. Docker & Kubernetes : MongoDB / MongoExpress on Minikube
101. Docker & Kubernetes : Load Testing with Locust on GCP Kubernetes
102. Docker & Kubernetes : MongoDB with StatefulSets on GCP Kubernetes Engine
103. Docker & Kubernetes : Nginx Ingress Controller on Minikube
104. Docker & Kubernetes : Setting up Ingress with NGINX Controller on Minikube (Mac)
105. Docker & Kubernetes : Nginx Ingress Controller for Dashboard service on Minikube
106. Docker & Kubernetes : Nginx Ingress Controller on GCP Kubernetes
107. Docker & Kubernetes : Kubernetes Ingress with AWS ALB Ingress Controller in EKS
108. Docker & Kubernetes : Setting up a private cluster on GCP Kubernetes
109. Docker & Kubernetes : Kubernetes Namespaces (default, kube-public, kube-system) and switching namespaces (kubens)
110. Docker & Kubernetes : StatefulSets on minikube
111. Docker & Kubernetes : RBAC
112. Docker & Kubernetes Service Account, RBAC, and IAM
113. Docker & Kubernetes - Kubernetes Service Account, RBAC, IAM with EKS ALB, Part 1
114. Docker & Kubernetes : Helm Chart
115. Docker & Kubernetes : My first Helm deploy
116. Docker & Kubernetes : Readiness and Liveness Probes
117. Docker & Kubernetes : Helm chart repository with Github pages
118. Docker & Kubernetes : Deploying WordPress and MariaDB with Ingress to Minikube using Helm Chart
119. Docker & Kubernetes : Deploying WordPress and MariaDB to AWS using Helm 2 Chart
120. Docker & Kubernetes : Deploying WordPress and MariaDB to AWS using Helm 3 Chart
121. Docker & Kubernetes : Helm Chart for Node/Express and MySQL with Ingress
122. Docker & Kubernetes : Deploy Prometheus and Grafana using Helm and Prometheus Operator - Monitoring Kubernetes node resources out of the box
123. Docker & Kubernetes : Deploy Prometheus and Grafana using kube-prometheus-stack Helm Chart
124. Docker & Kubernetes : Istio (service mesh) sidecar proxy on GCP Kubernetes
125. Docker & Kubernetes : Istio on EKS
126. Docker & Kubernetes : Istio on Minikube with AWS EC2 for Bookinfo Application
127. Docker & Kubernetes : Deploying .NET Core app to Kubernetes Engine and configuring its traffic managed by Istio (Part I)
128. Docker & Kubernetes : Deploying .NET Core app to Kubernetes Engine and configuring its traffic managed by Istio (Part II - Prometheus, Grafana, pin a service, split traffic, and inject faults)
129. Docker & Kubernetes : Helm Package Manager with MySQL on GCP Kubernetes Engine
130. Docker & Kubernetes : Deploying Memcached on Kubernetes Engine
131. Docker & Kubernetes : EKS Control Plane (API server) Metrics with Prometheus
132. Docker & Kubernetes : Spinnaker on EKS with Halyard
133. Docker & Kubernetes : Continuous Delivery Pipelines with Spinnaker and Kubernetes Engine
134. Docker & Kubernetes : Multi-node Local Kubernetes cluster : Kubeadm-dind (docker-in-docker)
135. Docker & Kubernetes : Multi-node Local Kubernetes cluster : Kubeadm-kind (k8s-in-docker)
136. Docker & Kubernetes : nodeSelector, nodeAffinity, taints/tolerations, pod affinity and anti-affinity - Assigning Pods to Nodes
137. Docker & Kubernetes : Jenkins-X on EKS
138. Docker & Kubernetes : ArgoCD App of Apps with Heml on Kubernetes
139. Docker & Kubernetes : ArgoCD on Kubernetes cluster
140. Docker & Kubernetes : GitOps with ArgoCD for Continuous Delivery to Kubernetes clusters (minikube) - guestbook