How do I change an existing GKE cluster into a GKE private cluster? Will I be able to connect to the kubectl API from the Internet based on firewall rules, or should I have a bastion host? I don't want to implement Cloud NAT or a NAT gateway. I have a squid proxy VM that handles Internet access for the pods. I just need to be able to connect with kubectl to apply or modify anything.
I'm not sure how to modify the existing module I wrote to make the nodes private, and I'm not sure whether the cluster will be deleted if I try to apply the new changes related to a private GKE cluster.
```hcl
resource "google_container_cluster" "primary" {
  name                     = "prod"
  network                  = "prod"
  subnetwork               = "private-subnet-a"
  location                 = "us-west1-a"
  remove_default_node_pool = true
  initial_node_count       = 1
  # Note: Terraform only accepts direct resource/module references in
  # depends_on; a variable here is rejected at plan time.
  depends_on = [var.depends_on_vpc]
}

resource "google_container_node_pool" "primary_nodes" {
  depends_on = [var.depends_on_vpc]
  name       = "prod-node-pool"
  location   = "us-west1-a"
  cluster    = google_container_cluster.primary.name
  node_count = 2

  node_config {
    preemptible  = false
    machine_type = "n1-standard-2"
    metadata = {
      disable-legacy-endpoints = "true"
    }
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/compute",
    ]
  }
}
```
Best answer
Answering part of the question:
"How to change the existing GKE cluster to GKE private cluster?"
The GKE setting "Private cluster" is immutable. It can only be set while the GKE cluster is being configured.
To get a private cluster, you can:
- Create a new GKE private cluster.
- Duplicate the existing cluster and set it to private:
  - This option is available in GCP Cloud Console -> Kubernetes Engine -> CLUSTER-NAME -> Duplicate
  - It clones the infrastructure configuration of your previous cluster, but not the workloads (Pods, Deployments, etc.)
"Will I be able to connect to the Kubectl API from internet based on firewall rules or should I have a bastion host?"
Yes, you can, but it heavily depends on the configuration you chose during GKE cluster creation.
As for the ability to connect to your GKE private cluster, there is dedicated documentation on this:
As for creating a private cluster with Terraform, there is a dedicated site with GKE-specific configuration options. There are also parameters responsible for configuring a private cluster:
A basic example of creating a private GKE cluster with Terraform:
main.tf
```hcl
provider "google" {
  project = "INSERT_PROJECT_HERE"
  region  = "europe-west3"
  zone    = "europe-west3-c"
}
```
gke.tf
```hcl
resource "google_container_cluster" "primary-cluster" {
  name               = "gke-private"
  location           = "europe-west3-c"
  initial_node_count = 1

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false # this option will make your cluster available through public endpoint
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = ""
    services_secondary_range_name = ""
  }

  node_config {
    machine_type = "e2-medium"
  }
}
```
A side note!
I've created a public GKE cluster and modified the .tf responsible for its creation to support a private cluster. After running:
$ terraform plan
Terraform responded with the information that the cluster will be recreated.
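The following is an added example, not part of the question or the answer above, that puts both halves of the answer together: private nodes with a public control-plane endpoint (so kubectl works without a bastion), the endpoint restricted to an allow-list of source CIDRs via master_authorized_networks_config (the "firewall rule" for the API server), Private Google Access on the subnet because the asker has no Cloud NAT, and a prevent_destroy lifecycle rule so that a plan which would replace the cluster fails instead of silently deleting it. The project id, CIDR ranges, subnet name and the admin address 203.0.113.10/32 are assumed placeholders; the VPC "prod" is taken from the question and assumed to already exist.

```hcl
# Added example (not the question's module or the answer's gke.tf).
# Placeholders: project id, all CIDRs, the subnet name and the admin address.

provider "google" {
  project = "INSERT_PROJECT_HERE" # placeholder
  region  = "us-west1"
  zone    = "us-west1-a"
}

# VPC-native subnet for the private nodes. Private Google Access lets nodes
# without external IPs reach Google APIs (image pulls, logging, monitoring)
# without Cloud NAT. Name and ranges are constructed for this example.
resource "google_compute_subnetwork" "gke_private" {
  name                     = "gke-private-subnet"
  network                  = "prod" # assumed existing VPC from the question
  region                   = "us-west1"
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

resource "google_container_cluster" "primary" {
  name       = "prod"
  location   = "us-west1-a"
  network    = "prod"
  subnetwork = google_compute_subnetwork.gke_private.name

  remove_default_node_pool = true
  initial_node_count       = 1

  # Nodes get no external IPs; the control plane keeps a public endpoint so
  # kubectl can reach it without a bastion. Adding or changing this block on
  # an existing cluster is shown by `terraform plan` as "forces replacement".
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # Allow-list for the public endpoint: only these source CIDRs may open a
  # connection to the API server. Without this block the endpoint accepts
  # connections from any address (credentials are still required).
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.10/32" # assumed admin workstation / VPN egress IP
      display_name = "admin-workstation"
    }
  }

  # Guard against the "will apply delete the cluster?" scenario: any plan that
  # would destroy or replace this resource errors out instead of proceeding.
  lifecycle {
    prevent_destroy = true
  }
}

resource "google_container_node_pool" "primary_nodes" {
  name       = "prod-node-pool"
  location   = "us-west1-a"
  cluster    = google_container_cluster.primary.name
  node_count = 2

  node_config {
    machine_type = "n1-standard-2"
    metadata = {
      disable-legacy-endpoints = "true"
    }
    # Scopes kept to what logging, monitoring and image pulls need; the
    # broader compute scope from the question is left out on purpose.
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/devstorage.read_only",
    ]
  }
}
```

Because private_cluster_config cannot be changed in place, applying this against the existing "prod" cluster would require replacement; with prevent_destroy set, `terraform plan` stops with an error rather than scheduling the destroy, which makes the migration an explicit decision (new cluster name or a duplicate, then move workloads) instead of a side effect of `terraform apply`. After creation, `gcloud container clusters get-credentials` from an address inside the authorized CIDR is all kubectl needs; connections from other addresses are refused before authentication.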
Regarding "kubernetes - change public GKE to private GKE cluster using terraform", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/65916344/