Answering this part of the question:

"How to change the existing GKE cluster to GKE private cluster?"

The GKE setting "Private cluster" is immutable. This setting can only be set during the GKE cluster provisioning.
To create your cluster as a private one you can either:
- Create a new GKE private cluster.
- Duplicate the existing cluster and set it to private:
  - This setting is available in GCP Cloud Console -> Kubernetes Engine -> CLUSTER-NAME -> Duplicate
  - This will clone the infrastructure configuration of your previous cluster but not the workload (Pods, Deployments, etc.)
"Will I be able to connect to the Kubectl API from internet based on firewall rules or should I have a bastion host?"

Yes, you could, but it will heavily depend on the configuration that you chose during the GKE cluster creation process.

As for the ability to connect to your GKE private cluster, there is dedicated documentation about it:

As for how you can create a private cluster with Terraform, there is a dedicated site with configuration options specific to GKE. There are also parameters responsible for provisioning a private cluster:
As for a basic example of creating a private GKE cluster with Terraform:

    provider "google" {
      project = "INSERT_PROJECT_HERE"
      region  = "europe-west3"
      zone    = "europe-west3-c"
    }

    resource "google_container_cluster" "primary-cluster" {
      name               = "gke-private"
      location           = "europe-west3-c"
      initial_node_count = 1

      private_cluster_config {
        # Nodes get only internal IPs (no external addresses).
        enable_private_nodes = true
        # false keeps the public control-plane endpoint reachable; the cluster
        # is still "private" in the sense of private nodes. Restrict who can
        # reach that endpoint with master_authorized_networks_config.
        enable_private_endpoint = false
        # RFC 1918 /28 reserved for the control plane; must not overlap the VPC.
        master_ipv4_cidr_block = "172.16.0.0/28"
      }

      # A private cluster must be VPC-native. Empty range names let GKE create
      # the Pod and Service secondary ranges for you.
      ip_allocation_policy {
        cluster_secondary_range_name  = ""
        services_secondary_range_name = ""
      }

      node_config {
        machine_type = "e2-medium"
      }
    }
A side note!

I've created a public GKE cluster and modified the .tf responsible for its creation to support a private cluster. After running:

    $ terraform plan

Terraform responded with the information that the cluster will be recreated.
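The answer above leaves the public control-plane endpoint open to any source IP. The following is an added example (not code from the original answer or from Google's documentation) showing the variant a security engineer would usually deploy: private nodes, a VPC-native subnetwork with explicit Pod and Service ranges, and the public endpoint restricted with master authorized networks. This is the GKE mechanism for limiting who can reach the API server; VPC firewall rules do not apply to the Google-managed control plane. The network, subnetwork and CIDR values, including the 203.0.113.10/32 "office egress" address, are assumptions you must replace.

```terraform
# Added example: private GKE cluster whose public API endpoint is reachable
# only from an allow-listed CIDR. Names and CIDRs below are assumptions.

provider "google" {
  project = "INSERT_PROJECT_HERE"
  region  = "europe-west3"
  zone    = "europe-west3-c"
}

resource "google_compute_network" "gke" {
  name                    = "gke-private-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gke" {
  name          = "gke-private-subnet"
  region        = "europe-west3"
  network       = google_compute_network.gke.id
  ip_cidr_range = "10.10.0.0/20"

  # Nodes have no external IPs; this lets them reach Google APIs
  # (Artifact Registry, Cloud Logging, ...) without a NAT gateway.
  private_ip_google_access = true

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

resource "google_container_cluster" "private" {
  name       = "gke-private-restricted"
  location   = "europe-west3-c"
  network    = google_compute_network.gke.id
  subnetwork = google_compute_subnetwork.gke.id

  # Create the cluster with a throwaway default pool and manage the real
  # pool separately so node changes do not force cluster recreation.
  remove_default_node_pool = true
  initial_node_count       = 1

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false         # public endpoint stays, but see below
    master_ipv4_cidr_block  = "172.16.0.0/28" # must not overlap any VPC range
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # Only these source CIDRs may reach the public API server endpoint.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.10/32" # assumption: office/VPN egress IP
      display_name = "office-egress"
    }
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  location   = "europe-west3-c"
  cluster    = google_container_cluster.private.name
  node_count = 1

  node_config {
    machine_type = "e2-medium"
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

With this configuration, kubectl works from the allow-listed address over the public endpoint and is refused from everywhere else, so no bastion is required. If you set enable_private_endpoint = true instead, the public endpoint disappears entirely and you do need something inside the VPC (a bastion VM, Cloud VPN or Interconnect) to reach 172.16.0.0/28. Either way, nodes without external IPs can still pull from Google registries via Private Google Access, but need Cloud NAT on this subnetwork for any other outbound traffic such as Docker Hub.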